GDPR Readiness: Challenges for Organizations Outside of the EU

Although the EU’s General Data Protection Regulation (GDPR) enforcement deadline has passed, many non-EU organizations are still questioning what they need to do to ensure compliance. Do they need a designated representative? Where does their designated representative need to be located? Is a designated representative the same thing as a Data Protection Officer? Who do they need to notify that they have a designated representative? How do they do this? In this webinar, learn as KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, and the Founder and Chair of the Board of EDPO, Jane Murphy, answer these questions and more.

The Hidden Obligation Under GDPR: Article 27

Many non-EU organizations have missed a component of GDPR compliance: appointing a designated representative within the EU. This requirement comes from Article 27 of the law, which many people refer to as the “hidden obligation” within GDPR. According to Article 27, non-EU organizations must designate a representative within the EU if they monitor or process the personal data of EU data subjects. A designated representative can only act on behalf of their client (a controller or processor subject to GDPR); it acts as a point of contact for supervisory authorities and European clients and assists controllers or processors with breach notification.

How can non-EU organizations (that must comply with GDPR) determine if they need a designated representative? First, they need to identify how much and how frequently they monitor or process personal data of EU data subjects. Second, they must determine if they have an establishment in the EU. This means that non-EU organizations must verify whether they have any organizational links to EU data subjects, which could include employees, clients, investors, or partners. There are several factors, gray areas, and exceptions for determining whether a non-EU organization must appoint a designated representative that we’ll discuss in this webinar.

About EDPO

In this webinar, we’re pleased to be joined by Jane Murphy from the European Data Protection Office (EDPO). Jane is Founder and Chair of the Board of EDPO. She is a Belgo-Canadian lawyer specialized in GDPR, corporate law, M&A, and corporate governance. She is also an independent non-executive board director of listed and non-listed companies in Belgium and in France and a member of various committees (audit, risk, legal, compliance, corporate governance and remuneration). She is Vice-President of CanCham Belux, member of the IAPP, and of the DPO Circle. She holds law degrees from Canada and Belgium, an LLM in European and International Law, a Certificate in EU Data Protection from Solvay Brussels School of Economics and Management, and completed a summer program in International Business at Harvard.

EDPO is a privately-held Belgian company located in Brussels that acts as a trusted EU-based representative for companies located outside of the EU that fall under the scope of the GDPR. EDPO provides a certificate that confirms compliance with Article 27 of the GDPR and unlimited assistance in the handling of requests from individuals and data protection authorities across the 28 Member States of the EU. EDPO’s mission is to enable non-EU companies to continue to have access to customers in the EU. Its team of experts creates value for non-EU companies by ensuring legal certainty and by protecting them against sanctions that can reach up to €20 million or 4% of global revenues, whichever is greater.

For more information on selecting a designated representative for non-EU organizations or to find out how your organization can begin your journey toward GDPR compliance, watch the full webinar. To learn more about the GDPR services we offer, contact us today.

GDPR Readiness: Conditional Requirements

Because of the complexity and ambiguity of GDPR, it’s difficult for organizations to determine which requirements are absolute and which are conditional. These requirements can have a significant impact on budget, leadership, policies, and the project plan for compliance. In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, leads a discussion on mandatory versus conditional requirements, provides in-depth examples of conditional requirements, and explains the implications of treating conditional requirements as absolute.

What are GDPR’s Mandatory Requirements?

Under GDPR, there are requirements that organizations must comply with, regardless of size, the type of information they process, or where they are processing the data from. In other words, these requirements have no conditional clauses that would alter their applicability. Examples of GDPR’s absolute requirements include the following:

  • Legal basis for processing
  • Transparency
  • Security safeguards
  • Organizational and technical controls
  • Facilitating data subject rights
  • Controller-processor standards
  • International transfer mechanism

What are GDPR’s Conditional Requirements?

