Breach Notification: Who, When, Why

With GDPR, CCPA, PIPEDA, HIPAA, and the numerous other state-level data privacy laws going into effect, it is understandable why many organizations don’t know where to start with their breach notification processes. In fact, even if your organization is compliant with these laws and regulations, knowing what to do when a breach happens can be tricky. In this webinar, our Director of Regulatory Compliance, Mark Hinely, explains who needs to be notified of a breach, when they need to be notified, and why breach notification is important. Watch now to learn about the following key takeaways:

  • Why breach notification is unavoidable
  • How breach notification can be simplified
  • How breach notification can be good for brand management

The Importance of Understanding Breach Notification Requirements

Unfortunately, data breaches are an incredibly common experience, which is why understanding the who, when, and why of breach notification is essential. For most organizations a data breach is a matter of when, not if, so it is critical that you are prepared and have an effective, actionable process in place before it happens.

High-Profile Breach Notification Laws vs. US Breach Notification Laws

High-profile breach notification laws, such as GDPR, CCPA, PIPEDA, and HIPAA, all have specific requirements for notifying regulators and affected individuals of breaches, and many of their requirements are similar or even overlap. On the other hand, the US has more than 50 state and territory breach notification laws, all of which differ considerably from the high-profile laws and from one another. For example, more states are moving toward fixed notification deadlines (e.g., Colorado gives 30 days and Arizona gives 45 days) rather than the more generic "without undue delay" style timelines of CCPA and PIPEDA. States are also expanding the definition of personal information that triggers notification to include data elements such as resident names in combination with other identifiers, biometric data, military identification numbers, and IP addresses. Finally, many states are adding sector-specific notification requirements: New York's 23 NYCRR Part 500 imposes notification obligations on financial services entities regulated by the Department of Financial Services, South Carolina has breach notification requirements for insurers, and Virginia has breach notification requirements for tax preparers.

Ready to learn more about how your organization can improve your breach notification processes? Want to find out how breach notification can actually be good for business? Watch the full webinar now. To learn more about how KirkpatrickPrice can help you develop your breach notification process, contact us today.

More Breach Notification Resources

Rebuilding Trust After a Data Breach

7 Deadly Data Breaches of 2018, So Far

Auditor Insights: Where to Start with GDPR Compliance

Horror Stories: Magecart’s Malicious Skimming Campaign

Canada’s New Breach Notification Law: Preparation and Impact

HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

For additional information about the developments of breach notification laws, visit the National Conference of State Legislatures.

Internal Accountability: Monitoring Compliance

Ensuring that your organization is up-to-date on compliance requirements can be an overwhelming task, and many organizations don’t know where to begin. Many resources explain how to become compliant, but they don’t explain why internal accountability is important or give you actionable steps to maintain compliance. In this webinar, our Director of Regulatory Compliance, Mark Hinely, discusses the next steps your organization can take after you’ve identified your compliance requirements and provides general principles that apply to any privacy program to help you improve your internal accountability processes.

Getting Over the Burnout of Pursuing Compliance

Pursuing compliance is a tedious task – one that often leaves organizations feeling burned out and reluctant to keep monitoring their compliance efforts. Organizations need to recognize that compliance is a cycle rather than a linear project. Achieving compliance isn’t a one-and-done process; it must be continuously reviewed and monitored, because threats are constantly evolving and requirements are frequently updated. If your organization neglects to monitor its compliance efforts, it risks steep fines and penalties, reputational damage, and disruption to business continuity.

What are Actual Internal Accountability Activities?

Monitoring and auditing are two internal accountability activities that organizations should use to ensure compliance. Both should be scheduled based on the threats and vulnerabilities involved, the likelihood of exploitation, and the significance of exploitation. Generally, monitoring occurs much more frequently because it requires far less time than auditing. Auditing, on the other hand, is generally less frequent because it covers a larger time period, it’s performed by staff outside of the processing activities, and it requires the time commitment of independent testing. To get the most out of these two activities, organizations must also maintain proper documentation, report results effectively, and implement corrective actions for the findings.

All organizations are responsible for ensuring compliance. In fact, many new data privacy laws, such as GDPR, PIPEDA, and CCPA, require internal accountability. To learn more about the processes your organization should have in place to ensure that you’re properly monitoring your compliance efforts, download the full webinar. For more information on how KirkpatrickPrice can assist you with monitoring your compliance, contact us today.

Privacy vs. Security: What’s the Difference?

Privacy and security are terms that are often believed to be synonymous, but they’re actually quite different. Understanding what that difference is plays a key role in ensuring that your organization maintains a strong security posture, while also performing your due diligence to protect your customers’ sensitive data. In this webinar, our Director of Regulatory Compliance, Mark Hinely, discusses the differences between privacy and security, why understanding the difference matters, and how knowing the difference could benefit your organization.

What is the Difference Between Privacy and Security?

The difference between privacy and security comes down to what they safeguard: security protects data from unauthorized access, while privacy governs how personal data about identifiable individuals may be collected, used, and shared. To better understand the difference, there are 7 key components to look at.

  • Scope
  • Particularity/Uniqueness
  • Disclosures
  • Access
  • Data Usage and Third-Party Transfers
  • Minimization
  • Retention

Why Does Knowing the Difference Matter?

In a day and age when cybersecurity attacks are at an all-time high and the threat landscape continues to evolve, knowing which security and privacy requirements your organization must adhere to is critical. This is where the importance of understanding the difference between privacy and security comes into play. Why? We’ll give you a few reasons.

  • People excel in their efforts when they know why they are doing what they’re doing. If your organization doesn’t understand why you need to follow certain security or privacy requirements, you might not actually comply with those requirements.
  • Just because an organization keeps data secure doesn’t mean they’re keeping that data private.
  • Everybody wants every privacy and security guarantee, but that’s not necessary or possible.
  • Organizations might fall short of compliance if they’re not clear on which security requirements and which privacy requirements actually apply to them.
  • Businesses could make unnecessary efforts to achieve challenging compliance objectives that do not apply to them, wasting time, money, and personnel resources.
  • Organizations could implement privacy and security controls or requirements incorrectly.

With the rise in data privacy regulations, organizations must make it a priority to know and understand the difference between privacy and security. To learn more about privacy and security, download the full webinar. For more information on how KirkpatrickPrice can help you meet your compliance needs, contact us today.

GDPR Readiness: Challenges for Organizations Outside of the EU

Although the EU’s General Data Protection Regulation (GDPR) enforcement deadline has passed, many non-EU organizations are still questioning what they need to do to ensure compliance. Do they need a designated representative? Where does their designated representative need to be located? Is a designated representative the same thing as a Data Protection Officer? Who do they need to notify that they have a designated representative? How do they do this? In this webinar, learn as KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, and the Founder and Chair of the Board of EDPO, Jane Murphy, answer these questions and more.

The Hidden Obligation Under GDPR: Article 27

Many non-EU organizations have missed a component of GDPR compliance: appointing a designated representative within the EU. This requirement comes from Article 27 of the law, which many people refer to as the “hidden obligation” within GDPR. According to Article 27, non-EU organizations must designate a representative within the EU if they process the personal data of EU data subjects in the circumstances described in Article 3(2) (offering goods or services to, or monitoring the behavior of, data subjects in the EU). A designated representative acts only on behalf of its client (a controller or processor subject to GDPR), serves as a point of contact for supervisory authorities and data subjects in the EU, and assists the controller or processor with breach notification.

How can non-EU organizations (that must comply with GDPR) determine if they need a designated representative? First, they need to identify how much and how frequently they monitor or process personal data of EU data subjects. Second, they must determine whether they have an establishment in the EU. This means that non-EU organizations must verify whether they have any organizational links to the EU, which could include employees, clients, investors, or partners. There are several factors, gray areas, and exceptions for determining whether a non-EU organization must appoint a designated representative, which we discuss in this webinar.

