What Does GDPR Mean for Marketing?

GDPR and Marketing: Why it Matters

Has your organization considered the GDPR implications for marketing? Because of the misconception that GDPR is solely a concern for lawyers and information security teams, many organizations don’t realize how their marketing activities affect their GDPR compliance efforts. GDPR is more than a data privacy law: it is a mandate that governs how organizations market to consumers and how they collect, use, and store consumers’ personal data, so GDPR compliance and awareness are just as important for marketing departments as they are for IT departments.

However, because more than a year has passed since the GDPR enforcement deadline, some might wonder why they should still care about the GDPR implications for marketing. If organizations started their GDPR compliance efforts more than a year ago, wouldn’t they have already considered how GDPR impacts marketing? While this line of thinking is common, here’s what organizations need to realize: whether or not your core services relate to marketing, you must understand the GDPR implications for marketing at your organization. Why? Because in the year since GDPR became enforceable, most data subject complaints have related to marketing. So if marketing is necessary to your organization and you market to data subjects, you must know the GDPR implications for your organization.

In this webinar, our Director of Regulatory Compliance, Mark Hinely, will discuss how to identify if GDPR applies to your marketing activities, the benefits of following privacy best practices, and what exactly those privacy best practices are that your marketing team should be following. By the end of the webinar, you’ll learn about these four key takeaways:

  1. Marketers need to identify a legal basis for their marketing activities.
  2. Marketers must review their privacy policies and ensure that they articulate what third parties are used during marketing activities, what personal information is used for marketing activities, and the legal basis for marketing activities.
  3. Marketers need to understand data subject rights, especially data subjects’ absolute right to object to direct marketing.
  4. Marketers must monitor member state publications to stay up to date on updates and enforcement actions.

Ready to watch the full webinar? Want to learn more about how your organization’s marketing activities can be GDPR-compliant? Contact us today.

Best Practices for Data Privacy

With GDPR, CCPA, PIPEDA, and so many other new data privacy laws going into effect, knowing which laws you need to comply with and how you should go about complying with them can seem like a daunting task. In this webinar, our Director of Regulatory Compliance, Mark Hinely, will discuss how organizations can perform due diligence to ensure that they’re protecting their consumers’ privacy, and will cover industry-accepted best practices you can follow to lay the groundwork for future data privacy frameworks.

What are Best Practices for Data Privacy?

If your organization is questioning what best practices for data privacy you should follow, Mark Hinely provides four that can help you get started:

  1. Create an internal privacy framework
  2. Do more with less data
  3. Automate compliance efforts
  4. Get specific about your internal and external privacy posture

How Can You Establish an Effective Internal Privacy Framework?

An effective internal privacy framework is the foundation of your organization’s data privacy compliance efforts because it lays out what and how you’ll comply with the many privacy requirements applicable to your organization. Typically, when an organization creates an effective internal privacy framework, they’ll take the following into consideration:

  • Notices and disclosures
  • Access (Internal and External)
  • Breach notification
  • Consent
  • Risk
  • Designated responsibilities
  • Data retention
  • Vendor management

As with the internal security programs organizations establish, however, there are always sector- and organization-specific considerations that must be taken into account when creating an effective internal privacy framework. Industries such as healthcare, marketing, or education may need additional considerations regarding access to data or data retention. Individual organizations, such as a debt collection agency, also need to consider the specific types of data and processing they’ll use. Once these considerations have been made and the internal privacy framework has been designed, organizations need to document and implement it.

Overall, when you establish an effective internal privacy framework, you set your organization up for success when you’re faced with achieving multiple privacy considerations. If you want to learn more about industry-accepted best practices for data privacy and how they could benefit your business, watch the full webinar now. For more information on how KirkpatrickPrice can help you with your data privacy compliance efforts, contact us today.

Ethical Hacking: Lessons Learned from Education Systems

In today’s threat landscape, there’s no excuse for any industry to not be aware of the advancing cyber threats they’re faced with. For education institutions, this could be malware, ransomware, internal attacks, targeted attacks, and so much more. In this webinar, one of our expert penetration testers, Stuart Rorer, discusses why the education sector needs to be concerned about security risks, gives real-life examples from his experience as a systems administrator at a private school, and provides next steps your organization can take to ensure that you remain a secure and trusted education institution.

What Security Threats Do Education Institutions Face?

While some may view the education sector as less of a target for a cyber attack, the reality is that the education sector is just as likely to experience a data breach or security incident as, let’s say, a financial institution or a healthcare organization. Think of the different types of sensitive data the education sector handles on a daily basis: names, dates of birth, standardized testing scores, attendance and grade records, email addresses, phone numbers, Social Security numbers, and financial aid information. These types of sensitive data are hot commodities for malicious hackers, who will do whatever they can to get their hands on them, regardless of whether you’re a public or private school or whether you have hundreds or thousands of students. All education institutions face the threat of a data breach or security incident because of the security difficulties they contend with, such as open-access infrastructure, loose security controls, ease of access, and external trusts.

Real-Life Examples: Security Threats to Education Institutions

Understanding the threats facing education institutions wouldn’t be possible if there weren’t real-life examples to learn from. In this webinar, Stuart Rorer covers four examples, including:

  1. Ransomware Attack: Not wanting to leave his laptop in his car, an accountant brought his work laptop into a coffee shop and connected to the shop’s open Wi-Fi network. Because he didn’t use a VPN or another secure way to access the internet, he inadvertently downloaded ransomware.
  2. Disgruntled Employee: A higher education institution experienced an internal attack from a disgruntled former employee, who accessed a file containing salary information and threatened to release it to one of the organization’s global address lists.
  3. K-12 Organization: A K-12 organization believed they had a persistent intruder trying to access student information, tests, and similar data. The organization repeatedly changed the admin password, but the attacks kept occurring. The intrusions were initially attributed to malware, but the culprit turned out to be one of the senior students.
  4. Community College: A community college was having a lot of malware issues, and its IT administrators couldn’t figure out the cause. Their penetration tester discovered a rogue wireless network named similarly to the college’s own network (an “evil twin”). Students, faculty, and staff who connected to it entered their passwords and other sensitive information on a network the college did not control, making them easy targets for further attack.
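The fourth example is a classic evil-twin attack: a rogue access point advertises a name close enough to the institution’s SSID that users connect to it and type their credentials into someone else’s network. As an added illustration (this is not code from the webinar or from KirkpatrickPrice), the following Python script takes a list of observed access points and flags the ones that impersonate an authorized SSID from an unknown BSSID, advertise a look-alike name, or downgrade the expected security mode. The authorized-network inventory and the scan results are constructed for the example; in practice the scan would come from a wireless IDS or from a tool such as `iw dev wlan0 scan`.

```python
"""Flag evil-twin and look-alike Wi-Fi networks in a scan listing.

Added example. The inventory and scan results below are constructed,
not captured from any real campus network.
"""
from dataclasses import dataclass

# Assumed inventory: SSID -> BSSIDs (AP MAC addresses) the institution operates.
AUTHORIZED = {
    "Campus-WiFi": {"aa:bb:cc:00:01:01", "aa:bb:cc:00:01:02"},
    "Campus-Guest": {"aa:bb:cc:00:02:01"},
}
# Assumed security mode expected on each authorized SSID.
AUTHORIZED_SECURITY = {"Campus-WiFi": "WPA2-Enterprise", "Campus-Guest": "WPA2-PSK"}

# Characters an attacker swaps to make a name look the same at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})

# Constructed scan: what a site survey near the campus might return.
SAMPLE_SCAN = [
    {"ssid": "Campus-WiFi", "bssid": "AA:BB:CC:00:01:01", "security": "WPA2-Enterprise"},  # legitimate
    {"ssid": "Campus-WiFi", "bssid": "DE:AD:BE:EF:00:01", "security": "Open"},             # evil twin, same name
    {"ssid": "Campus_WiFi", "bssid": "DE:AD:BE:EF:00:02", "security": "Open"},             # separator swapped
    {"ssid": "Campus-W1Fi", "bssid": "DE:AD:BE:EF:00:03", "security": "WPA2-PSK"},        # homoglyph
    {"ssid": "Campus-Guest", "bssid": "AA:BB:CC:00:02:01", "security": "WPA2-PSK"},        # legitimate
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66", "security": "Open"},              # unrelated
]


@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    reason: str


def normalize(ssid: str) -> str:
    """Fold case, map common homoglyphs, and drop separators so that
    'Campus_WiFi' and 'campus-w1fi' both collapse onto 'campuswifi'-like forms."""
    folded = ssid.casefold().translate(HOMOGLYPHS)
    return "".join(ch for ch in folded if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_scan(scan, authorized=AUTHORIZED, security=AUTHORIZED_SECURITY, max_distance=2):
    """Return a Finding for every observed network that impersonates, resembles,
    or downgrades an authorized one. Networks with unrelated names are ignored."""
    findings = []
    norm_auth = {normalize(s): s for s in authorized}
    for net in scan:
        ssid, bssid, sec = net["ssid"], net["bssid"].lower(), net["security"]
        if ssid in authorized:
            # Exact name match: the only legitimate sources are our own APs.
            if bssid not in authorized[ssid]:
                findings.append(Finding(ssid, bssid, "authorized SSID broadcast by unknown BSSID (possible evil twin)"))
            if sec != security[ssid]:
                findings.append(Finding(ssid, bssid, f"security mode {sec!r} differs from expected {security[ssid]!r}"))
            continue
        # Not an exact match: look for names built to be confused with ours.
        n = normalize(ssid)
        target = norm_auth.get(n)
        if target is None:
            for cand_norm, cand in norm_auth.items():
                # Prefix check catches 'Campus-WiFi Free'; edit distance catches typo-squats.
                if n.startswith(cand_norm) or levenshtein(n, cand_norm) <= max_distance:
                    target = cand
                    break
        if target is not None:
            findings.append(Finding(ssid, bssid, f"look-alike of authorized SSID {target!r} ({sec})"))
    return findings


if __name__ == "__main__":
    for f in analyze_scan(SAMPLE_SCAN):
        print(f"{f.ssid:<14} {f.bssid}  {f.reason}")
```

The prefix and edit-distance checks will produce false positives on very short authorized SSIDs, so tune `max_distance` to the length of your own network names and treat the output as a triage list for a site walk, not as an automatic block list.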

Are you an education institution that needs to learn more about the security threats you’re facing? Want to learn more about how penetration testing can help keep the education sector secure? Watch the full webinar now.

Breach Notification: Who, When, Why

With GDPR, CCPA, PIPEDA, HIPAA, and the numerous other state-level data privacy laws going into effect, it is understandable why many organizations don’t know where to start with their breach notification processes. In fact, even if your organization is compliant with these laws and regulations, knowing what to do when a breach happens can be tricky. In this webinar, our Director of Regulatory Compliance, Mark Hinely, explains who needs to be notified of a breach, when they need to be notified, and why breach notification is important. Watch now to learn about the following key takeaways:

  • Why breach notification is unavoidable
  • How breach notification can be simplified
  • How breach notification can be good for brand management

The Importance of Understanding Breach Notification Requirements

Unfortunately, data breaches are an incredibly common experience, which is why understanding the who, when, and why of breach notification best practices is essential. Whether your organization experiences a data breach is a matter of when, not if, so it’s critical that you’re prepared and have an effective, actionable process in place for when it happens.

High-Profile Breach Notification Laws vs. US Breach Notification Laws

High-profile breach notification laws such as GDPR, CCPA, PIPEDA, and HIPAA all have specific requirements for notifying affected individuals and regulators of breaches, and many of their requirements are similar or even overlap. The US, on the other hand, has more than 50 separate state and territorial breach notification laws, which differ in important ways from the high-profile laws. For example, more states are moving towards specific notification timelines (e.g., Colorado gives 30 days and Arizona gives 45 days) rather than the more generic timelines of laws like CCPA and PIPEDA. States are also expanding the data elements that trigger notification to include items such as resident names, biometric data, military information, and IP addresses. Finally, many states are enforcing sector-specific notification requirements: New York recently implemented 23 NYCRR 500, which requires the financial services companies it regulates to notify the Department of Financial Services of qualifying cybersecurity events within 72 hours; South Carolina has breach notification requirements for insurers; and Virginia has breach notification requirements for tax preparers.

Ready to learn more about how your organization can improve your breach notification processes? Want to find out how breach notification can actually be good for business? Watch the full webinar now. To learn more about how KirkpatrickPrice can help you develop your breach notification process, contact us today.

More Breach Notification Resources

Rebuilding Trust After a Data Breach

7 Deadly Data Breaches of 2018, So Far

Auditor Insights: Where to Start with GDPR Compliance

Horror Stories: Magecart’s Malicious Skimming Campaign

Canada’s New Breach Notification Law: Preparation and Impact

HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

For additional information about the developments of breach notification laws, visit the National Conference of State Legislatures.

Internal Accountability: Monitoring Compliance

Ensuring that your organization is up-to-date on compliance requirements can be an overwhelming task, and many organizations don’t know where to begin. While many resources are about becoming compliant, they don’t explain why internal accountability is important or give you actionable steps to maintain compliance. In this webinar, our Director of Regulatory Compliance, Mark Hinely, discusses the next steps your organization can take after you’ve identified your compliance requirements and will provide you with general principles that apply to any privacy program to help you improve your internal accountability processes.

Getting Over the Burnout of Pursuing Compliance

Pursuing compliance is a tedious task – one that often leaves organizations feeling burned out and reluctant to continue monitoring compliance efforts. Organizations need to recognize that compliance should be a cycle rather than a linear function. Achieving compliance isn’t a one-and-done process; it’s something that must be continuously reviewed and monitored. Threats are constantly evolving and requirements are frequently updated. If your organization neglects to monitor your compliance efforts, you’ll put yourself at risk for incurring steep fines and penalties, damaging your reputation, and putting your business continuity at risk.

What are Actual Internal Accountability Activities?

Monitoring and auditing are two internal accountability activities that organizations should use to ensure compliance. These activities should be scheduled based on threats and vulnerabilities, the likelihood of exploitation, and/or the significance of exploitation. Generally, monitoring occurs much more frequently because it requires far less time than auditing. Auditing is generally less frequent because it covers a larger time period, is performed by staff outside the processing activities, and requires the time commitment of independent testing. To get the most out of these two internal accountability activities, organizations must also maintain proper documentation, report effectively, and implement corrective actions.

All organizations are responsible for ensuring compliance. In fact, many new data privacy laws, such as GDPR, PIPEDA, and CCPA, require internal accountability. To learn more about the processes your organization should have in place to ensure that you’re properly monitoring your compliance efforts, download the full webinar. For more information on how KirkpatrickPrice can assist you with monitoring your compliance, contact us today.