Jun 09 2016

Your Path to GDPR Compliance | Step 2

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance. This multi-part program provides both guidance on what to do, along with options for helping you get it done.

Step 2: Build Consensus

In Step 2 of Your Path to GDPR Compliance, we address the most common next question, “what do I need to do to secure stakeholder commitment and resources for execution?”

Building consensus up-front is critical to the success of any privacy program within an organization and is not specific to the GDPR. Fundamental leadership principles and organizational decision-making come into play.

Because the GDPR has such a substantial impact on organizations – with significantly increased obligations, a stepped up regulatory enforcement regime, and potential fines of up to 4% of annual worldwide turnover (or revenue) – a GDPR program merits its own organizational awareness campaign.

In fact, “Awareness” is at the top of the list on the UK ICO’s (“Information Commissioner’s Office”) recently released guidance “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.” ICO’s guidance states, “You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”

The guidance goes on to recommend that companies “use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming”.

To do so, you’ll need to:

  • marshal the evidence to support a compelling business case; and
  • plan and execute your GDPR awareness campaign to secure stakeholder buy-in.


What Evidence Do I Need to Tell the Story and Support a Compelling Business Case for GDPR Compliance?

As the privacy champion, you will have to tap your inherent mastery of the art of persuasion. This means gathering as much ammunition as you need to generate a sense of urgency and persuade key stakeholders that the GDPR warrants a strong compliance program. Below are several key messages that are critical to tell a compelling story, along with a list of helpful evidence to support each proposition.

The GDPR Impacts the Company…Posing Threats and Opportunities

  • An overview of the GDPR and what specific activity makes the company subject to the new regulation
  • Key organizational risks, fines & penalties, regulatory trends and likely enforcement landscape
  • Specific stories of privacy regulation violations and what that meant to the company and to the data subject who experienced the violation
  • Reports illustrating consumer sentiment and impact to business when brand is damaged via privacy violations
  • Benchmark reports and infographics to illustrate the GDPR risk and show that other companies are taking action in response
  • Stories of companies that used their strong privacy posture as a competitive advantage

The Company Has Compliance Gaps That Require Remediation

  • The results of the initial GDPR Readiness Assessment to provide a Corporate Scorecard of where the company currently stands, with specifically identified gaps and risks
  • Any internal metrics / reports providing privacy breach incidents in the organization, any past regulatory inquiries or enforcement against the organization, history of the organization’s privacy training

The GDPR Program Proposed and the Level of Effort Required

  • Overview of the activities typically required to build a GDPR Response Program, including best practices and benchmark information from other companies
  • Summary of what it would take to close the gaps, including a rough time and cost analysis of the level of effort (LOE) to make operational changes, including training, monitoring, measuring, tech / process for privacy impact assessments and product development, contract reviews, privacy policy reviews, etc.
  • Proposed overview of how the GDPR program would operate, a rough timeline, methodology, and success metrics by which to measure progress

How Do I Plan and Execute an Effective GDPR Awareness Campaign?

Facilitate an internal kickoff and on-going planning sessions with relevant stakeholders across the organization. This initiative will be easier if you already have a designated privacy task force. If a committee is not already in place, you’ll need to start identifying and reaching out to stakeholders and key influencers. This should include senior leadership and, if possible, the CEO and Board Members. In addition, identify and invite colleagues with influence across functional areas from lines of business, legal, IT, InfoSec, HR, product development, engineering, marketing, and others.

Build and deliver a strong presentation leveraging all of the evidence gathered to tell the story. To be effective, this takes considerable preparation. Rather than go in with a dry recitation of the policy and regulatory requirements, experienced privacy practitioners recommend planning interactive and engaging sessions that may possibly even be considered a fun team-building exercise. Running your presentation by a subset of the group ahead of time to get feedback and tweak accordingly will help get stakeholders on your side before going into the kick-off meeting.

At the outset, it will be important to clearly state the following goals of the kick-off session:

  • Formalize GDPR program team structure / roles / responsibilities
  • Secure commitment that the GDPR program is a prioritized pillar / initiative aligned to the overall organization planning for the next couple years
  • Agree on short, medium and long-term goals of the GDPR program
  • Set measurable objectives with success criteria, key milestones
  • Based on a rough estimate of the level of effort (LOE), secure budget and resources

Schedule on-going planning meetings with a regular cadence to then develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program’s progress. These topics will be covered in our next blog post “Step 3: Develop Plan” and remaining steps in the TRUSTe “Your Path to GDPR Compliance” Education Series.

