
Blog

  • Regulations

Step One for Subject Rights Requests: Verification and Authentication

Sara is the Data Privacy Officer (DPO) at a large retail company. She’s the first to admit she’s still figuring out the implications of the California Consumer Privacy Act (CCPA). And the clock is ticking.

CCPA gives consumers rights to access, delete, correct and move the data that Sara’s company collects about them. CCPA is the first major U.S. state law designed to increase transparency about how companies collect, process, share and sell personal information.

When the European Union General Data Protection Regulation (GDPR) required that companies handling consumer information employ a DPO, Sara was tapped by her company’s CISO to take on that role. She got her feet wet in data privacy management with GDPR and handles Data Subject Access Requests (DSARs) through manual processes, relying on email questionnaires and Excel spreadsheets. The real floodgates will open in January 2020, when Sara expects to receive thousands of Subject Rights Requests (SRRs) from California consumers asking to access, delete, correct or move the data that the company has collected about them.

Let’s take a closer look at what Sara is dealing with.

To Process Requests, Sara Must First Verify and Authenticate Them

Sara needs to ensure that SRRs her company receives are legitimate and coming from the appropriate person – in other words, confirming that they are who they say they are.

  • Verification: making sure any asset a user provides, such as a document or email address, is legitimate
  • Authentication: making sure that asset is tied specifically to that individual

When her company receives a consumer’s SRR, how does Sara know that the request is really coming from that person?

  • Best-case scenario: the consumer already has an online account with the company and Sara can verify their identity using their existing login information.
  • Worst-case scenario: the person isn’t even a customer. Sara needs more information about the person to fulfill the SRR. But the law says she can’t collect more information than she already has. Policymakers want to ensure that a company can’t benefit from the consumer’s SRR. If your company has zero information on that person, you’re in a catch-22 situation.

Between the best-case scenario – the requestor is a customer who has an online account – and the worst-case scenario – they aren’t a customer and you can’t identify them – is another huge abyss of murky SRRs: consumers may not be making the requests themselves.

Sara is thinking:

  • How do I know the requestor is really the parent of a minor child as they claim?
  • What if this is an estranged spouse trying to track down their partner?
  • Is this a watchdog group checking to see how I respond to SRRs?
  • Am I going to expose information to a hacker?

A large-scale cyber attack could involve thousands of SRRs inundating your system with fraudulent assets in an attempt to steal consumers’ personal data. Or it could be one individual waging a personal vendetta against a family member or (former) friend.

The complexity of verifying and authenticating SRRs is a looming headache for businesses like Sara’s. Simply operationalizing a process involving such a large amount of data is daunting. Many businesses aren’t prepared to scale their data privacy management for CCPA, nor are they prepared to achieve the high level of collaboration and transparency required across different functions for prompt response to SRRs.

And Then There’s the Risk of Violations and Lawsuits.

What happens if you don’t respond to an SRR? Maybe you don’t have the processes in place yet, or maybe you just choose to ignore the SRRs. If you’re found in violation of CCPA, your company will be subject to fines. Under CCPA, fines are enforced by the Attorney General and can reach up to $7,500 per violation in the case of intentional violations. Non-intentional violations are subject to a maximum fine of $2,500 per violation.

The fines are harsh, but probably won’t put your company out of business. A data breach, on the other hand, could have a much larger impact. A data breach occurs when your company gives data to the wrong person, regardless of whether it was intentional or accidental. Breach investigations can uncover various types of data misuse – a red flag for regulators and fodder for class action lawsuits. This type of liability can be much more costly than fines.

The good intentions of the CCPA open up a can of privacy worms, especially for B2C companies like Sara’s.

What’s Sara to do?

Take Action Now

A third party can provide a “Goldilocks” solution to remove the burden of verification and authentication. As a third-party provider, WireWheel helps verify that an email, driver’s license, or other asset a consumer provides as proof of identity is legitimate, as well as authenticate that it’s connected to a specific individual. An additional option for an electronic sworn affidavit allows a user to certify their identity, giving you a legal document to support your SRR activity. Our encrypted environment secures the data, and we never use data for any purpose other than verification and authentication of your company’s SRRs.

By solving the twin challenges of verification and authentication, WireWheel can lift a monumental worry from the shoulders of B2C companies. In our upcoming blogs we will explore how WireWheel’s data privacy management platform also helps you assign tasks, query data stores, and identify specific consumer data to respond to SRRs.