Contrary to GDPR’s mandatory requirements, there are conditional requirements whose applicability to organizations varies based on a number of factors. Examples of such conditional requirements include the following:

Records of processing: According to Article 30, processors and controllers must document specified content related to GDPR activities, unless:

  • An organization employs fewer than 250 people; and
  • Processing is occasional; or
  • Processing could not result in a risk to data subjects; or
  • Processing does not involve special categories of data or criminal convictions

Designated representative: According to Article 27, when organizations not established in the EU process personal data, those organizations must designate a representative in the EU, unless:

  • Processing is occasional;
  • Processing does not include large scale use of special categories/criminal convictions; and
  • Processing is unlikely to result in a risk to the rights and freedoms of data subjects

Data Protection Officer: According to Article 37, controllers and processors must designate a Data Protection Officer when:

  • Processing is carried out by a public authority or body;
  • The core activities require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities consist of processing on a large scale

Data Protection Impact Assessment: According to Article 35(1) and 35(3), a controller must conduct a Data Protection Impact Assessment if they are:

  • Processing data that is likely to result in a high risk to the rights and freedoms of data subjects;
  • Systematically and extensively evaluating people, based on automated processing, including profiling, and it leads to decisions that have a legal or similar effect;
  • Processing special categories of data or criminal convictions on a large scale; or
  • Systematically monitoring a publicly accessible area on a large scale

To learn more about each of these conditional requirements, download the full webinar now. For more information about how KirkpatrickPrice can assist you on your journey toward GDPR compliance, contact us today.

Using the HITRUST CSF Maturity Model

Organizations are often overwhelmed by the technical terminology and the number of requirements in the HITRUST CSF. However, while the HITRUST CSF may be daunting at first glance, the HITRUST CSF is not like any other framework. Achieving HITRUST CSF certification goes beyond showing whether or not you’re doing something; it shows how well you’re doing it. In order to do this, organizations are scored on how well they perform on each requirement statement. In this webinar, KirkpatrickPrice Lead Practitioner, Shannon Lane, discusses requirement statements, using the HITRUST CSF Maturity Model, and scoring.

What is the HITRUST CSF Maturity Model?

The HITRUST CSF Maturity Model is a scoring model based on the COBIT CMM and other similar models, and classifies organizations based on relative process maturity. With levels ranging from 1- to 5+, HITRUST’s goal is to elevate organizations from Level 2 to Level 3.

  • Level 1: A Level 1 organization is usually an early start-up type of organization that has informal processes. They have a weak definition of products and services and are the most agile because they have to do what it takes to get things done on the fly.
  • Level 2: Level 2 is the level at which most organizations are classified. These organizations have well-defined products and services and their projects are controlled. These organizations know what they’re doing, but don’t know why. They react to situations instead of proactively planning for them.
  • Level 3: A Level 3 organization represents HITRUST’s goal for certification. At an organization that is a Level 3, everyone understands what they’re doing and how and why they’re doing it. This organization has moved from reacting to issues to proactively planning for them. At Level 3 maturity, an organization demonstrates the most effective combination of process workflow and agility.
  • Level 4: A Level 4 organization looks for the small stuff. They are less agile because they have all of their processes in place and are actively managing success.
  • Level 5: A Level 5 organization trades agility for process management and absolute control. In this level, management has a deep understanding of the organization’s processes and operations run smoothly. While a Level 5 is almost impossible to obtain, organizations should continue to find ways to improve their balance between process and agility.

How is the HITRUST CSF Maturity Model Used?

To put it simply: the HITRUST CSF Maturity Model is used to score each of the requirement statements included in an organization’s scope. On average during a HITRUST CSF assessment, an organization might be tested on anywhere from 290 to 600 requirements. Each requirement is tested based on the maturity level of 5 areas: policy, procedure, implementation, measurement, and management. Each of these areas receives a score from 1 to 5.

In order to achieve HITRUST CSF Certification, an organization must obtain a score of 3+, which is the equivalent of a 72 or higher. Because the weight of policies, procedures, and implementation is higher than that of measurement and management, an organization that receives a score of 5/5/5/0/0 will have obtained the desired 3+.

Becoming HITRUST CSF certified might seem daunting, but it doesn’t have to be. To learn more about how organizations can move from a Level 2 to a Level 3, how the HITRUST CSF Maturity Model is used, and how the HITRUST CSF is scored, download the full webinar. Are you ready to embark on your HITRUST CSF certification journey? We want to help! Contact us today to speak to one of our HITRUST experts.

GDPR Compliance Best Practices for Today and Tomorrow

Are you looking for a high-level overview of the General Data Protection Regulation (GDPR)? Do you want to determine your role for processing personal data under the law? Do you want to find out how GDPR applies to the speech analytics and call center industries? In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, partners with CallMiner to answer these questions.