TRUSTe provides informational resources such as GDPR research and infographics that can serve as evidentiary assets in support of your efforts to build consensus. Some organizations may find that they could benefit from an outside consultant, with significant in-house experience building privacy programs such as the GDPR, to help successfully prepare for and guide the important kick-off sessions. TRUSTe provides the GDPR Response Workshop, a half- to full-day on-site interactive session led by TRUSTe Privacy Consultants and custom-tailored to your organization. For more information on TRUSTe On-Site Privacy Workshops, click here.

Jun 07 2016

The Privacy Implications of Home Monitoring – Summit Preview

The rapid rise of the Internet of Things—always-on devices equipped with sensors and transmitting chips that allow for the continual collection and communication of user-generated data—has begun to transform areas as diverse as connected cars, cooking, smart infrastructure, digital healthcare, agriculture and industrial channels. While each of these domains is sensitive, and necessitates the rigorous application of Privacy/Security by Design, few areas are more private than the inner sanctum of one’s home, which is increasingly becoming “connected” in various ways.

TRUSTe’s Privacy Risk Summit (this Wednesday, June 8th in San Francisco) features a session devoted to the privacy implications of home monitoring presented by Jill Bronfman, Director of the Privacy Tech Project and Adjunct Professor, University of California, Hastings College of the Law. In this final preview in our series, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to some of the vulnerabilities and opportunities in the “smart home” space.

How We Arrived Here

The exponential proliferation of Internet of Things (IoT)-connected devices can be explained by the timely melding of various drivers and technological capabilities. The prevalence of low-cost sensors, advanced and inexpensive cloud computing platforms, social media, “big data” analytics, and increased spectral efficiency of wireless technologies and networks have all expedited the creation of more interconnected devices. The fact that these devices generate valuable user data that can be anonymized, aggregated and sold to marketers and other businesses in order to provide insights about customers and prospects, has made a consumer’s behavioral data from inside the home that much more treasured.

First, the Worst Case Scenarios

The Potential for Creepiness

When in the home setting, people are at their most vulnerable. There may be children around, conversations are had that are not meant for public consumption, and generally one’s guard is relaxed in ways it might not be at work or in public. And so, the “creepiness factor” can be high. This is no better reflected than in the chilling recent case of a man hacking a couple’s baby monitor to speak to a 3-year-old boy in his bedroom and control the night-vision-enabled video camera inside. Such a violation of privacy and decency highlights the fact that there will always be people who view connected devices as an attack vector ripe for exploitation.

Exploiting Vulnerabilities

And, aside from the unsettling manipulation of baby monitors, outsiders will no doubt look for ways to compromise connected garage doors and locks in order to gain physical entry into a home, or to demand payment of a ransom before allowing the owner re-entry. Moreover, even if a hacker does not wish to personally engage in further crimes first-hand, it is not hard to fathom a black market where IoT-related vulnerabilities for devices and individuals’ homes can be peddled.

Enter Voice and Facial Recognition

Voice, video and biometric capabilities are likewise becoming components of the smart home experience. Google recently announced its plans to enter the voice-controlled virtual assistant market (a la Amazon’s Echo) with Google Home, which “becomes a hub to run a home network of Internet-connected devices that collect millions, if not billions, of pieces of data—frequently.” Google Home enables two-way conversations, can interact with the Nest smart thermostat and will engage with other smart devices that, collectively, contain data indicating when someone is home or away, and information about an individual’s preferences and more.

Next, the Good News: Good Practices Build Customer Trust

Although no device or service can unequivocally be made 100% safe and impregnable, there are ascertainable steps that any company can take to mitigate the risk of creepiness, third-party exploitation and other smart home cybercrime.

As a threshold matter, companies must continually test and be aware of all of the data that a connected home device collects and transmits. When this data is appropriately categorized (e.g., non-PII vs. PII vs. sensitive PII; actively vs. passively collected; persistent identifiers; transmission medium, etc.), inventoried, and secured (e.g., encrypted and/or de-identified), and it is understood with whom the information is shared (vendors, service processors, partners, etc.) over which networks, then companies are better able to ensure security by building in appropriate controls. Ongoing monitoring throughout the lifecycle of a connected device, as well as accurate disclosures to consumers before and throughout usage of a product, are also requisites of building customer trust.

