It was a busy but fantastic week for TrustArc in the Belgian capital at the annual International Association of Privacy Professionals Europe Data Protection Congress.
TrustArc began the conference with the announcement of its acquisition of privacy industry heavyweight Nymity. The companies have joined forces to accelerate development of the next generation of technology-driven privacy solutions. The news was received with overwhelming excitement by conference goers and news media, and will usher in incredible new content and product synergies for current and future customers.
In addition to countless conversations with friends old and new from organizations of all sizes, industries and geographies, as well as with officials from the public sector and regulatory bodies, TrustArc and Nymity also participated in the conference’s educational and information sharing efforts.
TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall, shone on the “Little Big Stage” where she unveiled the results of an IAPP-TrustArc survey report entitled “Measuring Privacy Operations in 2019.” The survey gauged what global privacy professionals–from organizations ranging from fewer than 250 employees to more than 25,000 employees–have done to meet the increasing data privacy compliance requirements to which their organizations are subject.
Alongside IAPP Research Director, Caitlin Fennessy, Hilary performed a deep dive for a standing room-only audience, going over the report’s revealing findings and trends with respect to whether companies are adopting a single global privacy strategy (versus more regional or local implementations); what types of privacy impact assessments they conduct; how many privacy laws they currently must comply with; whether the companies have made any privacy-related operational changes within the last 12 months, and much more.
Nymity EU Operations and Strategy Director Paul Breitbarth participated on three separate panels during the conference. Paul stepped on to the Little Big Stage on Wednesday morning and explained how Nymity turns compliance data into knowledge for any team in an organisation. On Wednesday evening, Paul joined his fellow panelist to discuss “Using your Register of Processing Activities to Demonstrate Compliance.” The panel provided and examined real-world examples of the challenges faced by global organisations and what they do to overcome them. As Data Protection Congress was coming to a close, Paul joined the panel on “Artificial Intelligence: From Principles to Practice” and spoke on how companies get from overarching ethical principles to a robust legal framework.
Darren Abernethy, TrustArc Senior Counsel, also led a session entitled “Winning with Privacy: Implementing Consent and DSARs to Comply AND Win Customers.” The panel first overviewed the basics of digital advertising; then addressed the various “cookie”- and ePrivacy Directive-related guidances released in the last year, including by EU privacy regulators from the U.K., France, Germany and Spain; then discussed the role of third-party cookies and consent under the California Consumer Privacy Act, as well as the importance of website cookie audits (including to help make determinations as to “service provider” vs. “third party” status for vendors); and offered practical tips on how to set up compliant and responsive DSAR/individual rights programs within organizations.
The panel spent time showing real-world examples of how cookie consent and individual rights implementations look on actual digital properties “in the wild,” providing the audience with collective insights from the panelists’ extensive experience with exactly these matters, including their use of scalable, automated technology solutions across privacy programs to account for local variations in legal requirements.
If you would like copies of slides from the above presentations, or would like to discuss how TrustArc’s Cookie Consent Manager or Individual Rights Manager may be leveraged to facilitate your company’s privacy compliance and data value maximization, we welcome you to contact TrustArc at any time for more information.
TrustArc and the International Association of Privacy Professionals (IAPP) announced the results of new benchmarking research that examines the current state of privacy operations. The research shows that a majority of companies are adopting a single global data protection strategy to manage evolving legal requirements, and that managing the expanding ecosystem of third parties handling data has become a top priority.
“The data outlined in this study demonstrates, once again, that privacy is not a one-off endeavor,” said Trevor Hughes, CEO and president of the IAPP. “Privacy management is an increasingly complicated industry. As a result, the role of privacy professionals is taking center stage. Our research highlights how they must act as stewards for implementing the processes and technologies required to ensure scalable compliance across an ever-growing ecosystem of data from partners, customers, and vendors.”
Evolving Ecosystem of Partners, Customers, and Vendors Driving Risk Assessment Processes
Vendor and third-party risk assessments ranked first among privacy assessments globally, with 78 percent of U.S. respondents reporting that they now conduct them. That figure indicates the growing complexity of the ecosystem now impacting compliant data privacy management.
“The CCPA will be the toughest privacy law this country has seen to date, expanding the rights of consumers and their data,” said Chris Babel, CEO of TrustArc. “This survey reinforces what we continue to see and hear from our thousands of customers: that privacy management is getting more complex. That’s why we continue to lead the charge in building the technology solutions and enabling the infrastructure integrations necessary to make compliance automated and scalable.”
To understand the different types of privacy operations across regions, company size and industry, TrustArc and the IAPP surveyed close to 350 privacy professionals in the U.S., EU, UK and Canada.