If you’d like to learn more about CCPA and SRRs, check out the eBook, 5 Keys to Managing Subject Rights Requests.

  • Regulations

You Don’t Have to Boil the Ocean to Achieve Privacy Compliance

When GDPR mandated Privacy Impact Assessments (PIA), lawmakers had the best of intentions. They wanted companies to understand how personal data is used in their business process. And, they wanted to see demonstrable proof – a tangible output – of privacy practices. Admirable in theory. But unworkable in practice.

GDPR’s PIA Focus Asked You to “Boil the Ocean”

Without clear definitions of “business processes” the scope of GDPR’s PIA challenge was beyond belief for many companies. To meet the requirement, they struggled to identify every system in their organization that contained personal data, including their enterprise tech stack and shadow IT.

Then, they set out to create a PIA for each one. Microsoft created 41,000 PIAs. Even a mid-sized company drowned in paperwork.

When everything is equal, you have to find everything. Everyone has a different opinion of where to start and there’s no end in sight.

CCPA’s Customer-First Approach Drives Prioritization

Now that companies are turning attention to the requirements of CCPA, the conversation has changed. We’ve seen a fundamental difference in the way they approach privacy management.

CCPA has no PIA requirement. There’s no need to create thousands of documents detailing every system and process across your organization.

Instead, CCPA’s primary focus is Subject Rights Requests (SRRs): the right of a customer to request, change, or remove their personal information from your data stores. This approach puts the priority for managing personal data where it should be: creating trust with your customers.

Working backwards from the goal of processing a timely, accurate and clear SRR, you can focus on tech systems that directly impact customer data and communications:

  • CRM systems like Salesforce
  • Marketing and advertising systems
  • Product usage data
  • Technical support systems
  • Billing systems
  • ERP systems
  • Customer communities
  • Systems that provide customer data to you
  • Third parties that process downstream data you provide

Once you’ve identified and categorized customer data throughout your data supply chain, you can ensure you have the capabilities to confirm and fulfill a customer’s data access request securely.

Our customers are saving thousands of hours of spinning their wheels by prioritizing this way. They also reduce their risk more quickly by making sure they’re prepared for an influx of SRRs in 2020.

By the way, this customer-first approach isn’t limited to those preparing for CCPA. Companies collecting and processing European residents’ data are also using this method to knock out 70-80% of the work they’d need to do to produce GDPR’s PIAs. After starting with systems that touch customers, they can then move on to systems that process employee and operational data.

Learn More about WireWheel’s SRR Solution

You don’t need to boil the ocean to manage data privacy. Let’s talk about how you can achieve compliance, reduce risk, and build customer trust with WireWheel’s prioritized approach.

  • Regulations

Rising to the Challenge of Subject Rights Requests

Data privacy laws give people rights to access, delete, correct and move the data businesses collect about them. Consumers assert their own privacy rights by submitting a data subject access request (DSAR) directly to the organization that collected or processed their data. Businesses are required to follow the DSAR procedure, promptly addressing these data requests without placing an undue burden on consumers.

What they don’t say is exactly how businesses should go about managing consumer data requests efficiently and accurately. In fact, in our recent roundtable privacy expert Dan Solove said that lack of clarity on this issue is one of the major stumbling blocks in operationalizing CCPA.

Need help with CCPA or GDPR DSAR? WireWheel SRR Software can help!

In this post we’ll outline the challenges businesses face handling data requests and detail a five-step process to manage them at scale to get closer to DSAR compliance. This is the first in a series of posts about this complex and important issue, so stay tuned!

First, some definitions.

What Makes DSAR, VCR, SRR and the Other Data Request Acronyms So Confusing?

Data privacy terminology can be riddled with jargon and swimming in acronym soup. Take Data Subject Access Request (DSAR), Verifiable Consumer Request (VCR) and Subject Rights Requests (SRR). Are they the same, or just similar?

DSAR, VCR, SRR and other acronyms we’re going to talk about are related to the same thing: managing requests regarding consumer data. Some terms you’ll hear with respect to the request process are tied to specific privacy regulations and indicate different requirements. For example, GDPR uses the term Data Subject Access Requests (DSAR), as in GDPR-speak, a “data subject” is any person whose personal data is being collected, held or processed and that includes your employees. CCPA, on the other hand, uses the term Verifiable Consumer Request (VCR) and doesn’t include employees. You may also hear the terms Subject Access Request (SAR) or Individual Rights Request (IRR).