Open Questions at the Hearth of the Connected Home

This relatively nascent frontier of monitoring about and within the home raises as yet unanswered issues for privacy-aware consumers and regulators. These include:

  • What limits, if any, are needed around the granular profiling of individuals from combined IoT-device data collected on a single platform (including, e.g., protected health information or geolocation)?
  • Should a special regulatory status be afforded to data collected in the home?
  • Where do advertisers and marketers fit into the connected home landscape?
  • How can meaningful notice and consent be provided in the IoT home setting?
  • What of unknown or future secondary uses of connected home data?

For insights and analyses of these issues and more, be sure to check out this week’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.

Jun 01 2016

Engaging the Board is First Step Toward Privacy Risk Management – Summit Preview

A board of directors cannot properly oversee the risks surrounding an issue it does not understand. Therefore, a key first step in advising the board about privacy and data protection is to educate the board about the company’s current vulnerabilities, its obligations, and the significant exposure and liability the company could face if those vulnerabilities and obligations are not appropriately addressed. In other words, directors should understand the risks and the business dependency on data governed by data protection and privacy regulations, and what is on the horizon that could seriously impact the business, before it appears in the news. Four legal experts, from different industries and with different clients, suggest ways to approach board education and persuasion when it comes to managing data.

Carly Alameda, Litigation Partner at Farella Braun & Martel LLP

“Even though boards of for-profit companies are often composed of sophisticated business people with a strong understanding of the company and industry they serve, they may not fully appreciate the particular cyber threats that exist. What data or information does the company possess that others may want, where is it, and how is it protected? What systems might be vulnerable to hackers? The board of directors needs to understand the answers to these questions as it applies to their company. Directors need to understand these risks so they can ask the right questions and fulfill their oversight role.”

Tom Widgery, Senior Director of Privacy and Information Governance at SVB Financial Group

“Financial services boards have become much more aware and concerned about data protection and the risks of security vulnerabilities in recent years. After all, it is a rare quarter when there is not a story about a security breach or hacking attempt in the news somewhere these days. Staying ahead of the board and anticipating questions on impacts to your organization from the current headlines is a challenge. The key to helping a financial services board is to latch on to an example that they understand, get their attention and leverage it to discuss the broader privacy implications that can lead to reputational risk.”

K Royal, Assistant General Counsel of Privacy and Compliance at CellTrust Corp.

“The key to being helpful to the board is to frame the concerns in a context to which the board members can relate. For example, when discussing issues around targeted behavioral advertising, the board members engaged with an example of Viagra. Not the one I would want to discuss necessarily, but one that all individuals had seen ads for and understood. What you need to avoid is dire predictions without a near-miss event. Individuals making significant decisions about a company become exhausted when faced with unrelenting risk. On the other hand, many privacy professionals present the ‘sunny’ side of their activities without providing a fair risk-based view. There is always a balance to hit, but mostly, board members want actionable items with a plan and measurable results.”

Olga V. Mack, General Counsel at ClearSlide, Inc.

“The board must have a strong understanding of and involvement with the company’s written plan for how its information will be protected and how the company will respond in the event of a breach. Having a concrete, written plan in place is key to ensuring a company understands the issues, is maximizing its preventative efforts, and can react and put its best foot forward during an attack or breach event. Cyber attacks happen fast, and there may be the need for a company-wide response within hours, or less. The board should ensure the plan is sufficient to facilitate the necessary actions well in advance of any attack.”

For further discussion with Carly Alameda, Tom Widgery, K Royal, and Olga V. Mack please join the “Cyber-heist your Corporate Mindshare: How to Engage the C-suite and Board” panel at 2:35pm on June 8 at the TRUSTe Privacy Risk Summit 2016. Register here.

Jun 01 2016

June Spotlight – Privacy Risk Summit, Legaltech West Coast, AIIM UK

Privacy Risk Summit 2016

June 8

San Francisco

The 2016 Privacy Risk Summit will bring together leading privacy practitioners, lawyers, regulators, and academics to address top privacy risks in the year ahead and share strategies for success.

The Summit builds on the success of the EU Data Protection Conference and IoT Privacy Summits to bring you an expanded program with three parallel conference tracks focusing on risks rising from technological and regulatory change and privacy risk management best practices.

TRUSTe is hosting this event. We invite you to join us in San Francisco this summer for a packed day of inspiring keynotes, dynamic panel presentations and interactive workshops.

> Register here

Legaltech West Coast

June 13 – June 14

San Francisco

Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts, see the latest and most innovative products & services.