About EDPO

In this webinar, we’re pleased to be joined by Jane Murphy from the European Data Protection Office (EDPO). Jane is Founder and Chair of the Board of EDPO. She is a Belgo-Canadian lawyer specializing in GDPR, corporate law, M&A, and corporate governance. She is also an independent non-executive board director of listed and non-listed companies in Belgium and in France and a member of various committees (audit, risk, legal, compliance, corporate governance, and remuneration). She is Vice-President of CanCham Belux and a member of the IAPP and of the DPO Circle. She holds law degrees from Canada and Belgium, an LLM in European and International Law, and a Certificate in EU Data Protection from Solvay Brussels School of Economics and Management, and completed a summer program in International Business at Harvard.

EDPO is a privately-held Belgian company located in Brussels that acts as a trusted EU-based representative for companies located outside of the EU that fall under the scope of the GDPR. EDPO provides a certificate that confirms compliance with Article 27 of the GDPR and unlimited assistance in the handling of requests from individuals and data protection authorities across the 28 Member States of the EU. EDPO’s mission is to enable non-EU companies to continue to have access to customers in the EU. Its team of experts creates value for non-EU companies by ensuring legal certainty and by protecting them against sanctions that can reach up to €20 million or 4% of global revenues, whichever is greater.

For more information on selecting a designated representative for non-EU organizations or to find out how your organization can begin your journey toward GDPR compliance, watch the full webinar. To learn more about the GDPR services we offer, contact us today.

GDPR Readiness: Conditional Requirements

Because of the complexity and ambiguity of GDPR, it’s difficult for organizations to determine which requirements are absolute and which are conditional. These requirements can have a significant impact on budget, leadership, policies, and the project plan for compliance. In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, leads a discussion on mandatory versus conditional requirements, provides in-depth examples of conditional requirements, and explains the implications of treating conditional requirements as absolute.

What are GDPR’s Mandatory Requirements?

Under GDPR, there are requirements that organizations must comply with, regardless of size, the type of information they process, or where they are processing the data from. In other words, these requirements have no conditional clauses that would alter their applicability. Examples of GDPR’s absolute requirements include the following:

  • Legal basis for processing
  • Transparency
  • Security safeguards
  • Organizational and technical controls
  • Facilitating data subject rights
  • Controller-processor standards
  • International transfer mechanism

What are GDPR’s Conditional Requirements?

In contrast to GDPR’s mandatory requirements, there are conditional requirements whose applicability varies based on a number of factors. Examples of such conditional requirements include the following:

Records of processing: According to Article 30, controllers and processors must maintain records of their processing activities with specified content. Under Article 30(5), an organization is exempt only if all of the following hold:

  • The organization employs fewer than 250 people;
  • Its processing is only occasional;
  • Its processing is not likely to result in a risk to the rights and freedoms of data subjects; and
  • Its processing does not include special categories of data or data relating to criminal convictions and offences

Designated representative: According to Article 27, when organizations not established in the EU process personal data within the scope of Article 3(2), those organizations must designate a representative in the EU, unless all of the following hold:

  • Processing is occasional;
  • Processing does not include large scale use of special categories/criminal convictions; and
  • Processing is unlikely to result in a risk to the rights and freedoms of data subjects

Data Protection Officer: According to Article 37, controllers and processors must designate a Data Protection Officer when any of the following applies:

  • Processing is carried out by a public authority or body;
  • The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences

Data Protection Impact Assessment: According to Article 35(1) and 35(3), a controller must conduct a Data Protection Impact Assessment if the processing is likely to result in a high risk to the rights and freedoms of data subjects, and in particular when the controller is:

  • Systematically and extensively evaluating people based on automated processing, including profiling, where that evaluation leads to decisions that have a legal or similarly significant effect;
  • Processing special categories of data or data relating to criminal convictions and offences on a large scale; or
  • Systematically monitoring a publicly accessible area on a large scale

To learn more about each of these conditional requirements, download the full webinar now. For more information about how KirkpatrickPrice can assist you on your journey toward GDPR compliance, contact us today.