Secure Digital Solutions, LLC
16 Jan 2017

Preparing for GDPR: Practical Guidance

Save the Date! Preparing for GDPR: Practical Guidance for Getting Started

Webinar: February 28th, 2017 10:30-11:15 a.m. CST


If your firm provides products or services to residents of the European Union (EU), you are probably aware of the emerging operational challenges presented by the recently-enacted General Data Protection Regulation (GDPR) and its transatlantic reach to US-based organizations. With a looming compliance date set for May 25th, 2018, companies large and small are scrambling to address new compliance obligations.

For many organizations, getting started on GDPR compliance is the challenge of the moment. What sort of strategy is required to review and update operations against new data protection compliance obligations? How can time-constrained data privacy and security leaders secure the funding and support needed to meet the 2018 deadline?

Adam Stone of Secure Digital Solutions, LLC (SDS) is pleased to present the webinar Preparing for GDPR: Practical Guidance for Getting Started on February 28th, 2017 at 10:30 a.m. CST.

This webinar will help participants:

  • Understand preparation basics for GDPR compliance
  • Develop a plan for preparing and implementing GDPR controls
  • Identify available resources for GDPR preparation and implementation

Space is limited, so REGISTER NOW for this free 45-minute informational webinar. We look forward to your participation!

18 Jul 2016

Steps to Take Following Approval of EU Privacy Shield

Adam Stone, Privacy Officer
July 17th, 2016

 

Image Courtesy US Department of Commerce

After political wrangling and delays, the US Department of Commerce announced the adoption of the EU-US Privacy Shield framework on July 12, 2016. For data privacy professionals serving organizations that conduct business in the European Economic Area (EEA), this announcement is an important one. The Safe Harbor inadequacy decision handed down by the European Court of Justice in late 2015 sent many US organizations – reliant on the venerable Safe Harbor self-certification program to attest adequate protections for cross-border data flows – into a mild panic. Privacy leaders were left with few attractive options to fill the vacuum left by the inadequacy decision.

Now that the Privacy Shield program is active, many are eager to assess their privacy programs in preparation for the August 1 registration opening. Though the process for Privacy Shield self-certification is similar to Safe Harbor, registrants will find a more robust set of requirements to meet based on a slightly revised set of guiding principles:

Privacy Shield (New Framework)         | Safe Harbor (Old Framework)
Notice                                 | Notice
Choice                                 | Choice
Accountability for Onward Transfer     | Onward Transfer
Security                               | Security
Data Integrity and Purpose Limitation  | Data Integrity
Access                                 | Access
Recourse, Enforcement and Liability    | Enforcement

How can Secure Digital Solutions (SDS) help you?

Organizations planning to self-certify to the Privacy Shield framework (and take advantage of the grace period for early registrants) can benefit from an objective, third-party review of their data privacy programs. Secure Digital Solutions offers seasoned, IAPP-certified privacy professionals ready to provide effective and cost-efficient program assessments. SDS’ professionals guide privacy leaders with the data needed to make strategic decisions and operationalize privacy controls and processes.

Short on in-house data privacy experts? Contact SDS today to learn about our CPO-for-hire program. We provide executive-level data privacy resources at a fraction of the cost of retaining a large consulting or law firm.

24 Jan 2015

Privacy as Process Improvement

What, Why, and Who: The Essential Questions

By Patrick Midden, CIPP, CHPC, J.D.

Some companies see complying with privacy requirements as a roadblock; a hindrance; a problem to avoid. They think privacy regulations are too onerous, or too complex, or do not apply to them. These companies sometimes take a “stick your head in the sand” approach to privacy and hope everything just works out. But successful companies are learning that a privacy program doesn’t have to be a burden; implemented effectively, a privacy program not only reduces company risk, but it can help drive process improvements.

Most privacy regulations and frameworks provide ample room for interpretation as to how to implement an effective program. Most of them, though, require at least asking some basic questions, including:

  • Why are you collecting and using personal information?
  • Do you need all of it?
  • Who should have access to it?

An effective privacy program will answer these questions and more. Answering these questions can help uncover inefficient processes. An effective program might uncover inefficiencies, such as:

  • Employees accessing sensitive information that is not needed to do their jobs.
  • Employees redundantly storing information in multiple systems without appropriate controls.
  • Employees manually updating information across multiple systems.

But how can a privacy program help improve these processes? Collecting less data means your employees will spend less time processing it. Giving employees access to the right data at the right time means they will spend less time looking for it. Storing less data requires less disk space, less archive space, and less processing time.

In addition, many employees do not take the time to understand what they are doing; instead, they just do what they were told to do by the last person to do their job. New requirements are layered on top of the old process without analysis, making the process more complicated and difficult to follow. Reviewing your procedures for privacy risks will help these employees understand what information is important, and what information is not. This review can lead to streamlining processes, cutting out steps that are no longer relevant, and optimizing the remaining steps.

Some examples of how a privacy program review could help include:

  1. An employee at Company A makes a daily back-up copy of sensitive data outside of the official back-up processes. No employee at Company A ever looks at these old files, nor needs them. This process is inefficient because Company A is paying the employee to spend time performing a function that is already controlled through a central process. The process is also inefficient because the employee is wasting company resources by redundantly storing data.
  2. Company B always includes a social security number on each customer record, even in ancillary systems in which social security numbers are not relevant. Company B encrypts records containing a social security number. By removing social security numbers—and other sensitive data—from ancillary systems, such as customer satisfaction tracking systems, Company B can stop encrypting these databases, saving Company B time and money.
  3. Company C uses an inventory system that lists every patient who is waiting for medical supplies. Employees responsible for ordering these supplies can only determine what to order by logging into the primary care system and retrieving the appropriate patient records. By creating a daily report that lists all devices that need to be ordered, but not listing any patient information, the inventory staff can do their jobs more quickly, without accessing any patient information.

These are just some examples illustrating how integrating privacy program objectives into daily procedures can reduce the amount you need to spend on (1) data storage, (2) data processing, and (3) security. A thorough privacy review can even reduce the amount of time your employees spend performing their everyday tasks by helping streamline processes.

If you are interested in learning more please reach out to us at SDS.

24 Jan 2015

Observing 2015 Data Privacy Day

Practical Steps to Protect Your Privacy

By Adam Stone, SDS Privacy Practice Lead

January 28th marks International Data Privacy Day! To mark the occasion, Secure Digital Solutions offers the following educational and slightly entertaining content to promote privacy awareness for Data Privacy Day 2015.

For those not aware, January 28 is Data Privacy Day every year and 2015 is no exception. This occasion provides an opportunity for privacy nerds (like this writer) and regular folks alike to reflect on the changing face of personal privacy in our connected world. Rest assured dear reader, we will neither pontificate nor prognosticate on the legal and societal questions relating to the tradeoffs between convenience and personal space. We shall avoid thorny political subjects about civil liberties and national security. The fact is: In the virtual world, we must manage our privacy in ways similar to those in the real world; for we are the rulers and groundskeepers of our Islands of Privacy.

What can you do to manage your privacy and data security? Resources abound for those who are willing to search. In celebration of Data Privacy Day, the following list highlights some (certainly not all) of our favorites: