TrustArc Privacy and GDPR Compliance Research Report– Part 2 of 3

Part 2 of our three part series reviews results from the TrustArc / Dimensional research report on the status of U.S. Privacy and GDPR Compliance Programs.

  • To review Part 1, the General Privacy Market Results, click here
  • Part 3 will include Privacy Program Implementation Results.
  • In Part 2 of this series, we will share the GDPR Compliance Results.

For all companies responding, approximately 40% are still designing their GDPR plan and only about 10% have GDPR plans well underway. Many companies have a significant amount of GDPR implementation ahead of them.

Responding companies have set aside relatively large budgets for GDPR compliance for 2017-2018. For all companies responding, the #1 budget amount cited was between $100,000 to $500,000 (42%), with the #2 budget cited between $500,000 and $1,000,000 (23%). GDPR compliance budgets of over $1 million accounted for 9% of small companies, 19% of mid-size companies and 23% of large companies.


Nearly 1 in 4 large companies plan to spend over $1 million on GDPR compliance.


GDPR investments will go to a wide range of initiatives including consultants, internal hiring, and additional technology and tools.


In Part 3 of this series, we will reveal program implementation results. To read the full results now, download a copy of the TrustArc “Privacy and the EU GDPR” research report, click here.


What you Need to Know About the GDPR: Practical Steps to Address GDPR Compliance


While some organizations have written about the impending GDPR deadline and potential fines, or re-printed an exact copy of the text itself, TRUSTe has taken the 200+ pages of the GDPR and translated it into practical implementation steps for an organization of any size or maturity.

The implementation steps are grouped into five actionable phases:

  1. Building a Program and Team
  2. Assessing Risks and Creating Awareness
  3. Designing and Implementing Operational Controls
  4. Managing and Enhancing Controls
  5. Demonstrating Ongoing Compliance

A sample implementation step is developing a DPIA program, which includes creating templates, conducting DPIAs, managing remediation, and providing compliance reports.

The guide also includes references to specific articles, best practices tips, and which stakeholders in your organization should be involved with each implementation step. Because involving stakeholders outside of the privacy office can sometimes require speaking the language of the department you are trying to engage, the guide also includes examples of how compliance can benefit various departments:

  • Information Technology: identifying storage redundancies can reduce IT complexity and save IT dollars.
  • Information Security: understanding what data reside in which systems can help Security prioritize their protection efforts and establish appropriate access controls.
  • Operations: visualizing flows and uses of data throughout the company can help Operations identify redundancies and improve efficiencies.
  • Procurement: identifying points at which the company shares information with third party vendors and understanding the sensitivity of the data being shared can help procurement approach third party management and contracts in a risk-based, efficient approach.

Tips like these will enable your organization to begin implementation items today. Everything you put in place ahead of the deadline will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.

Get this GDPR Essential Guide to help you on your path to GDPR compliance.

If you need technology solutions backed by expert privacy consultants that can help your organization with its GDPR needs, contact us today to learn more.

Argentina GDPR-like Data Privacy Bill

As previously described in our blog post “Doing Business with Argentina Just got Easier, change appears afoot in the land of silver’s data protection law, in order to keep pace with evolving digital technologies and global regulatory regimes.

Whereas in December 2016 the Argentine Data Protection Agency (DPA) issued a report proposing changes to the national Data Protection Act (Act) after nearly a year of public consultation, this month the DPA released a draft bill to update the sixteen-year-old Act in line with many of the European Union’s General Data Protection Regulation (GDPR)’s new requirements taking effect in May 2018.

That the Argentine DPA would model its bill after the GDPR is not surprising, given that Argentina was the first Latin American country to be recognized as being “adequate,” i.e.,  providing data protections essentially equivalent to those of the EU.  

The DPA will accept comments here on the proposed amendments to Law No. 25,326 through February 24, 2017.  

The Spanish-language draft bill may be read here.

Proposed Updates to Argentina’s Data Protection Act

Some of the Argentine data protection draft bill’s new provisions will be familiar to prospective GDPR practitioners, such as dispensing with a database registration requirement and solidifying the DPA’s independence from any other governmental entity.  

