Cyber risk, information security, privacy and compliance services to business thought leaders.
02 Aug 2018

Is Your Business in Scope for the California Consumer Privacy Act?

Image Courtesy of Pixabay.com

August 1st, 2018
Adam Stone, Principal and Chief Privacy Officer

Just as business leaders started acclimating to the data privacy requirements in the EU’s General Data Protection Regulation (GDPR), along comes a new and equally robust privacy law from the Golden State. Passed with impressive velocity and approved by Governor Jerry Brown on June 28, the California Consumer Privacy Act of 2018 (CaCPA, or “kak-pah”) raises the data privacy bar for businesses that profit from or otherwise collect, use and share personal data about California residents. In a borderless digital economy, where a business is domiciled no longer matters. The extrajurisdictional reach of CaCPA means that businesses of all sizes may fall under the statute if they provide goods or services to Californians. And who doesn’t nowadays?

Long the policy vanguard for data privacy, California generally sets the tone for the rest of the country. Many privacy experts believe that, once effective, CaCPA will move organizations (especially tech-focused firms) towards a data protection regime similar to GDPR. Operating from the constitutional position that Californians enjoy an inalienable right to privacy, CaCPA enshrines many of the same rights that GDPR does for those in the EU. These include a right to be informed; to opt out of the sale of personal information; to access and request erasure of personal information; and a right to exercise these privileges without prejudice (CaCPA, unlike GDPR, does not include a right to rectification).

If history is a guide, the state will take an aggressive stance on enforcement after the law’s January 1, 2020 effective date.

Though CaCPA covers the activities of a significant number of organizations across the US, some businesses can count themselves out of the statute’s scope. To do this, business leaders should conduct a scoping test based on the carve-outs defined in CaCPA. Here is a helpful decision-flow chart for this purpose.

In plain language, the decision flow above points to businesses that collect, process, use, share, and retain personal information about California consumers. To fall within scope, the business must meet certain thresholds for annual revenue or for the breadth of its processing of personal information. If the answer to any one of the three questions below is “yes,” organizational leaders may assume that the business is in scope of CaCPA.

  • Do we have annual gross revenues in excess of $25 million?
  • Do we, alone or in combination, annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices?
  • Do we derive 50% or more of our annual revenues from selling consumers’ personal information?

With an affirmative answer to the decision flow above, business leaders should begin reviewing their business processes to ensure compliance with CaCPA on or before the effective date. As the date draws near, expect to find numerous articles and resources for deciphering CaCPA and implementing its requirements. For business leaders seeking an early edge on the competition, hire an outside expert who can help efficiently operationalize a CaCPA-compliant data privacy program.

Adam Stone is Principal Consultant and Chief Privacy Officer for Minneapolis, MN based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or info@trustsds.com.

25 Jul 2018

Uncertainty of Privacy Shield

July 24th, 2018
By Adam Stone, Principal and Chief Privacy Officer

While many in the United States were recovering from summer vacations and fireworks displays, the European Parliament passed a non-binding resolution that could lead to the suspension of the EU-U.S. Privacy Shield Framework. For the 3,000+ organizations participating in Privacy Shield, this resolution may have a profound impact on the way firms conduct business in the EU. If the Europeans follow through on their threat to suspend Privacy Shield after the first of September 2018, participants may need to scramble for an alternative mechanism for lawful transfers of personal data from the EU, lest they run afoul of the General Data Protection Regulation (GDPR).

Such uncertainty can’t be good for business. The US enjoys a top ranking among the EU’s trading partners with $1.1 trillion in annual bilateral trade. The threat of suspending or invalidating Privacy Shield creates fresh anxiety for senior executives whose firms rely on the digital and global economy to prosper.

Disappointingly, companies interested in learning about Privacy Shield will find, on the privacyshield.gov site, no mention of the dispute or its potential ramifications for participants. The relative lack of public interest in this topic means that few news outlets have picked it up. This summer’s Privacy Shield developments have also been drowned out by the passage of the California Consumer Privacy Act of 2018.

Thus far, it seems that the only public statement coming from the Department of Commerce (Privacy Shield’s oversight body) is a July 17 meeting recap claiming a “productive discussion” between the European Parliament’s LIBE Committee and senior US officials from the National Economic Council, the Departments of Justice, Commerce and State, and the Office of the Director of National Intelligence. The released statement includes a document blandly summarizing US responses to many of the EU’s long list of grievances. What the press release lacked was a clear signal about next steps. Instead, we must wait to see what comes of these negotiations in coming weeks.

The ongoing tariff dispute between the US and EU degrades public confidence in the future of the Privacy Shield program. The current “misunderstanding” between the parties may lead to a protracted argument. As happened to the Safe Harbor program before it, Privacy Shield’s “adequacy” decision under GDPR Article 45 may be suspended or invalidated. The result of such a decision would mean that the sides must regroup and come to consensus on a new data protection accord. Just as privacy practitioners experienced a few years ago, the lengthy limbo period between old and new will lead to much frustration among business leaders.

Some argue that the EU’s recent threat is a strictly punitive measure in the face of a zero-sum game. Others note that Europe’s concerns stem from a view that the Privacy Shield program – like its predecessor – does not deliver on promises to enforce data privacy practices among participants. These issues magnify the culture clash that emerges from different histories and sociopolitical perspectives on national security, foreign intelligence gathering post-9/11, and the role of privacy as a fundamental right.

If the Privacy Shield is Suspended, What Options Remain for US Companies?

From a legal perspective, GDPR Articles 46 and 49 offer several alternatives for lawful transfers of personal data from the EU to US. These alternatives may lead to new operational challenges for privacy leaders. Add to this the hassle of dismantling a Privacy Shield-focused compliance program and starting anew (this activity is almost always an unbudgeted expense). Regardless, organizations may need to pivot to one or more of the following mechanisms:

  • Explicit Consent: Improves awareness through greater transparency; May not be appropriate for every type of business transaction.
  • Binding Corporate Rules (BCRs): Complex and expensive; Appropriate for the largest multi-national companies.
  • Standard Data Protection Clauses: Requires contract negotiations with each trading partner; Adds to firms’ contract management challenges.
  • Participation in an approved industry Code of Conduct: Limited to certain industries, such as pharmaceuticals, digital advertising and marketing.
  • Demonstrated compliance with an approved Certification program: Also limited; with uncertainty about which certifications meet EU standards for data protection.
  • Derogations (Exemptions) for Specific Situations: Promising alternative for some companies; Requires documented review and business justification.

Which option above is best for your organization? Privacy experts will probably respond with a lawyerly “it depends.” It depends on myriad factors unique to each business function and process. It depends on an understanding of risk appetite balanced with organizational values and goals. In short, the suspension of Privacy Shield may require some to go back to the drawing board to develop new data protection solutions to meet the challenge of transatlantic data flows.


22 May 2018

GDPR Deadline Looming

Does the GDPR "due date" remind us of Y2K? What will really happen on May 25th? No one really knows for sure the answer to this question but likely there will be a lot of work to continue to do in the months (and perhaps years) to follow May 25th, 2018.


GDPR Top Ten Disciplines for EU Data

#1 Data Portability
#2 Accountability Principle
#3 Extraterritorial applicability of the GDPR
#4 Maintaining records of processing activities
#5 New Data Subject Rights
#6 Privacy by Design and by default
#7 Data Protection Authority enforcement methods
#8 Pseudonymization and its use in profiling
#9 Security and breach notification
#10 One-stop shop

Stop Panicking and Start Your GDPR Readiness Journey Today

The time to act is now. Firms of all sizes must determine how GDPR will impact their business and act accordingly. For business executives who do not have the time or expertise needed to meet GDPR’s stringent requirements, our seasoned consultants will help you identify GDPR readiness gaps and define common-sense strategies for meeting compliance obligations. We leverage the in-the-trenches experience of past compliance initiatives to provide maximum value for today’s clients. Start your GDPR-focused compliance journey today with an affordable Readiness Assessment. Contact us at 952-544-0234 or visit our privacy services page for more information.

16 Jan 2018

The Great GDPR Compliance Panic of 2018

January 16th, 2018
Adam Stone, Principal Consultant

Are you falling into the rut known as the great GDPR compliance panic of 2018? Stop worrying. Many data security and privacy leaders have successfully addressed the challenges of new regulatory compliance obligations before.

Several years ago, I entered the data security and privacy world just as new business challenges emerged from two separate congressional reform bills intended to solve certain problems in the US healthcare and financial services sectors. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), followed by the Gramm-Leach-Bliley Act of 1999 (GLBA), triggered federal regulation focused on – among many other areas – data privacy and security. At the time, organizations of all sizes struggled to prepare for the new federal requirements.

The first hurdle for some organizations was to simply acknowledge the fact that HIPAA and GLBA applied to their operations. For those who moved past the acknowledgement phase, the preparatory scope crept, and unplanned business disruptions followed. In an environment where executives were unclear about the applicability and impact of HIPAA and GLBA regulations, data security and privacy professionals found little support to implement new control structures. The result: compliance programs poorly aligned to corporate mission, values and objectives.

Though data security and privacy professionals emerged wiser from the HIPAA/GLBA compliance experience of the early aughts, evidence suggests that many firms now struggle with the emerging challenges of the EU General Data Protection Regulation (GDPR). As principal consultant with Secure Digital Solutions (SDS), I hear from lots of panicked leaders who need help understanding the impact of GDPR ahead of its May 2018 effective date. We find that firms can avoid some of the setbacks of the past by adopting an effective, scalable process for GDPR compliance preparations today. Whether preparing for GDPR with in-house resources or hiring an experienced consultant, firms should adopt a GDPR Readiness process like the one in the image below.

Image: Preparing for GDPR: Process Steps (a simple process to help organizations prepare for GDPR compliance requirements)


12 Jul 2017

Security Leader’s Primer to GDPR

Understanding GDPR: The Security Leader’s (Really Concise) Primer

July 11th, 2017
Adam Stone, Chief Privacy Officer and Principal


As the effective date for the GDPR nears, the team at Secure Digital Solutions (SDS) are experiencing a significant uptick in calls from information security leaders seeking guidance about this new regulation. Though there’s much to discuss when it comes to GDPR compliance, we would like to provide a short primer to answer some of your most basic questions.


1. What is GDPR?

The GDPR (General Data Protection Regulation) is a regulation enacted by the European Union (EU) in 2016. This new rule serves many purposes, though in short, GDPR:

  • Repeals the 1995 Data Protection Directive, and addresses certain hurdles impeding economic growth for the EU by harmonizing and simplifying compliance and enforcement across EU member countries;
  • Focuses on balancing fundamental human rights and freedoms with the EU’s Digital Single Market strategy;
  • Strengthens protections for individuals via enhanced requirements for data privacy risk assessments, notice, choice, consent, data portability, right-to-be-forgotten and breach notification, among others;
  • Adapts to technological developments that emerged in years past the enactment of the Data Protection Directive;
  • Clarifies obligations for both data controllers and data processors; and
  • Enacts a new penalty structure that includes administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for certain violators.

2. Why is everyone talking about GDPR now?

The effective date for GDPR is 25 May 2018, less than a year away. Many organizations recognize that implementation activities must begin today to be compliant with GDPR mandates by that date.

3. Isn’t GDPR a legal thing? Why can’t the lawyers handle this?

Legal professionals play a critical role by helping interpret GDPR compliance obligations, establishing policy and defending our organizations in the event of GDPR-related enforcement actions. Attorneys, however, are not typically the ones who implement the controls and processes that support GDPR compliance. Many key functions have a role to play in deploying GDPR controls and processes, including of course, information security.

4. Who typically leads GDPR readiness efforts?

For organizations that have a Data Protection Officer (DPO) in place, this person will often be tapped to lead GDPR readiness efforts. Otherwise, organizations choose a leader that reflects the culture of the organization. Firms that view GDPR as chiefly a legal liability are likely to appoint General Counsel or the Chief Compliance Officer (CCO) to lead GDPR implementation efforts. For those who see GDPR as a material factor in marketing and sales initiatives, the Chief Operating Officer (COO) or Chief Marketing Officer (CMO) will lead. Some firms see GDPR as an issue closely aligned to IT, and thus will appoint the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to lead readiness efforts. Since GDPR crosses many organizational functions, whoever leads GDPR readiness efforts must have the authority to effect change throughout the firm.

5. Does GDPR define specific things that security leaders need to do?

Like most laws and regulations, the GDPR does not go into many specifics about the types of information security solutions required for compliance. Luckily for organizations with a security leader in place, there is a strong possibility that the firm already has many of the basic information security controls requirements in place. In these scenarios, security leaders should, at a minimum, conduct a gap assessment to ensure that existing controls meet GDPR standards.

It may be helpful to parse the sections of GDPR into logical chunks to identify potential areas where information security is involved. For the benefit of our readers, we provide a worksheet to get you started.

6. Where should I start in my GDPR preparations?

First and foremost, organizations should seek an understanding of whether GDPR applies to their business operations. For most, this is when a lawyer comes in handy. S/he can provide the legal advice needed to decide whether to move forward on GDPR readiness.

Assuming that GDPR does apply, we suggest that organizations begin by identifying the scope of GDPR within their operations. Doing so should minimize the disruptions created when implementing new controls and processes. Part of this scoping work includes identification of the personal data and sensitive personal data that fall into regulatory purview. Following this stage, the firm should conduct a comprehensive gap or risk assessment, aligned with the requirements of GDPR. Only after completing these first two stages should an organization develop a strategy for addressing potential gaps in GDPR compliance.

SDS’ experienced professionals stand ready to assist your organization as you prepare for GDPR. Choosing a knowledgeable advisor will help ensure that your efforts have maximum impact, even with limited budgets and resources. Contact Secure Digital Solutions today to learn more!

16 Jan 2017

Preparing for GDPR: Practical Guidance

Save the Date! Preparing for GDPR: Practical Guidance for Getting Started

Webinar: February 28th, 2017 10:30-11:15 a.m. CST


If your firm provides products or services to residents of the European Union (EU), you are probably aware of the emerging operational challenges presented by the recently-enacted General Data Protection Regulation (GDPR) and its transatlantic reach to US-based organizations. With a looming compliance date set for May 25th, 2018, companies large and small are scrambling to address new compliance obligations.

For many organizations, getting started on GDPR compliance is the challenge of the moment. What sort of strategy is required to review and update operations against new data protection compliance obligations? How can time-constrained data privacy and security leaders secure the funding and support needed to meet the 2018 deadline?

Adam Stone of Secure Digital Solutions, LLC (SDS) is pleased to present the webinar Preparing for GDPR: Practical Guidance for Getting Started on February 28th, 2017 at 10:30 a.m. CST.

This webinar will help participants:

  • Understand preparation basics for GDPR compliance
  • Develop a plan for preparing and implementing GDPR controls
  • Identify available resources for GDPR preparation and implementation

Space is limited, so REGISTER NOW for this free 45-minute informational webinar. We look forward to your participation!

18 Jul 2016

Steps to Take Following Approval of EU Privacy Shield

Adam Stone, Privacy Officer
July 17th, 2016

Image Courtesy US Department of Commerce

After political wrangling and delays, the US Department of Commerce announced the adoption of the EU-US Privacy Shield framework on July 12, 2016. For data privacy professionals serving organizations that conduct business in the European Economic Area (EEA), this announcement is an important one. The Safe Harbor inadequacy decision handed down by the European Court of Justice in late 2015 sent many US organizations – reliant on the venerable Safe Harbor self-certification program to attest adequate protections for cross-border data flows – into a mild panic. Privacy leaders were left with few attractive options to fill the vacuum left by the inadequacy decision.

Now that the Privacy Shield program is active, many are eager to assess their privacy programs in preparation for the August 1 registration opening. Though the process for Privacy Shield self-certification is similar to Safe Harbor, registrants will find a more robust set of requirements to meet based on a slightly revised set of guiding principles:

Privacy Shield (New Framework)            Safe Harbor (Old Framework)
Notice                                    Notice
Choice                                    Choice
Accountability for Onward Transfer        Onward Transfer
Security                                  Security
Data Integrity and Purpose Limitation     Data Integrity
Access                                    Access
Recourse, Enforcement and Liability       Enforcement

How can Secure Digital Solutions (SDS) help you?

Organizations planning to self-certify to the Privacy Shield framework (and take advantage of the grace period for early registrants) can benefit from an objective, third-party review of their data privacy programs. Secure Digital Solutions offers seasoned, IAPP-certified privacy professionals ready to provide effective and cost-efficient program assessments. SDS’ professionals guide privacy leaders with the data needed to make strategic decisions and operationalize privacy controls and processes.

Short on in-house data privacy experts? Contact SDS today to learn about our CPO-for-hire program. We provide executive-level data privacy resources at a fraction of the cost of retaining a large consulting or law firm.

24 Jan 2015

Privacy as Process Improvement

What, Why, and Who: The Essential Questions

By Patrick Midden, CIPP, CHPC, J.D.

Some companies see complying with privacy requirements as a roadblock; a hindrance; a problem to avoid. They think privacy regulations are too onerous, or too complex, or do not apply to them. These companies sometimes take a “stick your head in the sand” approach to privacy and hope everything just works out. But successful companies are learning that a privacy program doesn’t have to be a burden; implemented effectively, a privacy program not only reduces company risk, but it can help drive process improvements.

Most privacy regulations and frameworks provide ample room for interpretation as to how to implement an effective program. Most of them, though, require at least asking some basic questions, including:

  • Why are you collecting and using personal information?
  • Do you need all of it?
  • Who should have access to it?

An effective privacy program will answer these questions and more. Answering these questions can help uncover inefficient processes. An effective program might uncover inefficiencies, such as:

  • Employees accessing sensitive information that is not needed to do their jobs.
  • Employees redundantly storing information in multiple systems without appropriate controls.
  • Employees manually updating information across multiple systems.

But how can a privacy program help improve these processes? Collecting less data means your employees will spend less time processing it. Giving employees access to the right data at the right time means they will spend less time looking for it. Storing less data requires less disk space, less archive space, and less processing time.

In addition, many employees do not take the time to understand what they are doing; instead, they just do what they were told to do by the last person to do their job. New requirements are layered on top of the old process without analysis, making the process more complicated and difficult to follow. Reviewing your procedures for privacy risks will help these employees understand what information is important, and what information is not. This review can lead to streamlining processes, cutting out steps that are no longer relevant, and optimizing the remaining steps.

Some examples of how a privacy program review could help include:

  1. An employee at Company A makes a daily back-up copy of sensitive data outside of the official back-up processes. No employee at Company A ever looks at these old files, nor needs them. This process is inefficient because Company A is paying the employee to spend time performing a function that is already controlled through a central process. The process is also inefficient because the employee is wasting company resources by redundantly storing data.
  2. Company B always includes a social security number on each customer record, even ancillary systems in which social security numbers are not relevant. Company B encrypts records containing a social security number. By removing social security numbers—and other sensitive data—from ancillary systems, such as customer satisfaction tracking systems, Company B can stop encrypting these databases, saving Company B time and money.
  3. Company C uses an inventory system that lists every patient who is waiting for medical supplies. Employees responsible for ordering these supplies can only determine what to order by logging into the primary care system and retrieving the appropriate patient records. By creating a daily report that lists all devices that need to be ordered, but not listing any patient information, the inventory staff can do their jobs more quickly, without accessing any patient information.

These are just some examples illustrating how integrating privacy program objectives into daily procedures can reduce the amount you need to spend on (1) data storage, (2) data processing, and (3) security. A thorough privacy review can even reduce the amount of time your employees spend performing their everyday tasks by helping streamline processes.
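The Company C report in example 3 above is a data minimization control: the ordering staff get the quantity of each device to order, and nothing that identifies a patient. The following is an added illustration, not code from the original post or from any of the companies it describes. It builds an in-memory SQLite database with constructed sample rows (the table, column and device names are assumptions for the illustration), defines the daily order report as an aggregate view, and checks that the report's columns contain no patient attributes, in contrast to the record lookup the staff had to perform before.

```python
import sqlite3

# Constructed sample data for this illustration; none of it comes from the original post.
# Each row is a patient waiting for a medical supply, as the primary care system holds it.
PENDING_SUPPLY_ROWS = [
    ("P-1001", "Jane Doe",    "1970-03-04", "insulin pump",         "2015-01-20"),
    ("P-1002", "John Roe",    "1958-11-17", "blood glucose strips", "2015-01-21"),
    ("P-1003", "Ann Example", "1983-06-30", "blood glucose strips", "2015-01-21"),
    ("P-1004", "Sam Sample",  "1945-01-09", "walker",               "2015-01-22"),
]

# Columns that identify a patient; the ordering staff never need any of these.
PATIENT_COLUMNS = {"patient_id", "patient_name", "dob"}


def open_db() -> sqlite3.Connection:
    """Create an in-memory database holding the base table and the minimised report view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pending_supply ("
        "patient_id TEXT, patient_name TEXT, dob TEXT, device TEXT, requested_on TEXT)"
    )
    conn.executemany("INSERT INTO pending_supply VALUES (?, ?, ?, ?, ?)", PENDING_SUPPLY_ROWS)
    # The daily order report: one row per device with the quantity to order.
    # Aggregating by device drops every patient attribute rather than masking it,
    # so a consumer of the view cannot recover who is waiting for what.
    conn.execute(
        "CREATE VIEW daily_order_report AS "
        "SELECT device, COUNT(*) AS quantity "
        "FROM pending_supply GROUP BY device ORDER BY device"
    )
    return conn


def run(conn: sqlite3.Connection, sql: str):
    """Execute a query and return (column names, rows)."""
    cur = conn.execute(sql)
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


def legacy_lookup(conn: sqlite3.Connection):
    """What the ordering staff had to do before: pull the full patient records."""
    return run(conn, "SELECT * FROM pending_supply")


def order_report(conn: sqlite3.Connection):
    """What they query now: the aggregated view only."""
    return run(conn, "SELECT device, quantity FROM daily_order_report")


def exposes_patient_data(columns) -> bool:
    """True if a result set carries any patient-identifying column."""
    return bool(PATIENT_COLUMNS.intersection(columns))


if __name__ == "__main__":
    conn = open_db()
    old_columns, _ = legacy_lookup(conn)
    new_columns, rows = order_report(conn)
    print("legacy lookup exposes patient data:", exposes_patient_data(old_columns))
    print("daily order report exposes patient data:", exposes_patient_data(new_columns))
    for device, quantity in rows:
        print(f"{quantity:>3}  {device}")
```

In a production database the inventory role would be granted SELECT on the view alone and nothing on the base table, so the column check here stands in for the permission boundary that the real system enforces; the important design choice is that the report is derived by aggregation, which removes the identifiers, rather than by copying records and redacting them.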

If you are interested in learning more please reach out to us at SDS.

24 Jan 2015

Observing 2015 Data Privacy Day

Practical Steps to Protect Your Privacy

By Adam Stone, SDS Privacy Practice Lead

January 28th marks International Data Privacy Day! To mark the occasion, Secure Digital Solutions offers the following educational (and slightly entertaining) content to raise general privacy awareness for Data Privacy Day 2015.

For those not aware, January 28 is Data Privacy Day every year and 2015 is no exception. This occasion provides an opportunity for privacy nerds (like this writer) and regular folks alike to reflect on the changing face of personal privacy in our connected world. Rest assured dear reader, we will neither pontificate nor prognosticate on the legal and societal questions relating to the tradeoffs between convenience and personal space. We shall avoid thorny political subjects about civil liberties and national security. The fact is: In the virtual world, we must manage our privacy in ways similar to those in the real world; for we are the rulers and groundskeepers of our Islands of Privacy.

What can you do to manage your privacy and data security? Resources abound for those who are willing to search. In celebration of Data Privacy Day, the following list highlights some (certainly not all) of our favorites: