In September 2018, California became the first state to pass a law addressing the security of connected devices. The law will go into effect in 2020 and requires manufacturers of any internet-connected device to equip it with “reasonable” security features. It is a good first step toward addressing the risks inherent in the world’s increasing connectivity.
The legislation predates any federal legislation securing IoT devices; this is not the first time that California has led the way on data privacy and security policy, and the new law may serve as a template for future legislation. The new legislation has faced both praise and criticism, but as with any policy addressing new technology, it raises many new (and sometimes difficult to answer) questions, such as the following:
What is IoT security and what are the potential consequences of insufficiently secured internet-of-things devices?
IoT security refers to steps that are taken to secure or enhance the safety of internet-connected devices, everything from the Amazon Echo, Google Home and Ring doorbell to connected appliances like stoves, refrigerators and thermostats. It can mean anything from requiring a unique password on a device to ensuring that devices use only password-protected internet connections.
There are many consequences of insufficient or nonexistent IoT device security, chief among them being that the devices can be taken over by cyber criminals and used against their owners. For example, internet-connected devices that have cameras or microphones could be used to record or listen to their owners without permission. Additionally, internet-connected devices like webcams, digital video recorders and home routers can be strung together and used in botnets for distributed denial-of-service attacks launched by cyber criminals.
What is the government doing about this?
While several IoT security bills have been submitted in Congress, none has made it to a vote. However, some states like California are implementing bills that include security requirements for IoT devices.
The main provision of the California IoT security law is that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” What do “reasonable” security features mean?
California’s IoT law leaves “reasonable security features” intentionally vague, as what “reasonable” looks like will vary by device. Generally speaking, “reasonable” security measures would include the ability to change the default username and set a unique password for the device. For some devices, it could mean the ability to set the device to accept commands only from certain voices or faces.
Will this law make the IoT secure?
It is difficult to say whether this law, or any law, will make the internet of things secure, because each device has different security vulnerabilities. That said, the bill’s vagueness, especially in its password requirements, leaves unaddressed other authentication methods, such as PINs or facial recognition, that are not considered passwords.
What are the benefits and consequences of California passing legislation ahead of the federal government?
Because California’s IoT bill requires that manufacturers include specific features when producing these devices, it will likely set off a trend that is followed nationwide. It will be less expensive for manufacturers to build all of their devices to meet California’s requirements, regardless of where they will be distributed, than it would be to produce products exclusively for California. Should this happen, it could negate the need for any type of federal legislation. However, other states or federal lawmakers may enact laws that go further than the California bill. Stronger requirements for passwords and security would require manufacturers to pivot again and would make the California law obsolete.
What next steps should state and federal legislators take when it comes to data security and privacy?
Lawmakers should continue looking for gaps in security practices and data protections and create legislation that protects users from these built-in vulnerabilities. However, it is important for users and tech companies not to wait for legislation that mandates security measures, but rather begin implementing data protections and security measures proactively.
Relentless CCPA and Data Privacy Services has You Covered
It’s 2019, and if you are still struggling to meet GDPR compliance, with the threat of severe penalties in place for those whose failure to comply puts individuals’ personal data at risk, there really is no time like the present to start taking action.
Yet with a seemingly never-ending task list to complete, how do you know which aspects of GDPR to take care of first, let alone which steps you can take to make the biggest difference to your compliance strategy efforts? Of course, you could begin by wading through page after page of extensive GDPR documentation, but let’s face it: Even if you did have the patience and perseverance for such an undertaking, you simply don’t have the time. Fortunately, there is an easier way:
Follow Our Four-Step Guide to Baseline GDPR Compliance
Relentless Privacy & Compliance works with scores of businesses across the UK and internationally, empowering them with the tools, services and strategies they need to ensure frictionless compliance with current regulations. Combining our experience with the latest insights into GDPR best practice, we’ve put together this handy guide to help your business make a smooth move towards compliance, with four steps you can start implementing today.
Step 1: Create Records of Processing Activities
Article 30 of the GDPR states that both data controllers and data processors must keep records of their processing activities. Although some Article 30 requirements apply to both controllers and processors, each is obliged to follow its own set of rules about what, and how, to record. With that in mind, your first task should be to determine whether you’re classed as a controller or a processor. The good news is that this is pretty straightforward.
How To Tell if You’re A Data Controller or Data Processor:
At the most basic level, this comes down to whether or not you’re in charge of the “what, why, how and where” of your data collection.
The data controller determines the purposes for which and the manner in which personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.
A data processor is a person who processes data on behalf of a data controller. A data controller decides the purpose and manner to be followed to process the data, while data processors hold and process data, but do not have any responsibility or control over that data.
Article 30 Requirements for Both Controllers and Processors
Regardless of whether you control or process data, you’re required to record:
Your representative in the European Union (EU) if your primary business is headquartered outside of the EU.
A general description of both technical and organisational data security measures you’ve implemented. This includes everything from encryption and anti-ransomware to limiting access only to those who need the data.
In cases where you’re transferring data outside of the EU, where that data is going and what measures are in place to protect it.
GDPR Articles 44 to 50 are primarily concerned with transferring data internationally, so it’s worth checking up on those (or talking to your GDPR compliance consultant) if this applies to you.
Article 30 Requirements for Controllers
If you’re a controller, you’ll need to record the categories of people and the types of data that you’ll be processing. In a commercial business, for example, you might record that the customer information you hold includes bank details, email addresses and physical addresses, as well as information about your employees, including their bank details, tax information, next of kin and health records. You’ll also need to record:
The types of people who will have access to your data
The length of time you intend on keeping each category of data.
Article 30 Requirements for Processors
If you’re a processor, you’ll need to record:
The name and contact details of the controller on whose behalf you process data.
Details of that controller’s DPO and EU representative where applicable.
If you work on behalf of multiple controllers, you’ll need to record these details for each one.
Step 2: Determine Your Lawful Basis For Processing Personal Data
Ready for some more good news?
The remaining three steps towards frictionless compliance with GDPR aren’t nearly as intense as Step 1. Next, for example, you simply need to follow Article 6, which states that in order to process personal data you need a valid lawful basis for doing so; in other words, the processing must be necessary to achieve a specific purpose. The six lawful bases are:
Consent: an individual gives their explicit consent for you to process their data for a specific purpose.
Contract: processing is necessary in order to carry out the terms of a contract you have with the individual. The ICO also states that this basis can be used if the individual has “asked you to take specific steps before entering into a contract.”
Legal obligation: processing is required in order to ensure you’re compliant with the law.
Vital interests: processing is required in order to protect an individual’s life.
Public task: this applies if processing is necessary in order to carry out a task that is in the public interest or an official function of your organisation. Those tasks and functions must have a clear basis in law.
Legitimate interests: the ICO tells us that this applies when “processing is necessary for your legitimate interests, or in the legitimate interests of a third party.” This, however, can be overruled if there is a good reason to protect a person’s personal data.
Step 3: Identify a Lawful basis for Processing Special Category Data
Special category data is personal data which the GDPR classes as more sensitive than other types of data, and which thus requires greater protection. This includes things like race, religion, ethnicity, and genetic and biometric data, among others. In order to process this kind of data, you’ll not only need a lawful basis from the aforementioned Article 6, but you’ll also need to meet a specific condition set out in Article 9.
The ICO has a full list of the 11 Article 9 conditions, some of which (explicit consent, vital interests, and legitimate interests) are similar to the lawful basis of Article 6. That said, it is important to note that you don’t necessarily have to use the same basis for each. In other words, if you use explicit consent under Article 6, you do not have to use explicit consent under Article 9, though you can, of course, choose to do this if it is the most appropriate solution.
Step 4: Ensure Adequate and Appropriate Data Security and Privacy measures are in Place
Our fourth and final step involves following the guidance of Article 25 and Article 32, both of which concern themselves with integrating data protection into the very heart of your organisation and taking a “privacy first” approach to new policies, initiatives and endeavours.
Article 25 requires what it calls “data privacy by design and default.” This means that both technical and organisational data security measures are implemented across the board, into every aspect of your business’ products, services and processes. It also means ensuring that you only collect, store and process data which is absolutely necessary, and that this data is only made available to people for whom access is also absolutely necessary.
Meanwhile, Article 32 mandates that those technical and organisational measures are adequate and appropriate for the level of risk involved in the data processing you carry out. At a technical level, this includes encrypting personal data, using a process known as pseudonymisation, and creating adequate data backup and disaster recovery strategies. Organisationally, this may involve staff training, updating policies, and managing data access among individuals.
Unsure if the technical and organisational data security measures you have in place are enough to meet GDPR requirements? Need further advice on lawful basis or hands-on support with data processing records?
Relentless Privacy & Compliance Services deliver bespoke GDPR solutions designed to guarantee frictionless compliance right across the board. Contact us online today to arrange your free consultation, or to find out more about how we can help, call now on +44 07732841440.
An important implication of the CCPA (California Consumer Privacy Act) is that it does not limit itself to companies that are headquartered in California. Rather, it applies to any company that carries out business in the state of California. Additionally, any business that collects personal information, which in many cases is defined in terms much broader than those used by the GDPR, must adhere to CCPA guidelines.
The scope of personal information covers anything that can be associated with an individual from financial, medical information to internet activity, IP addresses and even inferences that are drawn from the data. Anything that can be associated with or identifies an individual could be covered.
Additionally, the CCPA defines “sale” as any transfer to a third party for consideration. This includes the transfer of information between brands operating under the same parent company. Knowing how consumer data is transferred within your organization will become very important with this law.
WHAT DOES IT MEAN FOR HOSPITALITY?
Hotels today are collecting large volumes of all kinds of personal data, some of which could be sensitive in nature. The CCPA sheds light on how hotels now need to think about how they manage this data, who has access to it, and who it is shared with: OTAs, car rental companies, travel excursion companies, etc. Hotels need to know where this data goes to better understand whether it falls under the CCPA’s definition of the sale of information.
Types of Organizations to Which the CCPA Applies:
Any for-profit organization that collects consumers’ personal data, does business in California, and satisfies at least one of the following three requirements:
Has annual gross revenues in excess of $25M
Possesses the personal information of 50,000 or more consumers, households or devices on an annual basis
Earns more than half of its annual revenue from selling consumers’ personal information
Individuals to Which the CCPA Applies: California residents – including both consumers and employees
MAJOR THEMES OF COMPLIANCE:
Right to disclosure – This is the right to be informed, at or before the time that personal information is collected, of the type of information being collected and why it is being collected. Additionally, consumers under this law have the right to request a data trail of what information was collected about them and how it was used after the fact.
This presents two significant problems for hotels. First, hotels will need to be able to track every data point they have collected on individuals including where the data was sent and how it was used.
With hundreds if not thousands of data points collected on every individual, this is daunting. Second, hotels will be tasked with verifying the identity of the requester to ensure this isn’t a form of fraud.
Right to deletion – Consumers have the right to request that a business delete all of the information it has on file about them. However, there are nine exceptions to this right under the GDPR and, similarly, under the CCPA. Unfortunately, consumers will often try to use this right as a way of abusing the system or creating what they think will be a loophole to escape obligations, for example payment for services such as bar bills, room service or cancelled bookings.
Right to opt out – This refers to consumers’ right to opt out of the downstream “sale” of their personal information.
Right to non-discrimination – Businesses can’t deny goods or services to consumers who exercise their right to privacy.
The right to opt out and the right to non-discrimination present a particularly troubling issue for hotel loyalty programs. In fact, it is impossible to comply: for example, a hotel needs a person’s stay information to be able to give them the benefits that come with their stay from a loyalty perspective. There is currently an amendment pending that could exclude loyalty programs specifically, but if the amendment doesn’t pass, this could put significant stress on loyalty programs.
What are the penalties?
There are two possible outcomes.
In the case of a data breach, individuals will be given the opportunity to bring a class action lawsuit on the basis of statutory damages. This means that consumers will not have to prove they suffered any damages; they will only have to prove their information was exposed and the company did not have reasonable security measures in place. Damages will range between $100 and $750 per person per incident. So if 10,000 California residents are impacted by a breach, that’s a minimum of $1 million, besides all of the additional costs associated with data breaches.
The attorney general can pursue hospitality companies for any breach of the law, which will usually result in a fine. The hospitality company will be given 30 days to fix whatever the offence was before the fine is imposed.
Hospitality Sector Vendor Risk
For many hospitality companies, their partnerships with vendor members could pose a significant risk. However, the CCPA offers specific provisions that hotel companies can include in their contracts with service providers so that they are not liable if the service provider misuses the consumer data. This is a protection built into the law.
Our ten advisory steps that hospitality companies could take to minimize their risk include:
1) Assess your CCPA compliance
2) Complete CCPA assessments
3) Map the flow of personal data to perform key CCPA tasks
4) Streamline and comply with CCPA consumer rights
5) Meet the “Do not sell my personal information” requirement
6) Enable location specific cookie banners
7) Review vendors for CCPA contract obligation accountability
8) Comply with California data breach notification laws
9) Train employees
10) Enable reporting and metrics; keep evidence of consumer reports
Relentless Privacy and Compliance Services CCPA Service has you covered
Data protection is unlikely to be foremost in people’s minds when considering the impact of Brexit, whether it be soft or hard, deal or no deal. The UK Government has, however, recently issued papers about various topics in a ‘no deal’ situation, and one of these is entitled: Data protection if there’s no Brexit deal.
In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.
The UK faces the prospect of being regarded as a third country when it exits the EU. As a result, the transfer of personal data from organisations within the EU to other organisations in the UK will be subject to strict data transfer rules, as set out by the EU General Data Protection Regulation (GDPR). EU organisations will have to ensure their transfers to the UK are lawful, and that’s not going to be as simple as it is now.
You may have heard talk about ‘adequacy’ and speculation about whether the UK will be given ‘adequacy status’. Let’s explain.
What is adequacy?
It’s all about demonstrating to the EU that the UK is a safe place for data processing so that restrictions on data transfers are not imposed. The European Commission can assess non-EU countries’ level of personal data protection to see if it is essentially of an equivalent level to that of the EU. If a country ‘passes’ the rigorous testing, the Commission can make an Adequacy decision.
Countries with adequacy are not bound by the appropriate safeguard requirements set out in Article 46 and Article 47 of the GDPR, and personal data can flow unrestricted.
The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. We should also mention the US-EU Privacy Shield, which is a recognised control for data transfers between the US and EU. This is limited to organisations in the US who sign up to the Privacy Shield framework.
Most recently in July 2018, the EU and Japan agreed to recognise each other’s data protection systems as ‘equivalent’.
Will the UK automatically be awarded adequacy status?
Unless a Brexit deal is reached between the UK and the EU before 31st October 2019 which covers data protection and data transfer arrangements, the answer is no. The Commission would need to go through an assessment process before adequacy could be granted. Despite pleas from the UK Government for this process to start, the Commission’s current position is that it will not commence the process until the UK has left the EU and become a third country. Article 45 of the GDPR sets out what the Commission should take into account when considering whether to grant adequacy.
Is the UK likely to be awarded adequacy status?
If the UK leaves the EU on October 31st 2019 with no agreement surrounding data protection & data transfers, the UK Government has stressed, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
It is widely hoped this will go a long way in persuading the EC to grant adequacy. However, there are concerns the Commission will take a more detailed look at the UK’s crime and national security legislation during its assessment, and in particular the controversial Investigatory Powers Act 2016. This has been criticised by the European Court of Human Rights for giving too much power to security and intelligence services which could violate individual privacy.
Japan will be the first adequacy decision made under GDPR so the UK Government can learn a lot from the process, the EDPB (European Data Protection Board) opinion that has been requested, and the final adequacy decision (once published). Japan has a different data protection regime and has had to agree to add to their national law to get adequacy. Therefore, given the UK implemented Directive 95/46 and has implemented GDPR, a decision that the UK is not adequate would seem unlikely. However, as a third country the UK will be subject to greater scrutiny, and Brexit is unprecedented, so nothing is certain.
The EC’s process for reaching an adequacy decision typically lasts several months (even years) and there is no guarantee it will be granted.
So, what do organisations need to do?
Let’s be clear, if no agreement is reached the UK will become a third country to the EU and will not have adequacy – at least not right after Brexit. So new restrictions for EU-UK data transfers will apply – at least in theory.
UK to EU transfers
The transfer of personal data from the UK to EU member states will, according to the Government, remain unaffected. The Government has stated, “In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”
EU to UK transfers
UK organisations which receive any transfers of personal data of EU citizens, or any personal data from EU member states, need to prepare for the possibility of no deal. Initially, at the least, the UK will not be deemed an adequate country and there will be a burden for compliance with Articles 46-49 of GDPR on organisations sending personal data to the UK.
Organisations are being advised now to work with their EU partners to ensure compliant transfer of personal data between the UK and EU can be achieved.
The Government is advising that for the majority of organisations the most relevant legal basis for such transfers would be Standard Contractual Clauses (SCCs). These EC-approved data protection clauses, often known as model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract, which may need to be reviewed on this point to avoid ambiguity. They cover the contractual obligations between both parties to protect the rights of the individuals whose data is being transferred. So model clauses are the way to go.
UK entities that are part of multinationals will be affected just as much as purely UK-only organisations where personal data is transferred into the UK from the EU. However, multinationals that already have approved Binding Corporate Rules (BCRs) may not be affected, as a BCR is more focused on the group approach to management of personal data, including data transfers. Some multinationals have also set up a framework agreement incorporating EU Standard Contractual Clauses, and such an agreement may well survive Brexit, as the UK company described as a data exporter simply switches to a data importer. This, however, would not be the case where the UK entity signed as an exporter on individual contracts based on the standard contractual clauses.
Anything More to Note?
Organisations based outside the EU which offer goods and services to EU citizens, or monitor the behaviour of EU citizens, fall under the scope of GDPR Article 27, which includes the requirement for such organisations to nominate a representative in one of the EU member states. So, after Brexit, when the UK is outside the EU, this article will bring many UK organisations within its scope.
Also, worth considering is whether your organisation is currently relying on the EU-US Privacy Shield. If so this will need revisiting, as upon Brexit the UK will not be part of this arrangement.
In this period of uncertainty, it would appear prudent to start preparing for what may come – i.e. abide by existing legislation but anticipate possible changes and scrutiny to businesses processes impacted by cross-EU data-sharing. One would need a crystal ball to predict the outcome of any Brexit deal (at the time of writing only six months away), but it is entirely possible a period of ambiguity might result as political manoeuvrings are completed.
As ever, businesses which act in good faith, recording and justifying any changes to business processes and decisions, will be less vulnerable than those which do not. Keep Calm and Prepare.
Transatlantic commerce is invaluable to companies in the US and EU. The sale of goods and services is made easier for both sides by following consistent operating standards for data protection. In some ways the US is already moving towards tougher privacy laws with the introduction of the California Consumer Privacy Act of 2018, followed by recent calls from the CEO of Facebook for the US and countries around the world to adopt privacy regulations built on the GDPR. Focusing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog post we consider the geographic scope of GDPR and the core business functions it impacts upon.