We prefer the term Subject Rights Request (SRR) because it covers all scenarios above, regardless of specific regulatory requirements. Subject Rights Request is the term we use within WireWheel because our data privacy platform allows you to address requests whether you’re working to comply with GDPR, CCPA or any other privacy law that evolves.

Whatever you want to call them, these data requests present a major challenge for many businesses in their quest to become DSAR compliant.

The More Consumer Data You Collect, the Greater the Challenge

Your level of effort and exposure to risk related to Subject Rights Requests depends on the type of business you run. B2B companies receive very few Subject Rights Requests. If you’re in a commercial relationship with B2B customers, you likely have a Master Services Agreement in place that covers data privacy requirements and allows them to access or remove their data whenever they want. To satisfy regulators, you simply need to show you have a basic, accessible SRR process set up.

For B2C companies, however, the scope of Subject Rights Requests and the associated risk are sky high.

WireWheel’s consumer-focused customers are currently receiving tens of thousands of SRRs each year and anticipate receiving millions as more regulations take hold and awareness increases for DSAR policies.

With the power of modern marketing technology, B2C companies are tracking tons of data about known customers, prospective customers AND unknown users. Data stores are a mix of first-party data from different business units and acquired companies, as well as behavioral insights, purchased data, and other third-party data that could fall under the requirements for SRRs.

For a B2C company, handling Subject Rights Requests can become very costly. Your privacy and IT teams spend valuable resources fulfilling data requests instead of focusing on priority projects. Your company can be penalized by regulatory bodies if you can’t demonstrate a well-executed SRR process. In the worst-case scenario, mistakes in the SRR process – even unintentional ones – can cause a data breach, which will exponentially increase your liability.

How Can You Operationalize Subject Rights Requests?

The more efficiently you manage Subject Rights Requests, the better the privacy experience will be for your customers, the easier the effort will be for your internal team, and the more likely you are to meet expectations of auditors and regulators who are checking for DSAR compliance.

Before you can optimize an SRR process, you must first allow people to register a Subject Rights Request. You can offer this option on an external-facing privacy page to show customers and regulators that you’re doing the right thing with data. Your privacy page can also be turned into a portal to enable two-way communication with customers.

Let’s walk through the steps you need to take to build an efficient, compliant SRR.

Step 1. Verify and Authenticate

If you receive a request for information regarding a person’s data, you need to be sure the person asking for it is who they say they are. If your customers already have password-protected accounts, you can require them to log in to your privacy portal so you can confidently match the person making the request to a specific individual.

But, if a Subject Rights Request comes from an unknown user, the situation is not so simple. To make this step even more challenging, you aren’t allowed to ask the consumer for any more personal information than what you’ve already got. This is where a third party can provide verification and authentication to remove the burden.

Step 2. Set up Ticketing to Process Requests

Managing a large volume of Subject Rights Requests is a team sport. You’ll need to assign requests, or parts of requests, to different people and keep track of each task as the request progresses through your workflow.

Step 3. Collect Data to Address Requests

To identify customer data related to a request, your systems and team members need to look into multiple data stores – customer databases, marketing databases, product databases, etc. The faster you can query your data stores automatically, the easier the SRR process will be.

When you get a deletion request, you should make every effort to remove that individual’s data from all the places where it’s being stored and processed. Make sure you have a way to prevent the reappearance of data about an individual who is opting out of your service.

Step 4. Deliver Information Securely to Customers

The way you provide information in response to requests is another part of the SRR process you must handle with care to avoid a data breach. Only the sender of a request should be able to receive the data in return. Passing information via email may expose you to a data breach, which, as we’ve discussed, dramatically increases your liability. Therefore, you should make sure that consumer information is sent securely, encrypted at rest and in-transit, all the way from request to delivery.

Step 5. Document Your Process for Tracking, Reviewing and Approving Requests

You can demonstrate compliance with privacy laws by recording all communications, reviews, and approvals that are part of your SRR process. Maintain complete audit trails of all the requests you receive and actions you take so that when an auditor asks, you have them at the ready.