Key findings from the survey include:
U.S. companies comply with more laws than EU counterparts, which focused primarily on GDPR
- 79% of respondents report complying with two or more privacy laws, while only 16% are focused on just one.
- 10% report actively working to comply with 50 privacy laws or more at once, while 13% are working on 6-10 laws, and another 13% on 11-49 laws.
- EU respondents were more likely to report actively working to comply with five or fewer privacy laws, while U.S. respondents were more likely than their EU counterparts to be complying with 11 or more laws.
- Significantly more EU+UK respondents (81%) conduct Data Protection Impact Assessments as compared to U.S. respondents (53%).
Majority pursuing a single, global data protection strategy
- 56% of respondents across all geographies are working toward a single, global data protection and privacy strategy for data subjects’ rights.
- Only 28% of U.S. companies and 21% of EU+UK companies categorize data subjects by jurisdiction and geography and handle each data subject’s data according to the laws that apply to that individual.
- A majority of EU+UK respondents report serving customers in only one region (22%) compared to U.S. respondents (11%).
Growing complexity is driving operational changes to privacy programs
- 42% deleted personal data more regularly; more so among EU+UK respondents (56%) than U.S. (44%).
- 21% converted from an opt-out to an opt-in email marketing strategy across geographies; vastly more so in the EU+UK (30%) compared to U.S. respondents (13%).
To download the complete findings, click here.
About the Research
The survey was fielded in the fall of 2019 to the IAPP Daily Dashboard newsletter, which reaches more than 60,000 subscribers from around the globe. The results are based on responses from 327 privacy professionals (primarily in-house in privacy, legal and compliance functions) based in the U.S. (43%), EU/Non-UK (24%), UK (13%), Canada (9%), Asia (4%) and Other Countries (7%). Company size ranged between 1-250 employees (25%), 251-1,000 (17%), 1,001-5,000 (20%), 5,001-25,000 (19%), and 25,000+ (19%). Respondents represent a variety of industries, split between sectors traditionally regulated for privacy (e.g. health care, financial services and banking, insurance) at 35% and sectors traditionally not subject to privacy regulation (e.g. technology and software, manufacturing) at 33%. Those working in legal or consulting services made up 16% of respondents, with another 11% representing governmental or non-profit organizations.
TrustArc regularly attends and hosts events around the world and online – please visit us at one or more of the following events.
IAPP CCPA Comprehensive Live 2019
The California Consumer Privacy Act will come into effect on January 1, 2020. That gives you very little time to get a lot of work done to comply with this sweeping legislation expected to carry harsh enforcement and fines.
The IAPP CCPA Comprehensive Live 2019 on November 7 in New York will provide practical, in-depth CCPA-specific training presented by IAPP experts that will help operationalize your commitment to CCPA compliance.
TrustArc will be sponsoring and exhibiting at this event. Stop by the TrustArc table to say hello!
Privacy Insight Series Webinar
How to Comply with CCPA as Part of a Global Privacy Strategy
November 13 @ 9am PT | 12pm ET | 4pm GMT
With the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other laws such as the Brazilian General Data Protection Law (LGPD), businesses must be prepared to comply with a variety of laws around the world.
Privacy is a complex, multi-level concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach to privacy laws that is consistent and predictable yet also not one-size-fits-all.
This webinar will help answer questions like:
- What are the additional privacy laws outside of the GDPR and CCPA law requirements you need to be aware of?
- How do you manage all data privacy to meet all applicable global requirements?
- How do you implement a multi-jurisdictional custom approach to address all applicable laws and regulations?
IAPP Europe Data Protection Congress
In a year of enforcement action, fines and litigation, the Congress keeps your operation a step ahead.
Europe’s top event in data protection law and policy returns to Brussels, home of the IAPP’s European headquarters, 20-21 Nov. Privacy professionals will gather for wide-ranging discussions of strategic developments in regional and international data protection, plus training classes and a deep-dive workshop day preceding the main conference dates.
TrustArc Senior Counsel Darren Abernethy will be speaking on “Winning with Privacy: Implementing Consent and DSARs to Comply AND Win Customers” on 20 November at 17:00.
TrustArc will be sponsoring, speaking and exhibiting at this event. Stop by the TrustArc booth to say hello!
After introducing the 2019 Privacy Tech Adoption Report in part I of this blog post series and illustrating the differences in buying roles between the IT office and the privacy office in part II, we are pleased to share the final post of this series. Part III of this blog series will share the top three fastest growing tech tools, and outline how you can gain influencing power when it comes to product acquisition.