The implementation of the GDPR, which came into effect on 25th May 2018, required comprehensive changes to business practices for many companies that did not already have a comparable level of data protection in place. Company departments from Finance to HR, Marketing, Sales and Customer Support were all affected by the required changes. Companies working with partners also had to ensure that these entities were GDPR-compliant; typically the data controller signs a data processing agreement with its data processors to document responsibilities and ensure processors act on the controller’s instructions.
When does the GDPR apply to US companies?
According to Article 3 of the GDPR, your company is subject to the requirements of the GDPR if it is based outside the EU but collects (i) personal data of individuals located in the EU for the purpose of offering goods or services, regardless of whether a payment by the individual is required (i.e. marketing); or (ii) behavioural information, as far as the behaviour takes place within the EU.
Conversely, the GDPR will not apply to the processing of data relating to individuals located outside the EU when the data is collected. US companies with an online presence should therefore be particularly mindful of the GDPR.
There are three categories of individuals who you should bear in mind:
Marketing to potential customers in the EU
The GDPR differentiates between targeted and general marketing. Put simply, the GDPR only applies to targeted marketing i.e. material that is clearly aimed at a particular market. Key indicators of targeted marketing include using a local website suffix (such as “.co.uk”) and listing prices in the local currency.
The mere accessibility of a company’s website or contact details to customers in the EU is more general in scope and would not be classed as targeted.
Pertinent to marketing is the GDPR principle of lawfulness, fairness and transparency. This means that you must be clear, open and honest with people from the outset as to how their personal data will be used.
In particular, customer consent must be freely given, specific, informed and unambiguous when signing up for marketing materials.
It is not acceptable to use pre-ticked check boxes or bulk consent to multiple processing activities with information for customers spread across numerous legalistic documents. A record must also be kept for each individual, including when the consent was provided and what was consented to.
Audit Your Data
Auditing the data your company holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include:
Where is your data stored?
Why are certain kinds of personal data being processed?
What is the legal basis for processing?
How long is it retained?
Who currently has access to personal data, and who should have access to it moving forward?
Are the appropriate technical and organisational controls in place?
How much duplication of customer personal data exists across multiple sites?
All these areas need to be addressed before you can decide on the best course of action for your business. This first step, creating a holistic view of where all the different types of your customer data are residing, is a critical one. If you don’t know what personal data you hold, you can’t make any plan around that data. The GDPR 24/7 platform documents and creates a visual map of where your data is, how it flows and under what lawful basis it is processed. Pricing starts from £49 per month for professionals, rising to £149 per month for Business Plus for organisations of up to 250 employees. Organisations over 250 employees: POA.
DPIAs, or Data Protection Impact Assessments, may need to be carried out by companies before any new processing starts that presents a risk to data subjects, to ensure data protection by default and by design (a key GDPR concept) is in place. Most European data commissioners give guidance on their websites about DPIAs and when they should be carried out.
Audit Your Service Providers
The task of auditing your service providers’ compliance is where a lot of US companies may fall flat, and may be where the most significant risk in your business resides. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements. The data controller is obliged to sign contracts under the GDPR, and the data processor can only act on the controller’s instructions.
If one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US companies, then the work they do related to the personal data of your data subjects in the EU could be deemed non-compliant and put the controller at risk.
The Right to be Forgotten and Data Subject Rights
Data subjects could include employees, candidates, customers or even potential customers if your business collects prospective leads. Under new GDPR regulations data subjects have the following rights:
The right to be informed;
The right of access;
The right to rectification;
The right to erasure (the right to be forgotten);
The right to restrict processing;
The right to data portability;
The right to object;
Rights in relation to automated decision making and profiling.
Under data protection law, anyone can ask if your organisation holds personal information about them; you must respond to their request as soon as possible, and within one month at most. In most cases the personal data must be provided free of charge. Relentless GDPR 24/7 automates the management of DSAR (data subject access request) handling so you never miss the deadline to reply.
Controllers and Processors
You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of how customer data is to be processed. Both Controllers and Processors have different implications concerning how they comply with the GDPR for US companies, and your company could be both a data controller and data processor at the same time.
To complicate matters even further, a data controller can have multiple data processors, and each processor in turn multiple sub-processors. Under the new Regulation, the data controller is liable for the actions of the data processors that it works with. It is essential that US companies carefully select their data processors where the data of data subjects in the EU is being processed, and sign data processing agreements with them. A data processing agreement should govern the relationship between a controller and a processor and, in turn, between the processor and its sub-processors. The agreement should include all aspects of data protection governance; Articles 28 and 82 of the GDPR detail what these agreements or contracts should cover.