TRUSTe is exhibiting and speaking at this event. Stop by booth #406 to see the latest privacy compliance tools or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

> Register here

AIIM Forum UK

June 22

London

The AIIM Forum UK is a free independent event brought to you by AIIM International, to deliver thought leadership, market insights and expert advice through a one-day program of educational seminars and a major showcase of the latest information management innovations.

TRUSTe’s Ralph O’Brien will be speaking on Wednesday, June 22, 4.05 – 5.00pm on the panel discussion, “Europe, Privacy & the New General Data Protection Regulations”. Key discussion points will be the legal requirements and timescales of the GDPR, plus further exploration of provisions such as the ‘Right to be Forgotten’, the ‘Right to object to Automated Processing’ and ‘Privacy by Design’, data portability vs data sharing, information governance, risk management and other commercial impacts that will affect all organizations operating in Europe.

> Register here

May 27 2016

‘Mind the Gap’ Assessment – Transport for London chooses TRUSTe Assessment Manager

This week, Transport for London confirmed they have chosen TRUSTe as their privacy technology partner and will use TRUSTe Assessment Manager to prepare for the EU General Data Protection Regulation and implement their privacy assurance program.

Transport for London is responsible for keeping a population of 8.4 million Londoners, and millions more visitors to the city, on the move through key services (and iconic brands) such as the London Underground, London buses, rail services, river boats and Santander Cycles. They also manage over 580km of roads, operate two road user charging schemes and regulate the taxi and private hire trades. Virtually everyone who visits, lives or works in London will use at least one of these services, and with increasing volumes of customer data being collected, privacy is a top priority.

James Newman, Privacy and Data Protection Manager at Transport for London (TfL) said:

I’m delighted that TRUSTe has emerged from a rigorous competitive tender process as the delivery partner for TfL’s new privacy assurance solution. TRUSTe Assessment Manager will now play a key role in TfL’s privacy assurance programme and our ongoing preparations for the implementation of the GDPR.

TRUSTe Assessment Manager transforms how companies assess, analyze, and remediate global data privacy management risks. It was purpose built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. As the first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry and was recently named a 2016 Legaltech Innovation Award Winner for Risk Management.

Find out more here and contact us for a demo today.

May 26 2016

Your Path to GDPR Compliance | Step 1

There are a lot of great resources out there summarizing all of the new requirements under the GDPR (see IAPP, other resources). But once you see the long and dizzying list of new requirements, it’s easy to get overwhelmed. Fear not, there are ways to tackle it one step at a time.

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.

While May 25, 2018 – the compliance deadline – may seem like a long way off, many items will likely take your organization considerable time to implement so it’s wise to start the process now.  Everything you put in place ahead of the deadline will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.

GDPR Compliance:  Step 1 – Assess Readiness

The very first thing to do is Assess – Are you impacted?  Where do you stand?  

Are you impacted?

You may be thinking, I don’t need to worry about the GDPR because it doesn’t impact my organization.  We don’t have offices or do business in the EU.  But the GDPR includes a significant increase in scope over prior EU data protection law that makes it “extra-territorial” or beyond just being located or doing business in the EU.

This means, you need to take a closer look.  Specifically, you should ask three threshold questions:

  1. Do you “offer goods or services to EU residents”?
  2. Do you “monitor the behavior of EU residents”?
  3. Are you a “Data Processor” (one who processes the data on behalf of the Data Controller) of EU resident “personal data” (any information relating to an identified or identifiable natural person, the “data subject”)?

If you answered, “yes” to any of the above, then you’re impacted and need to start taking steps toward compliance.  Some things to keep in mind:

  • The GDPR protects the personal data of EU residents, which includes anyone physically residing in the EU, even if they are not EU citizens.
  • By extending the scope of the GDPR to include “monitoring the behavior of EU residents”, the applicability net is cast as wide as it can get. Practically every website and app out there tracks the digital activities of its visitors. Even though you may not be actively targeting and monitoring EU residents, if you have a website or app that tracks who visits and an EU resident happens to find their way to your digital property from within the EU, you’re impacted. Moreover, monitoring of behavior can be applied more broadly and include profiling that leads to actions that analyze or predict personal preferences, attitudes and / or behaviors. Thus, the GDPR impacts targeted behavioral advertising and other data analytics.
  • The GDPR now extends due diligence obligations and potential liability to Data Processors, not just Data Controllers.  This has major impacts to cloud companies that process data on behalf of others, especially as the definition of “personal data” is now broadened and includes info like IP addresses, cookie strings, and mobile device IDs.

