The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor – there are so many complicated, similar GDPR terms. If you’ve been confused by what terms mean and which definitions are vital to the compliance process, you are not alone.
What’s your organization’s role? Who enforces GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you be able to answer these important questions and help you begin your GDPR compliance journey.
The EU’s General Data Protection Regulation (GDPR) is a top regulatory focus, and for good reason. Organizations across the globe are mapping their data, updating their privacy policies, updating contracts, reviewing their data collection processes, and trying to figure out whether they are a data controller or processor – all to avoid the severe consequences of GDPR non-compliance. Not only are the requirements and scope for this data protection law extremely broad, but the fines and penalties that organizations could face for GDPR non-compliance are unlike any fines and penalties imposed by a regulatory body before.
The first step towards GDPR compliance is determining your organization’s data role – are you a data controller or a data processor? Determining your role under GDPR can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow.
If 2018 was the year spent anticipating the GDPR enforcement deadline, 2019 will be the year US states begin enforcing their own data privacy laws. While the California Consumer Protection Act (CCPA) isn’t the first US data privacy law to go into effect, it has certainly gained more attention than others. This could be in large part because of its similarities to GDPR, but it could also be because it’s the strictest US data privacy law of our time.
The most common questions we’re hearing related to GDPR have to do with roles – what role does my organization play? Are we a data controller or data processor? Joint controller? Controller-processor? Where should we start in our journey towards GDPR compliance? This can be a confusing aspect of compliance, but GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you.
Although the EU’s General Data Protection Regulation (GDPR) enforcement deadline has passed, many non-EU organizations are still questioning what they need to do to ensure compliance. Do they need a designated representative? Where does their designated representative need to be located? Is a designated representative the same thing as a Data Protection Officer? Who do they need to notify that they have a designated representative? How do they do this?
In this webinar, learn as KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, and the Founder and Chair of the Board of EDPO, Jane Murphy, answer these questions and more.
Because of the complexity and ambiguity of GDPR, it’s difficult for organizations to determine which requirements are absolute and which are conditional. These requirements can have a significant impact on budget, leadership, policies, and the project plan for compliance. In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, leads a discussion on mandatory versus conditional requirements, provides in-depth examples of conditional requirements, and explains the implications of treating conditional requirements as absolute.
Since GDPR went into effect on May 25, 2018, there’s been confusion on some parts of the law and clarity on others. Are you receiving updated Privacy Policies that mention data privacy? Are you still unsure how to properly collect data subjects’ consent? Have you seen organizations giving data subjects different options for giving their consent? In this webinar, Mark Hinely covers the confusion regarding consent, the regulatory developments since the GDPR enforcement date, and significant litigation to note.
Since GDPR has become enforceable, the impact of the law on privacy policies has been quite noticeable. Did you receive an influx of emails from your favorite companies notifying you of updates to their privacy policies? In an effort to create GDPR-compliant privacy policies, many organizations rushed to meet the May 25th, 2018 enforcement deadline. But what are some of the mistakes these companies are making while trying to comply with GDPR?
In this webinar, you’ll learn how privacy policies have evolved from pre-GDPR to post-GDPR, examples of what to do and what not to do when developing your external and internal privacy policies, and resources that you can utilize to ensure that your privacy policies are GDPR compliant.
The European Union’s General Data Protection Regulation (GDPR) is not just one of many other data protection frameworks or requirements. GDPR is the top regulatory focus of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. The applicability of the law follows the data, rather than following a person or location. The scope is big and the sanctions are even bigger. Born out of cybercrime threats, technology advances, and concerns about data misuse, GDPR will require all data controllers and data processors that handle personal data of EU residents to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”
The definition of a data subject under GDPR is one of the most confusing aspects of the law. There’s no formal definition, inconsistent terms within the law, no formal guidance from Article 29 Working Party, and the supervisory authority guidance is dated. So how do organizations determine who data subjects are?
Privacy and security are terms that are often believed to be synonymous, but they’re actually quite different. Understanding what that difference is plays a key role in ensuring that your organization maintains a strong security posture, while also performing your due diligence to protect your customers’ sensitive data. In this webinar, our Director of Regulatory Compliance, Mark Hinely, discusses the differences between privacy and security, why understanding the difference matters, and how knowing the difference could benefit your organization.