The increasing complexity of business in the digital world, coupled with a growing list of global privacy frameworks, has increased the need for organizations to adopt solutions that demonstrate compliance and are scalable and efficient. In fact, according to the report, 92% of organizations say the need to demonstrate compliance is a motivation for technology adoption. To help manage this complex regulatory landscape, privacy professionals have turned to tech tools. The top purchase plans for the next twelve months include a spread across 11 different product categories, but the fastest growing are data mapping / flow (24%), data discovery (23%), and assessment management (20%).
Why data mapping and data flow?
One of the most important steps to build and manage a data privacy program is to create an inventory of all of the personal data processing activities within a company. If an organization does not know the type of data they collect and how it’s shared, processed and stored; or the data inflows and outflows, it is difficult to know if they meet the requirements of the privacy frameworks that impact their business. It is also difficult to know where data resides in order to be able to efficiently respond to situations where individuals may exercise their personal data rights, for example, data subject access requests (DSAR). As privacy and data protection regulations expand, companies need to demonstrate how they reduce and manage risk. Building and maintaining a data inventory is an essential first step. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations which rely heavily on a comprehensive data inventory to support risk management, compliance reporting and responding to individual rights and DSARs.
Why personal data discovery?
With regulations like GDPR and CCPA, individuals have the right to request personal data collected on them. Anytime this happens, privacy professionals are forced to spend countless hours looking for personally identifiable information (PII) of customers, employees and partners. To alleviate these time-consuming activities, privacy pros are turning to privacy tech tools with the right integrations and automation in all the right places.
Why privacy program assessment and management?
No matter what industry you are in, the size of your organization, or the maturity of your privacy program, conducting regular privacy assessments is important to understand and ensure compliance. These assessments need to address a wide range of legal requirements and best practices and will help build an action plan to identify gaps and define and manage remediation activities. This solutions brief reviews some of the most common types of privacy assessments and provides tips and tools on how to automate and efficiently manage the process.
Discover how your peers are buying and deploying privacy technology by downloading the report.
Want to learn more? Join us for a web conference: “How Privacy Tech Is Bought and Deployed (2019)” – Tuesday, Oct. 15, 2019
Sit down and listen to privacy leaders discuss findings from this report, as well as how these findings illuminate what we are seeing in the market. Register for this webinar to learn:
- What technology is truly in use versus what is still far from the mainstream.
- Which tools are better suited to reside within the privacy office rather than being housed in IT or infosec.
- How technologies with built-in security applications fare against newer privacy-office-specific solutions.
Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP
Jedidiah Bracy, CIPP, Editorial Director, IAPP
Hilary Wandall, CIPP/E, CIPP/US, CIPM, FIP, SVP Privacy Intelligence and General Counsel, TrustArc
TrustArc had the pleasure of sponsoring, speaking and exhibiting at IAPP Privacy.Security.Risk 2019 in Las Vegas last week. With over 2,000 attendees, 225 speakers and 30 exhibitors, the conference was bustling with privacy professionals from all over the world.
TrustArc co-hosted a welcome reception with RadarFirst on Monday evening to officially kick off the conference. Privacy professionals packed into the speakeasy-inspired Barbershop lounge to network and catch up over swanky cocktails.
On Monday evening, TrustArc SVP of Product Michael Lin stepped on to the Little Big Stage to discuss how businesses use the TrustArc Platform to automate and manage global privacy compliance for regulations such as GDPR, CCPA, LGPD and many others. Michael spoke on the evolution of privacy and the value of using technology to simplify privacy compliance as the privacy ecosystem becomes more complex.
On Tuesday afternoon, TrustArc SVP Privacy Intelligence and General Counsel Hilary Wandall spoke on “Demystifying the Role of Automated Intelligence in Privacy Management.” In her interactive session, Hilary explored how the privacy industry can leverage the benefits of artificial intelligence and machine learning to drive efficiencies in privacy program management.
In the exhibit hall, TrustArc privacy experts were busy discussing privacy compliance challenges with attendees at the dynamic TrustArc booth. Attendees participated in live demos and learned how TrustArc simplifies compliance through privacy-tech solutions.
Overall the conference was a great opportunity for privacy-minded professionals to learn, network and share ideas on current and upcoming privacy challenges. We look forward to partnering with the IAPP at upcoming events. Come say hello if you will be attending the IAPP ANZ Summit in Sydney, IAPP CCPA Comprehensive Live in New York or IAPP Europe Data Protection Congress in Brussels.
Check out what other events TrustArc will be at in 2019!