Where do you stand?

Now that you know that you’re impacted, you need a way to self-diagnose.  You could leverage a controls checklist, build one yourself, or take advantage of a free easy-to-use online GDPR readiness assessment tool.  Whatever self-diagnosis path you choose, you need to make sure it includes a fairly comprehensive list of the requirements so you have confidence that your assessment is thorough.

This initial GDPR assessment should guide you through GDPR operational requirements under the following areas, with particular emphasis on what’s new:

  • Transparency (i.e., Privacy Policy).  This centers on the language in your Privacy Policy.  It needs to be in “clear and plain language”, i.e., easily understood by users and not buried under a morass of legalese.  A whole host of new language must also be included, e.g., rights of data subjects, contact details of a Controller’s representative or DPO (Data Protection Officer), among others.
  • Collection and Purpose Limitation. An assessment should check on whether the info collected is necessary and relevant, with particular scrutiny around information that is sensitive, involves criminal convictions or offenses, or is collected from children under the age of 16.
  • Consent.  The consent requirements under the EU Cookie Directive still apply regarding the use of cookies and similar tracking technology.  In addition, there are consent requirements prior to Data Processing, including details for when you need explicit and informed consent, or when you must provide user controls for preferences and withdrawal of consent.
  • Data Quality.  This centers on steps taken to ensure accuracy of data and processes for deleting or correcting it.  
  • Privacy Program Management.  This is a major area requiring a multitude of operational changes – e.g., documentation of your legal basis for Cross-Border Data Transfers, PIA Programs for new products or “high risk” processing, processing activities requiring the designation of a DPO, and due diligence obligations and contracts for Onward Transfers, to name a few.
  • Security in the Context of Privacy.  This includes requirements on the use of industry-standard encryption technologies for sensitive data, systematic destruction, erasure or anonymization of data, and documentation on security programs.
  • Data Breach Readiness and Response.  A documented privacy and security Incident Response Plan is essential, particularly because there are significant new data breach notification requirements (e.g., controllers must notify supervisory authority within 72 hours).
  • Individual Rights & Remedies.  The GDPR expands individual control with new rights, e.g., the “Right to be Forgotten” (data erasure), “Right to Data Portability” (to transmit data to any other controller), enhanced rights around processing (notice, access, rectification, objection) and filing complaints.

What now?

The GDPR Readiness Assessment, powered by TRUSTe Assessment Manager includes all of the above modules.

The result includes real-time findings to show what requirements you currently meet, a gap analysis to show what’s not yet covered, and operational recommendations to close the gaps. This gives you a solid handle on where you currently stand and is critical for the next step in the Path to GDPR Compliance … to be covered in our next blog post Step 2: Build Consensus.

Visit https://www.truste.com/business-products/gdpr-privacy-solutions/ for more information on TRUSTe GDPR Solutions.

May 25 2016

Understanding your privacy risk exposure in Latin America – Summit Preview

Technology is booming in Latin America, and privacy laws and regulations are becoming more complex as well, since more technology generally means more data processing.

Latin America is a region formed by 20 different and independent countries, so getting acquainted with 20 different laws can seem quite an ordeal. Juan Luis Hernandez Conde, Founding Partner at Novus Concilium will address this topic at the upcoming TRUSTe Privacy Risk Summit on June 8th in San Francisco. In this blog post he provides an introduction to the 5 basic principles of LATAM privacy laws.

  1. No “one stop shop”

There is no document such as the GDPR (Europe’s General Data Protection Regulation) applicable to the whole region, although most of the laws are based on the EU Data Protection Directive 95/46/EC (the EU Directive). In general, most countries have a right of data self-determination in their constitutions, but more specifically, the countries can be divided into two teams.

Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPAs) to enforce it. Team two, where we can find countries such as El Salvador, Guatemala, Venezuela and Cuba, groups countries that don’t have a specific omnibus law regarding data self-determination or a DPA. There is also a set of countries transitioning from team two to team one, for example Brazil and Paraguay.

  2. “Habeas Data”

Habeas Data (which literally means “to show – the controller – has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information. Most Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.

  3. Corporate governance and policies

Some laws require controller companies to develop corporate structures and privacy policies according to certain legal principles. For example, Mexican law requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint made by data subjects.