Much like the European Union’s General Data Protection Regulation of 2018, the California Consumer Protection Act is yet another piece of data privacy legislation that organizations must prepare for as they reexamine the way they collect, use, store, transmit, and protect data. But here’s what companies who interact with California consumers and residents must understand: while they may comply with the various other data privacy laws already being enforced, that does not mean they comply with CCPA.
In fact, no matter how similar CCPA is to other data privacy laws, there are nuances between those laws to be accounted for. What does this mean for your organization? What do you really need to know about CCPA? Here are the five core components of the law.
Organizations are experiencing increasing commercial pressure from their business customers and individual consumers to provide timely, clear, and adequate breach notification. Now, organizations are facing increasing regulatory pressure to provide timely, clear, and adequate breach notification. One of the most recent regulatory changes applies to the Texas Identity Theft Enforcement and Protection Act (TITEPA). These changes create additional regulatory requirements and force businesses to disclose certain security breaches directly to the state, which could lead to regulatory enforcement in response to the breaches.
The most frequently asked question I’ve received related to GDPR has to do with data processing roles: is my organization a data controller or data processor? Determining your organization’s data role can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow. The responsibilities of data controllers are different than responsibilities of data processors. As a result, organizations cannot know their GDPR compliance obligations until they determine whether GDPR defines them as a controller or processor.
As GDPR becomes a more and more prevalent data privacy law, we want to give organizations four actions to start with when working towards GDPR compliance. These areas should help organizations understand what kind of personal data of data subjects they have, where it goes, and what role (data controller or data processor) they fit into under GDPR. I chose the areas of data mapping, contract management, documentation review, and security standards for a couple of reasons.
First, because they are the most pressing areas upon an organization in terms of GDPR compliance and second, because they are the most universally applicable. No matter what role organizations fit into under GDPR, these areas will be useful places to start with for GDPR compliance.
Today’s organizations rely on data to fuel their business processes. Whether it’s the healthcare, financial services, hospitality, federal government, retail, telecommunications, or education industries, there are sensitive assets that malicious hackers can – and will – steal. With the growing amount of data collected by various organizations and industries, it’s no wonder why creating and enforcing a robust data retention policy is necessary.
However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what data they need to retain and for how long. Let’s take a look at some data retention best practices and how following them can help your organization establish and enforce a more compliant and useful data retention policy suitable for your organization’s needs.
According to Pew Research Center, 64% of American adults have experienced data theft. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. With every new headline of a data breach, it seems like consumers are losing more control over what personal information is publicly available.
We examine the main differences between GDPR and CCPA privacy regulations and what you need to know for your business.
It’s no secret that digital marketing is undergoing a major transformation – one that is centered on giving consumers more autonomy over the way their personal information is collected, used, stored, sold, and transmitted. Last year, we saw how the EU’s General Data Protection Regulation changed the international landscape of marketing, and 2020 will be the year the US really feels the brunt of the data privacy revolution, starting with the California Consumer Protection Act (CCPA). What are the implications of the latest data privacy law to go into effect? What does CCPA mean for marketing? How can marketers prepare? Let’s find out.
The California Consumer Privacy Act will go into effect on January 1, 2020, which gives organizations who have yet to start their compliance efforts less than three months to prepare for the enforcement of the new data privacy law. While ensuring compliance with a new legal requirement is never easy and is often stressful, we’ve come up with seven steps to follow that can act as a roadmap for CCPA compliance.
On October 10, 2019, the California Attorney General released the much-anticipated California Consumer Privacy Act (CCPA) proposed regulations – providing some clarity to the strict data privacy law. The proposed regulations were divided into four key areas: notices to consumers, consumer requests, verification requirements, and special considerations for minors. What do you need to know about these regulations? How will they impact your organization’s CCPA compliance efforts? Let’s discuss.
What does GDPR mean for marketing? We’re worried that not enough business leaders and marketers have heard of GDPR or have prepared for this radical privacy law because of a common misconception that GDPR is for lawyers and information security teams. But GDPR is more than a data privacy law: GDPR is a mandate that affects how organizations market, collect, use, and store consumers’ personal data, so GDPR compliance and awareness are just as important for the marketing departments as they are for IT departments. Has your business considered the GDPR implications for marketing?