GDPR Penalties and Fines
Officials realise that enforcing GDPR is essential for consumer protection. Forty-one companies have received fines in Germany for GDPR-related offences. The highest fine, $80,000, penalised an organisation for failing to protect health information from public disclosure.
Business reputation is the perception among stakeholders of the company’s past and future ability to deploy its strategy to meet their expectations. Managing and forging this internal and external trust enhances the perceived quality of services, attracts talented leaders and business partners, improves performance, allows access to capital, creates differentiation, delivers sustained earnings and increases market value. Reputation is the final consequence of how far ethical values have permeated the corporate culture and become visible to stakeholders. Corporate values need to be more than self-proclaimed if they are to improve the image perceived by stakeholders.
A leading topic at nearly every risk management conference is how to value reputational impact. Reputation is so intangible, qualitative and unique that it is hard to value its depreciation as an asset. However, boards and risk owners need a quantitative measure in order to manage it, so it is essential to quantify reputational risk in terms of its likelihood and financial impact.
The economic implications of reputation are usually quantified using:
Return on investment of communication program
Customer acquisition and retention rates
Employee hiring and retention rates
Compliance and regulatory investigation costs
Lawsuits and litigation costs
Business opportunities in mergers, acquisitions and partnerships
Data Protection Officer
Many organisations, particularly smaller ones, may find that the DPO’s responsibilities are a challenge to deliver, given the breadth of knowledge required of data processing and data security operations. The GDPR allows organisations to outsource the DPO role to an external provider.
Outsourcing DPO tasks and duties to a managed service provider means you get access to expert advice and guidance that helps you address the GDPR’s compliance demands while staying focused on your business activities. Benefits of outsourcing the role include:
A practical and cost-effective solution to achieve GDPR compliance;
Access to independent DPO expertise not available internally;
No conflict of interest between the DPO and other business activities;
Application of best practice in achieving and maintaining GDPR compliance;
Cost-effective compared to an internal appointment; and
Access to GDPR training and compliance solutions.
Data Breach Notification
If a data breach does occur, your company must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.
Each EU member state has its own data protection authority that is responsible for implementing the GDPR rules. If the data breach poses a high privacy risk, that is, a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your company.
Prepare for Data Breaches
Recent high-profile data breaches demonstrate how critical it is to be ready to handle a breach. Advance planning will ensure you have a clear strategy focused on protecting and informing your customers. A detailed plan could minimise damage to your organisation’s reputation.
The EU General Data Protection Regulation (GDPR) imposes a data breach regime on all data controllers and processors handling personal data. This requires organisations to ensure data is adequately protected against loss, theft, unauthorised access etc. Data processors are obliged to report personal data breaches to controllers, and in turn controllers need to be prepared to comply with the personal data breach notification rules.
Record of Processing Legal Basis and Consent
Each controller has the responsibility to maintain records of all the processing activities which take place within the organisation. These records (which need to be in writing, as well as in electronic form) must contain all of the following information:
the name and contact details of the controller and, where applicable, the data protection officer;
the purposes of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
the transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards;
the envisaged time limits for erasure of the different categories of data; and
a general description of the applied technical and organisational security measures.
Train Your Employees
Not only does training staff reduce the risk of breaches, it also demonstrates compliance with GDPR. For example, if an organisation were to experience a data breach and had documented its staff training, this could be used as evidence that it had taken appropriate steps to prevent a data breach and was taking the regulation seriously.
Of course, not all staff members are required to have the detailed knowledge of the full legislation that a compliance officer would, but a good start is to ensure all staff are aware of GDPR and the issues of data protection. Article 39 of the GDPR states that staff awareness raising and training is required.
Data Retention Policy
GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
Therefore, in deciding how long to retain personal data, employers will base their decision on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles.
The GDPR brings a requirement for extra accountability, so the organisation or company must be able to demonstrate its compliance.
GDPR for US Companies: Ongoing Compliance
GDPR compliance isn’t a one-off; it has to be maintained.
If your business was one of those that took appropriate steps to comply with the rules of the GDPR before 25 May, you might believe that you can relax and put the rules to the back of your mind. But compliance is not a one-time exercise, and if you want to stay within the law your company needs to constantly reassess its security procedures and practices.
Additionally, some businesses make the mistake of believing that Brexit will affect the GDPR – perhaps that the legislation will cease to be the law after the UK leaves the European Union. Brexit is no reason to assume that these new rules will cease to apply, however.
Firstly, the UK is not scheduled to withdraw from the EU until October 31 2019, so GDPR compliance will be required up until this date anyway. Furthermore, the UK has passed GDPR into UK law as the Data Protection Act 2018, which will continue to maintain and enforce GDPR standards after Brexit occurs.
If you are a US company that directly processes the personal data of EU customers, you are considered a data controller under GDPR. But what if you are an American B2B company that handles that data on behalf of an EU business? That makes you a data processor rather than a controller. You will have fewer legal duties than the controller, but must still comply with GDPR by law.
