Privacy Policies and GDPR

Since GDPR has become enforceable, the impact of the law on privacy policies has been quite noticeable. Did you receive an influx of emails from your favorite companies notifying you of updates to their privacy policies? In an effort to create GDPR-compliant privacy policies, many organizations rushed to meet the May 25th, 2018 enforcement deadline. But what are some of the mistakes these companies are making while trying to comply with GDPR? In this webinar, you’ll learn how privacy policies have evolved from pre-GDPR to post-GDPR, examples of what to do and what not to do when developing your external and internal privacy policies, and resources that you can utilize to ensure that your privacy policies are GDPR compliant.

How Does GDPR Impact External Privacy Policies?

GDPR requires (Article 12) that the information given to data subjects be concise, transparent, intelligible, and written in clear and plain language. However, in the weeks since GDPR became enforceable, many privacy policies have not met these requirements. Organizations rushing to publish what they believed to be GDPR-compliant privacy policies have often produced the opposite: policies with a higher reading level, a longer word count, and a longer reading time, making them harder to understand than they were before GDPR went into effect.

So, what should your organization be doing to avoid these pitfalls? Focus on readability. It is paramount that your consumers are actually able to comprehend your privacy policy. If your privacy policy is filled with legalese, is too long, is bundled into contracts, or fails to explain the conditions under which personal data is processed, you are not only doing a disservice to EU data subjects by failing to comply with GDPR, you are also exposing your organization to the steep fines and penalties for non-compliance.

How Does GDPR Impact Internal Privacy Policies?

Unlike the policies that consumers read, internal privacy policies are established to tell all employees how they should handle personal data. Internal privacy policies are just as important as external privacy policies and should address the following to be GDPR compliant:

  • Data minimization
  • Purpose limitation
  • Confidentiality/Non-disclosure agreements
  • Data Protection Impact Assessment
  • Coordination with designated representatives
  • Records of processing
  • Data subject rights
  • Processor management
  • Training
  • Privacy by default and by design

To learn more about the impact GDPR has on privacy policies, download the full webinar. If you’re in the process of developing your organization’s privacy policy, let us help! Use our free GDPR Privacy Policy Checklist or contact us today to speak to a GDPR expert.

NY CRR 500 and Vendor Compliance

On March 1st, 2017, the New York State Department of Financial Services (NY DFS) Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Part 500 (NY CRR 500), went into effect, establishing new cybersecurity requirements for financial services companies regulated by the DFS. NY CRR 500 requires that these companies (covered entities) develop a cybersecurity program that protects the confidentiality, integrity, and availability of nonpublic information and of their information systems.

Information technology systems today are extremely interconnected, but this comes with a price. Because most organizations conduct some portion of their business online, they expose themselves to a new level of risk. The DFS developed this regulation after monitoring cybersecurity threats to information and financial systems and concluding that the threats are keeping pace with advances in technology: they are complex, mature, and widespread. If your organization is a financial services company regulated by the NY DFS, implementing NY CRR 500 is a must.

A key component of complying with NY CRR 500 is managing your vendors’ compliance and cybersecurity efforts. Vendors hold a great deal of your security in their hands; the headlines have taught us this time and time again. The regulation defines a third-party service provider as a person or entity that is not an affiliate of the covered entity, provides services to the covered entity, and maintains, processes, or is otherwise permitted access to nonpublic information through those services. Vendors with access to nonpublic information must be held to the cybersecurity requirements that the covered entity decides upon. NY CRR 500 requires two elements for effective vendor compliance management: a cybersecurity policy and a third-party service provider security policy.

Cybersecurity Policy

As a regulation focused on cybersecurity, NY CRR Section 500.03 requires covered entities to create and maintain a cybersecurity policy based on the findings of their risk assessment. This risk assessment is an integral part of NY CRR 500 generally, and of vendor compliance in particular: through a formal risk assessment, your organization can determine what types of risk a vendor presents and how severe those risks are. Among other elements such as business continuity, asset inventory, and physical security, this cybersecurity policy must address vendor and third-party service provider management.

We believe that the vendor compliance aspect of your cybersecurity policy should align with the CIS Controls™. These 20 controls are grouped as basic, foundational, and organizational, and they help your organization build a cybersecurity policy that is intentional and prioritized to protect against cyber threats. Incorporating the CIS Controls™ into your cybersecurity policy is a strong starting point for a policy that maps to NY CRR 500.

Third-Party Service Provider Security Policy

Policies and procedures are a core element of any organization. Without them, how can you implement secure and correct processes? NY CRR 500 requires that covered entities develop and implement a third-party service provider security policy, which should include the following elements:

  • Identification of vendors
  • Risk assessment of vendors
  • The minimum cybersecurity requirements to be met by vendors in order to do business together
  • The due diligence process used to evaluate the competency of cybersecurity practices of vendors
  • Periodic assessment of vendors based on the risk they present
  • Periodic assessment of vendors to ensure the continued competency of their cybersecurity practices
  • Access control management, including use of MFA
  • Use of encryption for information in transit and at rest
  • Incident response procedures, including notification to the covered entity of any cybersecurity event

If you’ve already implemented a cybersecurity risk management program, or are beginning to create one at your organization, you’ve probably realized that there is no single universally accepted approach to cybersecurity assessments. NY CRR 500 can function alongside other helpful cybersecurity frameworks, such as SOC for Cybersecurity, ISO 27001, or the NIST Cybersecurity Framework.