GDPR Best Practices

Ensuring that your organization is GDPR compliant is paramount if your call center collects, stores, processes, or transmits the personal data of EU data subjects. Because of this, we suggest following these GDPR best practices:

  1. Data Mapping: Organizations need to identify where their data is coming from and where it goes. A call center associate might collect a name, date of birth, and email address, but a payment collection associate might collect just payment card information. If a data subject requests that data is erased, you must be able to identify where each piece of information lives and which channels it goes through.
  2. Identify and Document Each Legal Basis for Processing: Organizations may have multiple processing activities occurring at the same time. For example, if your call center associate was an EU data subject, then you might have to establish a legal basis not only for processing the data of the consumer, but you would also have to establish and document a legal basis for processing the personal data of your employee.
  3. Create a Flow Chart for Data Subject Rights: Organizations must understand each right that GDPR gives EU data subjects. For example, if a data subject submits a request for erasure based on a withdrawal of consent, your organization must be able to identify if it can refute that request for erasure because it has a legal requirement to keep that data, if it’s in the public interest, or if the data is being used for litigation purposes.
  4. Establish and Monitor Security Standards: Organizations must identify appropriate technical and organizational measures to ensure security based on the risk of processing. If your organization, for example, processes special categories of data such as genetic data, healthcare data, biometric data, or racial data, you’re going to have greater risk and thus will need greater security measures.

Following these four GDPR best practices will help your organization demonstrate your commitment to GDPR compliance, but it’s just the tip of the iceberg. To learn more about how organizations in the speech analytics and call center industries can ensure GDPR compliance, watch the full webinar now. For more information about GDPR compliance or to learn about our GDPR services, contact us today.

About CallMiner

CallMiner helps businesses and organizations improve contact center performance and gather key business intelligence by automating their ability to listen to every customer interaction. CallMiner’s market leading cloud-based voice of the customer analytics platform automatically analyzes contacts across all communication channels: calls, chats, emails, SMS, surveys, and social.

Management’s Responsibilities During a HITRUST CSF Assessment

When your organization begins preparing to undergo a HITRUST CSF assessment, management needs to review what their own responsibilities are, regardless of how seemingly small some of them might seem. For example, does your organization have an executive charter in place that delegates the responsibilities of the CISO? What level of involvement do your C-level executives have in your information security program? In this webinar, Shannon Lane dives into one of the most commonly missed components of a HITRUST CSF assessment, the executive charter, and provides guidance on how your organization should go about ensuring that one is in place.

What is an Executive Charter?

An executive charter is a policy that drives your entire organization’s security posture. It demonstrates whether or not your senior-level executives are involved in your information security program, grants rights, responsibilities, and power to departments, defines responsibilities of individuals, establishes baseline accountability and reporting structure, and should be built into your organization’s foundational documentation.

Because the executive charter sets out who does what at each level, it serves as a type of check-and-balance system for an organization. Specifically, the executive charter for an information security management policy does this by outlining the following:

  • Addressing the CISO role and IS department
  • Defining the powers and responsibilities of the CISO/ISO
  • Defining the reporting structure of the CISO/ISO
  • Establishing the independence of the IS department
  • Allowing the IS department to set appropriate policies to the limits allowable by the CEO
  • Empowering the IS team within the whole of the corporate structure
  • Defining the limits of the IS team operation

Is My Executive Charter Compliant?

When you’re engaging in a HITRUST CSF assessment, KirkpatrickPrice Information Security Specialists will be looking to validate that your executive charter adheres to HITRUST CSF protocols. In order to ensure that your executive charter meets the expectations of the HITRUST CSF, you’ll need to ensure that your senior management officials have assigned an individual or group to do the following:

  • Ensure the effectiveness of the information protection program through program oversight
  • Establish and communicate the organization’s priorities for organizational missions, objectives, and activities
  • Review and update the organization’s security plan
  • Ensure compliance with the security plan by the workforce
  • Evaluate and accept security risks on behalf of the organization

You’ll also need to ensure that your executive charter meets the following HITRUST CSF requirement statements:

  • A senior-level information security official is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address organizational requirements.
  • The owner of the security policies has management’s approval and is assigned the responsibility to develop, review, update, and approve the security policies, and such reviews, updates, and approvals occur no less than annually.
  • An individual or dedicated team is assigned to manage the information security of the organization’s users.

The executive charter lays the foundation for a strong security posture. To learn more about how to establish and implement an executive charter to prepare for your HITRUST CSF engagement, download the full webinar. To get started on your HITRUST CSF journey, contact us today to speak to an expert.