What if your EU client abruptly asks for proof of your GDPR compliance? You will need to be ready or risk losing business.
US companies have no GDPR equivalent at a federal level, but must observe EU law if they process EU personal data. Doing so avoids fines and prepares you for the US federal laws that will surely arrive soon. The world is waking up to data protection. What can a US data processor do to protect itself against GDPR breaches?
Few tasks are more important to GDPR compliance than identifying where you store all your data. A major risk of non-compliance occurs when companies lose control of their data and lose sight of exactly where it resides. You need data mapping to combat “data sprawl”. As a US company, you must know what EU data you process and all the places you store it. The worst thing any company can do is bury its head in the sand over this.
Do You Share EU Data with Another US Company?
Under GDPR, a processor that handles data for another processor is a “sub-processor”. In this blog post, this refers to a US company that processes EU data on behalf of another US company, which in turn, processes data for an EU controller.
In such situations, the sub-processor must also be GDPR-compliant. A key principle of GDPR is the complete lack of loopholes: every party carries legal responsibility. A contract should exist between processors and sub-processors that mirrors the responsibilities between controller and processor.
Can You Quickly Isolate Personal Data?
Another vital part of GDPR compliance is the ability to quickly access and isolate data. Data subjects have various access rights, including the right of erasure (aka “the right to be forgotten”). In that instance, your company needs to be able to efficiently locate all data held on the subject and cut it clean from the records. If you are a small to mid-sized company—bearing in mind that GDPR applies to all business sizes—GDPR compliance software can help you with this, as well as with data mapping.
Appointing an EU Representative
A US company without any physical presence in the EU (including legal entities and subsidiaries), needs an EU representative under Article 27 of the GDPR. This is not the same role as a DPO (data protection officer). The latter focuses on internal compliance, whereas an EU representative acts as an intermediary between a non-EU company and EU data authorities.
An EU representative has to be based in the European Union for ease of communication. One possible answer is to assign an EU rep through GDPR consultants Relentless Privacy and Compliance Services. An alternative solution for companies with the resources is to set up a subsidiary in the EU, which would avoid the need for an EU representative.
Think About Joining the EU-US Privacy Shield
Introduced in 2016, the EU-US Privacy Shield is an optional framework for the transfer of personal data between the EU and the US. While the Privacy Shield is less severe than GDPR, it is subject to yearly revision and provides a useful road-map towards compliance.
Act Quickly on Data Breaches
Data controllers must inform authorities as soon as they find a data breach. A B2B US data processor has the same obligation to its EU controller under GDPR. Data breach management is an important part of any GDPR solution and is a feature of Relentless GDPR 24/7 compliance software. This responsibility to report must be contractually agreed between companies sharing data.
Contracts Between Controllers and Processors
A written contract must exist under GDPR between controllers and processors. The same is true between processors and sub-processors. Processors cannot act without the approval of the controller. For example, they can only engage a sub-processor with the controller’s consent.
Get Ready to Prove Yourself
Under GDPR, EU companies must be able to prove compliance. There must at least be a clear path towards it to avoid fines after a breach. Whether regulators act or how harsh they are depends on the company’s resources and the extent of its offence. Thus, violations by Google resulted in a €50 million fine.
A US company processing EU data becomes liable for GDPR compliance. It’s like the domino effect. Can you show compliance to EU clients and prove you aren’t a chink in their GDPR armour? You must have the necessary system and security in place alongside trained staff that are familiar with GDPR needs. Your employees should sign confidentiality agreements that highlight their obligations.
Now’s the Time
Studies show that US companies have been slower to comply with GDPR than their European counterparts. Distance alone makes that no surprise. And yet it’s vital for US businesses that process EU data to quickly get on board with GDPR. This not only preserves their existing business, but readies them for the federal laws likely to come. That’s not to mention more demanding state laws, such as those on the horizon in California.
If you are a US data processor that is yet to catch up to GDPR, get started now!
How the California Consumer Privacy Act Affects Your Business: Everything You Need to Know
Did you know that the new California privacy law could have an impact on your business, even if you’re not based in the Golden State? Discover what the CCPA means for you, and for the future of data protection regulations around the world.
The arrival of the General Data Protection Regulation back in May 2018 served as a wake-up call for the rest of the world. No longer could businesses afford to be lackadaisical about consumer privacy or how they manage their data. With widespread implications not only for organisations within the European Union but for those based internationally as well, GDPR prompted lawmakers across the globe not only to take note but to take action. One of the first to do just that was the US state of California which, mere weeks after GDPR came into effect, signed into law its own updated data protection rules, known as the California Consumer Privacy Act (CCPA) of 2018. So far, so interesting, but what does any of this have to do with you? After all, your business isn’t based in California; it’s based in another US state entirely, or even in a completely different country.