Many businesses will be pleased to note the inclusion of Binding Corporate Rules (BCRs) as a legal basis for cross-border data transfers, as well as the establishment of non-consent-focused legal grounds for data processing, such as when processing is undertaken pursuant to the “legitimate interests” of the data controller.

While the GDPR’s Article 8 sets a default age of 16 for child consent but allows for EU Member States to set the age as low as 13 years old, the Argentine bill would allow for processing of the personal data of a child under 13 with parental consent.

Other key changes include the addition of definitions for genetic data and biometric data; the limiting of what constitutes a “data subject” to be only individuals–rather than corporations and other legal entities; new rules revolving around credit reporting; and new sections on data protection impact assessments, DPOs, data breaches and cloud computing.

With the executive and legislative processes still to play out, experts expect a likely 2018 date before the revised law would be enacted.

For further information on trends in Latin American data protection laws, GDPR compliance tools and automating privacy impact assessments, contact TRUSTe today.


Webinar Recap: Best Practices to Create a Data Inventory and Meet GDPR Compliance

Screen Shot 2017-01-25 at 9.06.50 AM

Yesterday we had Ray Everett, Principal Consultant (US), TRUSTe, Veronika Tonry, President, Privacy KnowHow, former Global Privacy Manager at Chevron and Applied Materials, and Guy Sereff, Corporate Counsel, Level 3 Communications share which tools and resources companies are using to conduct data inventories.

Our speakers shared some of the biggest “lessons learned” from when they conducted Data Inventories for the first time, so that you can avoid them.

  • There is no “one size fits all” approach – you should conduct these exercises in a way that fits with your company culture.
  • Once you’ve received the support for the project, make sure you identify roles and responsibilities before any work begins. For example, what will the project manager, business unit leads, and subject matter experts be responsible for?
  • Setting realistic expectations for the level of effort required to complete the project will keep it moving along and on track.

Additional insight shared by our speakers included benefits to other departments outside of privacy that are gained with conducting Data Inventory and Mapping. While the legal, regulatory, and compliance departments all gain ground with EU GDPR compliance, finance, IT, security, and development teams will benefit too. Identifying storage redundancies can save the finance department money, and the IT department headaches. The security team can pinpoint which data and business applications need to be protected. The development team can kickstart a discussion of Privacy by Design because they can see which applications are sharing information early in the development phase, and address any privacy concerns early on. Data Inventory and Mapping is an exercise that can bring benefits to the entire organization.

If you missed it, you can still listen to the full recording here.

TRUSTe Data Inventory and Mapping Solution combines privacy consulting expertise, our proven methodology, and powerful technology tools to help businesses meet privacy regulations like the EU General Data Protection Regulation (GDPR) and minimize data governance risk across the enterprise.


Newly Released EU GDPR Guidance


The EU GDPR goes into effect in May, 2018. While that may seem far away, for many organizations the changes required to become compliant with the new law will take several quarters to implement. Some of the larger changes required will deal with the new “Right to Data Portability”, Identifying a lead supervisory authority, and appointing a “Data Protection Officer.”

The Article 29 Working Party (WP29) has just released guidance on these three requirements. The guidance is summarized below, along with links to the full documents.

1) Right to Data Portability

Article 20 provides data subjects with the right to data portability. The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.

2) Identifying Lead Supervisory Authority

If your organization conducts cross-border data processing, or is unsure whether it does, this guidance provides examples, key concepts to identifying a key supervisory authority, and even questions to guide the identification of the lead supervisory authority.

3) Data Protection Officer

WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:

a) where the processing is carried out by a public authority or body

WP29 guides that “such a notion is to be determined under national law.”

b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale

WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”

c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. While clarification on what “large scale” means is summarized below, WP29 also gave guidance on the meaning of “Regular and Systematic Monitoring” as well as the expertise and skills that a DPO should possess.

These factors should be considered when determining whether the “large scale” threshold is met:

– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population

– The volume of data and/or the range of different data items being processed

– The duration, or permanence, of the data processing activity

– The geographical extent of the processing activity

This blog post highlights some of the guidance issued by WP29, but the full documents contain additional insight and helpful examples. To learn more about TRUSTe EU GDPR solutions, or to speak with a consultant, contact us.