As stipulated by Section 500.22 of NY CRR 500, all covered entities must have a vendor compliance management program in place by March 1st, 2019. If you need help creating this program or have other questions pertaining to this law, contact us today.

Independent Audit Verifies Transact24’s Internal Controls and Processes

Delaware, USA – Transact24 LLC, a third-party payment service provider, today announced that it has completed its SOC 1 Type II audit. This attestation verifies that Transact24 LLC has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and the appropriate testing of Transact24 LLC’s controls that may affect its clients’ financial statements. SOC 1 Type II is a report on controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). The report is issued under the SSAE 18 attestation standard and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. It demonstrates that the organization has suitable controls and processes in place. The SOC 1 Type II audit report includes Transact24 LLC’s description of its controls as well as detailed testing of those controls over a period of at least six months.

“Transact24 Group is committed to providing efficient payment solutions and is currently pursuing various key projects and strategies internationally. Completing the SSAE 18 (SOC 1) Type II Audit for Transact24 LLC is part of the necessary regulatory framework required to pursue the product and geographic opportunities identified by Transact24,” said Philip Meyer, Managing Director of Transact24 Limited.

“Many of Transact24 LLC’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, Transact24 LLC has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Transact24 LLC.”

About Transact24

Transact24 (T24) is a Hong Kong-based Payment Services Company, established in 2006, with offices and/or satellite entities in Australia, Singapore, China, Mauritius, South Africa, Austria, Gibraltar, the USA and the UK. Transact24 is licensed in the following territories: T24 (Mauritius) Ltd. holds a Payment Intermediary Services Licence from the Financial Services Commission Mauritius, and T24 (UK) Ltd. holds an Authorised Electronic Money Institution (“AEMI”) licence from the Financial Conduct Authority of the United Kingdom.

Transact24’s payment services products include Chinese Debit Card and Credit Card Acquiring; ACH processing; and Prepaid Card Program Management. T24 owns the IP for all its processing technologies and all its systems are PCI DSS Level 1 compliant.

T24 is part of the Net1 Group of companies. Net1 (www.Net1.com) has a primary listing on the NASDAQ and a secondary listing on the Johannesburg Stock Exchange.

Vendor Compliance

Most organizations use third-party vendors to help fulfill their business needs because they can’t do everything themselves. These vendors play a critical role in sustaining the business, but they can also be a liability. Why? Because a third-party vendor that isn’t properly vetted can pose a major risk to an organization.

Let’s say that your organization is a medical research lab. You’ve entered into a contract with a cloud service provider (CSP) to store the sensitive data that you’ve collected. The CSP was one of the first that you found during your research, and you did not properly vet its security posture. After a few months of using the service, you discover that an unauthorized party had been accessing your sensitive data for weeks. You realize that the CSP had no proper change-management and logging process requiring approval of, and records for, all changes to client data, and now years of ground-breaking research have been stolen.

If you’re a healthcare company, consider the sensitivity of the data that you handle and how your vendors could impact the security of that data. Let’s say you use a printing and mailing vendor who unintentionally revealed the HIV status of hundreds of recipients through a large windowed envelope. You receive complaint after complaint from recipients whose lives have now been changed by your vendor’s mistake.

Does your organization’s website have a customer service chatbot feature? Consider the consequences of a breach there. If an attacker were to compromise your chatbot, they could obtain whatever information a user enters: name, phone number, email, location. How would you explain this security incident to your users?

Could these scenarios have been avoided? Absolutely. Let’s discuss what to look for in a quality vendor, no matter what industry you’re in.

What Makes a Quality Vendor?

When KirkpatrickPrice Information Security Specialists audit a third party or vendor, they assess and report on the controls that a quality vendor should have in place. Ensuring that your vendor has these controls implemented is crucial for strengthening your own security posture and protecting your consumers’ information. The following questions can serve as a guide to those controls as you determine whether you’re working with a quality third-party vendor.

Physical Controls:

  • Does the vendor have a formal Physical Security Policy?
  • Does the vendor have requirements in place for visitors who enter sensitive facilities? Are visitors required to sign in? Do they need an ID? Are they being escorted? Is their information being logged?
  • Does the vendor use security measures (security guards, electronic/biometric access devices, etc.) to protect the facilities where sensitive data is stored, processed, or used?
  • Does the vendor have a monitored security alarm and a smoke/fire alarm system in place?
  • Does the vendor use a CCTV to monitor access to sensitive areas?
  • Does the vendor own or lease the facility where they are storing or processing sensitive data?

Organizational Controls:

  • Does the vendor have a risk assessment program?
  • Does the vendor have information security policies and procedures in place?
  • Does the vendor have incident response and business continuity plans?
  • Does the vendor retain regular audit reports from their service providers?
  • Does the vendor’s management monitor quality control, error and audit logs, and incident reporting?