Does that mean the California Consumer Privacy Act of 2018 doesn’t affect you?
Is it time to stop reading this article and go about your day?
Not exactly. Here’s the truth:
The Consumer Privacy Act Could Impact Your Business
How will the new Consumer Privacy Act affect your business?
At Relentless, we specialise in helping businesses manage their data protection and enjoy frictionless compliance with current legislation in a way that helps them to grow in today’s privacy-savvy culture.
Today, we’ll talk about why the new California legislation could impact your business wherever you are in the world, and offer our expert insights on what you might need to do to ensure long-term compliance.
However, before we get to that, let’s first answer the one question that’s most on your mind:
What is the California Consumer Privacy Act 2018?
Signed into law on June 28th, 2018, the CCPA takes its cues directly from GDPR, giving Californians many of the same rights as those laid out in the EU-wide directive. Putting the new bill together, lawmakers wrote:
“California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information”.
“It is possible for businesses both to respect consumers’ privacy and provide a high-level transparency to their business practices.”
To ensure that businesses are both transparent and respectful when it comes to consumer privacy, the new act gives those consumers the right to request that a business discloses the following key details:
“The categories and specific types of personally identifiable information that it has collected about them.
The types of sources it has used to collect that information.
The reasons why it has collected that information, whether that’s to use it for business purposes or sell it on to a third party.
The categories of third parties that the information will be shared with.”
What else does the CCPA say?
Along with making it a requirement to meet those data requests at no cost to the individual, the new law gives businesses several other obligations. These include:
Informing people about the categories of personally identifiable information being collected, and the purposes for which the information will be used, before that data is collected or, at the very least, at the point of collection.
Providing the same levels of service and pricing to individuals who exercise their privacy rights.
Not selling on personal information if an individual has said no to this.
Does CCPA Apply to My Business?
Contrary to what some believe, the California Consumer Privacy Act doesn’t just apply to those businesses based within California. Rather, any business with customers in California can be affected if that business meets any of the following three criteria:
The business has annual gross revenues which total at least £25 million
For commercial purposes, the business either buys, receives, sells or shares the personal information of at least 50,000 consumers, households or devices.
The business generates at least 50% of its annual revenues from selling the personal information of consumers.
This includes those businesses who are based in other US states, or even in other countries.
The immediate and long-term impact of CCPA
So, with all that being said, how exactly does CCPA affect your business? The most obvious answer is this:
If your business meets any of the above criteria, then you’ll need to be sure you’re fully prepared and fully equipped to deal with the deluge of data requests likely to come your way.
Most experts predict that Californians are going to be quick off the mark when it comes to exercising their new privacy rights. Requests are likely to come in two forms:
Those from citizens who want to know what types of data you hold on them.
Those from citizens who want to exercise what is often known as “the right to be forgotten” and have the data you hold about them deleted.
So if you don’t yet have a system in place to respond to those requests, now is the time to start putting one in place. Before you start panicking, however, here’s the good news.
CCPA doesn’t come into effect until January 1st, 2020.
At the time of writing, that gives affected businesses a little over 8 months to get ready. But what about those businesses not immediately impacted by CCPA? What happens if you don’t have customers in California?
Does that mean you can forget all about data protection and carry on as normal? Not quite.
Here’s the thing:
The California Consumer Privacy Act of 2018 is only the beginning of a widespread shift in privacy culture. Yes, California may be the first US state to adopt a GDPR-like approach to consumer privacy, but it certainly won’t be the last. Georgia has already started working on new privacy laws, and many other US states are expected to follow suit.
In other words, by the first half of the next decade, we should well expect to see GDPR-style regulations become the norm across the United States as well as other non-US and non-EU countries.
So, even if you’re not immediately impacted by CCPA, you’ll still find it beneficial to make changes now and avoid getting caught out when new laws do start to affect you.
How GDPR Compliance Can Help You Prepare for CCPA
Of course, all this begs one very important question: What does your business have to do to get ready for the arrival of CCPA or other privacy regulations that could be implemented in the coming years?
In many cases, the changes you need to make to your systems, processes, or culture as a whole may be minimal, especially if you’ve already taken the necessary steps to ensure you’re fully compliant with the General Data Protection Regulation. Remember, CCPA is directly influenced by GDPR, just as most new privacy laws are expected to be in the future. So, if you’ve taken the necessary steps as outlined in our GDPR compliance assessment, you may well find that you’re already well on your way to CCPA compliance.
If not, don’t worry: Help is at hand.
At Relentless Privacy & Compliance we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws.
From training and consultancy that empowers your employees with the skills and know-how they need to protect your customers’ private information to hands-on support with developing the kind of secure, effective data protection processes that enable your business to thrive in the digital economy, we offer bespoke services tailored to help you achieve your long-term goals.
See our comprehensive CCPA Service to find out how we can help you prepare for and achieve CCPA compliance.