There’s no doubt that the GDPR is reshaping the marketing industry, and yet many marketers remain unsure about what the law actually requires. The regulation is long, confusing, and in many areas, vague. Plus, there’s immediate tension between GDPR requirements and marketing principles. A marketer’s goal is to gain identification information, while GDPR’s goal is to limit identification information to what’s strictly necessary.
Let’s take a look at how Unbounce, the marketing industry’s leading landing page and conversion platform, made its journey toward GDPR compliance.
The California Consumer Privacy Act has been regarded as the United States’ strictest data privacy law of our time, and yet, many organizations still don’t know where to start with their compliance efforts. Does the law even apply to them? How can they ensure compliance? What are the steps they need to take? While no one journey toward CCPA compliance is the same, we’ve rounded up four data privacy best practices that you can follow to help with your CCPA compliance efforts. Let’s take a look at what those are.
The GDPR has quickly reshaped attitudes towards data privacy around the world and has given EU data subjects more autonomy over how their data is used than ever before. Personal data increasingly flows between organizations because most businesses outsource some aspect of their business functions, creating webs of responsibility and oversight. However, with many ambiguous requirements for data controllers, processors, and sub-processors, entities might still have questions about certain requirements under the law, such as what must be included in a data processing agreement. These data processing agreements (DPAs) are critical to ensuring the privacy of data subjects’ personal data. Let’s review what a DPA is, what needs to be included in a DPA, and examples of DPA clauses.
It’s hard to keep track of the different privacy, breach notification, and data security laws that exist in each state – but that’s the job of a thorough, expert auditor. Because of technology advancements and the implementation of GDPR, the momentum to update, amend, and create new legislation is elevated right now. Our mission is to educate you on the latest trends, legislation, and threats so that you can meet the requirements ahead of you.
Two of the most frequent questions asked about GDPR, especially from non-EU-based organizations, are: what is GDPR personal data and who is a GDPR data subject? If you’ve been asking these questions but can’t seem to find a clear answer, you are not alone. The answer to these questions can determine whether or not GDPR applies to your organization and to what extent it applies.
Vendor compliance management is a key starting point towards GDPR compliance. When your organization is deciding whether to use a vendor as part of your GDPR compliance efforts, you must follow GDPR vendor (processor) compliance management best practices.
“Alexa, what’s the weather like in Nashville today?” Amazon’s Alexa, Apple’s Siri, the Google Assistant – the list of voice assistants and voice-enabled devices seems to just keep growing. “Hey Google, could you set an alarm for 8:00 AM tomorrow?” Their basic goal is to make our lives easier, right? Through voice assistants’ language processing abilities, they can complete all types of tasks – stream music, set an alarm, take notes, order products, smart home functionality, and integration with other applications.
Voice assistants and voice-enabled devices live in the bedrooms, kitchens, and living rooms of millions of users. Voice assistants and voice-enabled devices are simultaneously helpful and vulnerable; what threats do they pose to data privacy? How do companies protect the data that users give Alexa, Siri, and the Google Assistant?
On May 25, 2018, the GDPR went into effect, putting the world’s attention on data privacy. Since the enforcement deadline has passed, there have been questions about how to comply with the law, who must comply with the law, how the law will be enforced, and so much more. Now a full year later, let’s take a look at developments and predictions for GDPR throughout 2019 and beyond.
There’s no doubt that GDPR has brought its fair share of challenges into the world of data privacy. GDPR was specifically designed to impact businesses across the globe, not just European Union Member States. Its ultimate goal, though, is to reduce regulatory differences in order to make data protection laws more consistent and make businesses more transparent.
Part of the innovativeness of GDPR is that, in order to work as intended, the law needs the collaboration of all participants. This includes data subjects, controllers and processors, data protection officers, supervisory authorities, the European Data Protection Board, and the European Commission. With so many players in the game and such a broad territorial reach, how do you know how they function together and who’s enforcing GDPR? Let’s start at the top.