Data Controls:

  • Does the vendor have an asset management program?
  • Does the vendor run backups regularly?
  • Does the vendor store backups separately from the system?
  • Does the vendor encrypt confidential data?
  • Does the vendor have a formal Access Control Policy?

Personnel Controls:

  • Does the vendor require newly hired employees to sign a Code of Ethics?
  • Does the vendor perform background screening of applicants?
  • Does the vendor offer information security awareness training to its employees?
  • Does the vendor have a formal Asset Return Policy?
  • Does the vendor conduct regular performance reviews?
  • Does the vendor maintain formal hiring and termination policies and procedures for both employees and contractors?

Network Controls:

  • Does the vendor have a formal change control/change management process?
  • Does the vendor have logging systems in place?
  • Does the vendor have network and server devices that are built according to a standard configuration process?
  • Does the vendor use encryption for all confidential data?
  • Does the vendor have a formal Wireless Network and Remote Access Policy?

As businesses increasingly look to outsource various components of their organization, ensuring that their strong security posture remains intact is crucial. By properly vetting a third-party vendor, an organization is much more likely to mitigate risk and prevent costly breaches from occurring.

Not sure if your third-party vendors are meeting these expectations? Let us help! Contact us today to learn more about our Third-Party Onsite Assessment and how KirkpatrickPrice can help you determine if you’re working with a quality vendor.

Are Your Vendors Data Processors?

Vendor compliance management is a key starting point towards GDPR compliance. When your organization is deciding whether to use a vendor, you must follow GDPR vendor (processor) compliance management best practices.

As a controller, you determine the purpose and means for processing personal data. You have authority and decision-making over personal data and take on the responsibilities of a controller as outlined in the law. Any of your vendors that process personal data of EU data subjects will be defined as “processors,” or the natural or legal person who processes personal data on your behalf. Processing is essentially anything done to personal data, including storing, archiving, transmitting, compiling, erasing or reviewing.

Determining which of your vendors process personal data under GDPR requires identifying which data elements from which data subjects are processed by each vendor – this is part of the process called “data mapping.”

Once you’ve determined which of your vendors must comply with GDPR, you must understand which GDPR requirements apply to processors. Articles 2-3, 5-23, 27-33, 37-39, and 44-49 describe GDPR requirements that apply to or directly affect processors, and these must be followed in order to attain GDPR compliance.

One way to contextualize processor requirements is by understanding the required contract elements for controller-processor relationships.

Contractual Agreements That Are GDPR Compliant

Contractual agreements are a major aspect of vendor compliance management. Article 28 describes processor requirements, including the requirement to establish a contractual relationship between controllers and processors, and provides details on what components must be included in contractual agreements.

The European Commission or Member State supervisory authorities may adopt standard contractual clauses for certain matters, but contractual agreements between controllers and their processor vendors must be in writing and stipulate the following:

  • The subject-matter, duration, nature, and purpose of the processing activities
  • The type of personal data included in processing activities
  • The categories of data subjects included in processing activities
  • The obligations and rights of the controller
  • The processor will only process personal data based on documented instructions from the controller
  • The processor ensures that persons authorized to process personal data have committed themselves to confidentiality
  • The processor takes all measures required for the security of processing (Article 32)
  • The processor respects the conditions for engaging another processor – specifically, prior specific or general written authorization from the controller and, under a general authorization, notice of any intended changes so that the controller has the opportunity to object
  • Taking into account the nature of the processing, the processor assists the controller, through appropriate technical and organizational measures, in fulfilling the controller’s obligation to respond to data subjects exercising their rights
  • The processor assists the controller in ensuring compliance with the obligations of Articles 32-36, which cover security of processing, data breach notification to supervisory authorities and data subjects, and data protection impact assessments
  • At the choice of the controller, the processor deletes or returns all personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless EU or Member State law requires the personal data to be stored
  • The processor makes all necessary compliance information available to the controller
  • The processor will allow for and contribute to audits conducted by the controller

If you’re reading this and thinking, “I’m a processor. What should I do to show I’m a GDPR compliant vendor?” then you should go through the list of items required in each contract between controllers and processors to identify whether you can comply with each of the requirements.

By using the contractual requirements as a guideline for GDPR compliance, not only will you reduce your risk of regulatory fines, you will also gain a competitive advantage by proactively pursuing GDPR compliance. By demonstrating that you meet the needs of GDPR compliant contractual agreements, you can provide controllers with the assurance they need.

If you are a controller, there are at least two questions to ask and answer for processor oversight:

  1. Have you updated your contracts to ensure that each agreement contains all of the GDPR-required elements?
  2. Are you following vendor compliance management best practices to ensure that processors are fulfilling their contractual and regulatory obligations?

For more information on GDPR compliance and vendor compliance management, contact us today.

More GDPR Resources

Are You Controller or Processor?

Whose Data is Covered by GDPR?

The Cost of GDPR Non-Compliance: Fines and Penalties