  4. Information and Consent

The duty of information plays an important role in the region. In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of the personal information they gather. Information to be disclosed commonly includes:

  • Personal information gathered,
  • A detailed explanation of what the controller uses the data for,
  • A list of transfers to third parties,
  • The name and address of the legal entity responsible for the database and
  • Procedures to exercise habeas data rights, among others.

Consent is paramount in most Latin American jurisdictions. Almost every country with omnibus legislation requires it prior to the processing of data, each in its own unique way. For example, Mexico and Colombia allow opt-out consent for general information, but require opt-in consent in special circumstances such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, political preferences, among others).

Whatever the case, the controller company will be responsible for showing the DPA that it disclosed the information required by law and that it obtained consent before processing data.

  5. Rules on data transfers

The general rule is that data transfers can only be made with prior consent from data subjects.

However, international data transfers are regulated as well. Some countries require transfers to be made only to countries that show an “adequate level of protection”.

Some other countries, such as Mexico, allow international data transfers only if the controller company agrees (by a legally binding document) to process the information under a privacy policy in accordance with Mexican law principles.

Either case you better double check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.

 

Conclusion

Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in. Find out more in the Latin America session at the TRUSTe Privacy Risk Summit.


May 23 2016

Privacy Risk Summit Preview: Privacy by Design for IoT


The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way of the world for businesses, governments and consumers, as devices and services are increasingly connected to the Internet in real-time, 24/7. This allows for the practically ubiquitous collection, storage and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike.

However, with increased connectivity comes the potential for increased vulnerability—in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well as a consideration steadily more expected by consumers. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) features three sessions devoted to IoT privacy issues. In this second preview blog, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to Privacy by Design in the IoT context.

The Internet of Things Continues to Grow Exponentially

The IoT is a short-hand term that refers to the interconnected environment in which previously offline, data-siloed objects can now continually communicate information among other objects and people. According to one estimate, the number of IoT-connected devices will number 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285%.

Consumer-focused, “smart home” devices are already a fixture in many retail outlets (think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats and lighting systems, the list goes on), and the next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. In short, there is no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.

The Connected World Requires Pre-Conceived Privacy by Design

A recently released survey conducted by Ipsos on behalf of TRUSTe/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. This is why Privacy by Design, or the practice of building privacy and security controls into a product or service at the outset of the planning process, rather than as an afterthought, is imperative.

There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes Privacy by Design. Indeed, in the context of IoT devices, Privacy by Design in practice ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users. Still, some issues should form the basis of any Privacy by Design assessment throughout product development, and these include:

Data Minimization. Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy regimes mandate that only data relevant to the purposes for which consent was originally given may be processed. And with the new EU GDPR privacy regulation’s effective date inching closer each day—along with its application to data controllers and processors of fines equaling up to 4% of global turnover for serious infractions—all IoT folks should be mindful to collect only what is necessary to achieve their business goals (and in keeping with their disclosures and public promises).

Perform Privacy and Security Risk Assessments Throughout All Stages of Development. These complement an overall risk-based approach that includes, from the start, having a full inventory of the type and variety of personal information collected, as well as an end-to-end understanding of data flows across the life cycle of any data. As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.” TRUSTe’s SaaS-based Assessment Manager was designed with this in mind, automating the privacy impact assessment process so that companies can efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an on-going basis.

Use Security Hygiene Best Practices. This entails using secure transmission protocols and encryption for personal information in transit and at rest, building in proper authentication controls, training company staff in privacy and data security best practices, limiting permissions, and shipping a smart device with secure default settings that more advanced or aware end users can change later.

Vet Vendors and Partners. Privacy by Design considerations do not end with the device manufacturer; they extend to the partners and service providers associated with the device maker. Accordingly, IoT companies should embed processes to review third-party providers’ practices, and have contractual provisions in place that clarify responsibilities and liabilities, before any product or service goes to market.

Transparency and Control. IoT companies must be transparent with consumers—in easy-to-understand language and format—about how their troves of data are collected and used. This means up-front and accurate privacy statements, built-in mechanisms for on-going notice and choice (including just-in-time notices), conspicuous user privacy controls/dashboards, and effective communication—beyond the design phase—of access options, recommended security updates and other manifestations of respect for users’ preferences.

The Future of IoT Privacy by Design

As more devices, platforms and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust. Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies to operationalise privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation. Also unclear are issues of interoperability in the IoT context, as well as questions of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives. For insights and analyses of these issues and more, be sure to check out next month’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.
