LegalTech West Coast Opens in San Francisco Today


Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts and see the latest and most innovative products & services.

TRUSTe Assessment Manager was recently named a 2016 Legaltech Innovation Award Winner for Risk Management. The platform transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. The first dedicated SaaS privacy assessment solution in the market. Assessment Manager brings the benefits of automation to the privacy industry. Previously legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.

Stop by booth #406 for a demo of the TRUSTe Assessment Manager platform or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

Find out more here

TRUSTe Privacy Risk Summit 2016 – Highlights

Privacy Risk Summit Highlight

250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking acquiring new ideas and practical advice to take back to the office.

The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from the start by a culinary-inspired keynote from Hilary Wandall at Merck & Co., Inc. “Deconstructing the Privacy Risk Dish” to a personal and historic perspective on the new EU-U.S. Privacy Shield from Justin Antonipillai, Counselor to the Secretary Penny Pritzker after two years as the co-lead U.S. negotiator with the European Commission.

The TRUSTe Privacy Risk Summit – Highlights

Chris Babel, CEO TRUSTe kicked off the Summit and explained how this event builds on the success of previous TRUSTe events, the EU Data Protection Conference and the IoT Privacy Summits in 2014 and 2015.Screenshot 2016-06-09 08.33.05

Adam Sedgwick and Sean Brooks from NIST were joined by Dan Caprio and Jonathan Litchman Co-Founders of The Providence Group to discuss the NIST CyberSecurity Framework and its role in managing privacy and data risk.

Screenshot 2016-06-10 10.37.10
Lively discussions and networking continued in the halls outside the breakout rooms.

Screenshot 2016-06-09 08.32.11Josh Harris, Director of Policy at TRUSTe and Hilary Wandall AVP & Chief Privacy Officer, Merck & Co., Inc. spoke about an accountability-based approach to global frameworks and local laws.

Screenshot 2016-06-09 08.31.08

Attendees heard from Paul Plofchan about how ADT had used privacy technology to streamline their ongoing privacy risk management and provide visibility to senior leadership.

Screenshot 2016-06-09 08.29.16

Justin Antonipillai delivered the closing keynote on negotiations with the European Commission on the EU-U.S. Privacy Shield.
Screenshot 2016-06-09 08.27.55Thank you to our speakers, sponsors, partners and our team of volunteers from WISP and the University of California, Hastings College of the Law. This event would not have been possible without your support!

Screenshot 2016-06-09 08.22.16

To read about future TRUSTe events, visit our upcoming events page or subscribe to the TRUSTe blog.


Engaging the Board is First Step Toward Privacy Risk Management – Summit Preview

Privacy Risk Summit

A board of directors cannot properly oversee the risks surrounding an issue it does not understand. Therefore, a key first step in advising the board about privacy and data protection is to educate the board about the company’s current vulnerabilities, its obligations, and the significant exposure and liability the company could face if those vulnerabilities and obligations are not appropriately addressed. In other words, directors should understand the risks and the business dependency on data governed by data protection and privacy regulations and what is on the horizon that could seriously impact the business, before it appears in the news. Four legal experts, from different industries and with different clients suggest ways to approach board education and persuasion when it comes to managing data.

Carly Alameda, Litigation Partner at Farella Braun & Martel LLP

“Even though boards of for-profit companies are often composed of sophisticated business people with a strong understanding of the company and industry they serve, they may not fully appreciate the particular cyber threats that exist. What data or information does the company possess that others may want, where is it, and how is it protected? What systems might be vulnerable to hackers? The board of directors needs to understand the answers to these questions as it applies to their company. Directors need to understand these risks so they can ask the right questions and fulfill their oversight role.”

Tom Widgery, Senior Director of Privacy and Information Governance at SVB Financial Group

“Financial services boards have become much more aware and concerned about data protection and the risks of security vulnerabilities in recent years. After all, it is a rare quarter when there is not a story about a security breach or hacking attempt in the news somewhere these days. Staying ahead of the board and anticipating questions on impacts to your organization from the current headlines is a challenge. The key to helping a financial services board is to latch on to an example that they understand, get their attention and leverage it to discuss the broader privacy implications that can lead to reputational risk.”

K Royal, Assistant General Counsel of Privacy and Compliance at CellTrust Corp.

“The key to being helpful to the board is to frame the concerns in a context to which the board members can relate. For example, when discussing issues around targeted behavioral advertising, the board members engaged with an example of Viagra. Not the one I would want to discuss necessarily, but one that all individuals had seen ads for and understood. What you need to avoid is dire predictions without a near-miss event. Individuals making significant decisions about a company become exhausted when faced with unrelenting risk. On the other hand, many privacy professionals present the ‘sunny’ side of their activities without providing a fair risk-based view. There is always a balance to hit, but mostly, board members want actionable items with a plan and measurable results.”

Olga V. Mack, General Counsel at ClearSlide, Inc.

“The board must have a strong understanding of and involvement with the company’s written plan for how its information will be protected and how the company will respond in the event of a breach. Having a concrete, written plan in place is key to ensuring a company understands the issues, is maximizing its preventative efforts, and can react and put its best foot forward during an attack or breach event. Cyber attacks happen fast, and there may be the need for a company-wide response within hours, or less. The board should ensure the plan is sufficient to facilitate the necessary actions well in advance of any attack.”

For further discussion with Carly Alameda, Tom Widgery, K Royal, and Olga V. Mack please join the “Cyber-heist your Corporate Mindshare: How to Engage the C-suite and Board” panel at 2:35pm on June 8 at the TRUSTe Privacy Risk Summit 2016. Register here.


Understanding your privacy risk exposure in Latin America – Summit Preview

Screenshot 2016-05-16 23.03.02Technology is booming in Latin America, and privacy laws and regulations are becoming more complex as well, since more technology generally means more data processing.

Latin America is a region formed by 20 different and independent countries, so getting acquainted with 20 different laws can seem quite an ordeal. Juan Luis Hernandez Conde, Founding Partner at Novus Concilium will address this topic at the upcoming TRUSTe Privacy Risk Summit on June 8th in San Francisco. In this blog post he provides an introduction to the 5 basic principles of LATAM privacy laws.


  1. No “one stop shop”

There is no document such as the GDPR (Europe’s General Data Protection Regulations) applicable to the whole region, although, most of the laws are based on the EU Data Protection Directive 95/46 EC (the EU Directive). In general, most countries have a right of data self-determination in their constitutions, but specifically all the countries can be divided into two teams.

Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPA) to enforce it. Team two, where we can find countries such as El Salvador, Guatemala, Venezuela and Cuba, groups countries who doesn’t have a specific omnibus law regarding data self-determination or a DPA. There are, as well, a set of countries transitioning from team two to team one, for example Brazil and Paraguay.


  1. “Habeas Data”

Habeas Data (which literally means “to show – the controller– has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information. Most of the Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.


  1. Corporate governance and policies

 Some laws require controller companies to develop some corporate structures and privacy policies according to certain legal principles. For example, Mexican Law, requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint complaint made by data subjects.


  1. Information and Consent

The duty of information, plays an important role in the region. In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of personal information they gather. Information to be disclosed commonly includes:

  • Personal information gathered,
  • A detailed explanation about what do the controller use the data for,
  • A list of transfers to third parties,
  • The name and address of the legal entity responsible for the database and
  • Procedures to exercise habeas data rights rights, among others.

Consent is paramount in most of the Latin American jurisdictions. Almost every country with an omnibus legislation require it prior to the processing of data in their own unique ways. For example, Mexico and Colombia, allow opt-out consent for general information, but require opt-in consent in special circumstances such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, political preferences among others).

Whatever the case, the controller company will be responsible to show the DPA it disclosed the information required by law and that they got consent before processing data.


  1. Rules on data transfers

The general rule is data transfers can only be made with prior consent from data subjects.

However, international data transfers are regulated as well. Some countries require transfers to only be made to countries that show an “adequate level of protection”

Some other countries, such as Mexico, allow international data transfers only if the controller company agrees (by a legal binding document) to process the information under a privacy policy in accordance with Mexican Law principles.

Either case you better double check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.



Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in. Find out more in the Latin America session at the TRUSTe Privacy Risk Summit.



Privacy Risk Summit 2016 – Save The Date


We’re excited to announce the launch of the Privacy Risk Summit 2016, taking place in San Francisco on June 8.

The Summit builds on the success of the EU Data Protection Conference and IoT Privacy Summits to offer an expanded program with three parallel conference tracks focusing on the risks rising from technological and regulatory change and privacy risk management best practices.

 100% of attendees at EU Data Protection 2015 said the event had “met or exceeded their expectations”.

The Privacy Risk Summit will bring together leading privacy practitioners, lawyers, regulators, and academics to address the top privacy risks and share proven strategies for success. We want you to be a part of it!

There are three main ways to get involved to take part in this year’s Summit.

Submit Speaker Proposal We are looking for dynamic speakers who can bring a unique perspective to privacy risk management for our audience and welcome submissions from a wide variety of roles in the privacy ecosystem. For this event we particularly welcome speakers that can share practical examples of how they have managed privacy risk in their organization. The deadline for submissions is February 28 2016 at 5.00pm (PT) Find out more details about the topics we’re looking to cover within the three tracks here.

Inquire about Sponsorships With an expected attendance of 200+ senior executives from privacy, legal compliance functions this is the ideal opportunity to demonstrate your thought leadership and solutions for privacy risk management. Request a copy of our sponsorship pack here.

Attend the Summit Join us for a packed day of keynotes, panels and case studies. Register here to benefit from the Event Launch special ticket price of $149 only available until March 7.

Check out the Privacy Risk Summit event website for further details and follow the conversation online using #PrivacyRisk.