How WireWheel Can Help

WireWheel’s consumer-facing DSAR portal gives you the capability to receive Subject Rights Requests, whether requesters are known customers or unknown individuals. Our data privacy management platform helps you assign tasks, query data stores, and identify specific consumer data to respond to SRRs and stay within DSAR compliance.

Most importantly, WireWheel solves the twin challenges of verification and authentication in the DSAR process. As a third-party provider, WireWheel helps you verify that an email, driver’s license, or other asset a consumer provides as proof of identity is legitimate as well as authenticate that it’s connected to a specific individual. An additional option for an electronic sworn affidavit allows a user to certify their identity, giving you a legal document to support your SRR activity. Our encrypted environment secures the data and we never use data for any purpose other than verification and authentication of your company’s SRRs.

We’d love to show you how WireWheel enables Subject Rights Requests. Get in touch for a personalized demonstration of our DSAR software.

  • Analyst
  • Company

Gartner Says We Are a Cool Vendor in Privacy Management!

We claim to be a lot of things, but we would never claim to be cool. Like all truly cool things, that should be left to the rest of the world to judge… and they just did. Gartner just named WireWheel a Cool Vendor in their April 2019 Cool Vendors in Privacy Management report! And, while it may not recognize us as being cool in the ‘hip and trendy’ sense of the word, Gartner thinks the vendors in this report are cool because of their innovative approach “to boost privacy management program maturity, enhance insights into data-processing activities and detail regulatory compliance, and streamline personal data usage by parameterization of ‘what is allowed’”. Coming on the back of WireWheel’s nomination as a top ten finalist at this year’s RSA Innovation Sandbox Awards, we couldn’t be more proud.

I want to highlight and comment on a few things that Gartner raises in the report about the privacy management space in general:

Gartner Prediction:

“By 2021, more than 60% of large organizations will have a privacy management program fully integrated into the business.”

This is reassuring to see; we didn’t know the actual number, but this aligns with what we are seeing in the market – more and more companies treating privacy as a first-class citizen. Not just as a stand-alone compliance function, but as a way of orchestrating the activities of the entire organization around ‘doing the right thing’ with personal data. To do that, it must be integrated across the business.

Gartner Observation:

“By treating privacy as more than a compliance issue, maturing organizations are able to position and use privacy as a business opportunity.”

We couldn’t agree more. There is a growing population of consumers and employees who only want to do business with companies they trust. That makes privacy management a strategic and competitive differentiator, not just a risk mitigation tool. Many of our customers have growing Data Ethics teams, not just compliance functions – data ethics raises privacy management to a higher level of ‘doing the right thing’, not just doing what the law(s) say(s).

Gartner Recommendation:

“Increase customer trust by creating a smooth and direct privacy user experience by prioritizing automation and self-service capabilities over manual processes and reducing manual workforce pressure.”

Yes, yes and yes! We are investing heavily in not just allowing our customers to understand, improve and communicate their privacy policies better, but to actively engage their customers and employees in intuitive processes that automate the communication of what their own data is being used for and automate the execution of their preferences and consents i.e. what should be done with that data.

WireWheel was described as being a ‘Privacy API’ for the organization, allowing data to be surfaced from disparate systems, processes and functions into a common privacy context. This allows us to engage with CISOs who have an active role to play in ensuring underlying systems are handling personal data correctly, in addition to the privacy office that is managing the core programs.

All of that being said, we all agree that there are challenges ahead in this market. This is something that we at WireWheel never shy away from. For those of you who have been in sales meetings with the team, you will always hear us say that “we haven’t figured it all out yet”. Our philosophy is one of partnering and rapid evolution, so that we get it right for our customers and we evolve as the market, best practice and regulations mature.


Disclaimer

Gartner, Cool Vendors in Privacy Management, Bart Willemsen et al., April 19, 2019

Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  • CCPA & CPRA
  • Regulations
  • Uncategorized

Am I My Device? According to CCPA, Yes

When the alarm wakes me up, I reach for my mobile phone and check email. Next, I strap on my smartwatch. Over breakfast, I read the news on my tablet while Alexa plays some tunes. I join a conference call while driving to work and spend much of the day on my laptop. When I return home, the thermostat adjusts to my presence while I check out what my FireTV recorded.

Sound familiar? Almost 20% of Americans are just as hyperconnected, meaning they live in a household with 10 or more connected devices. The median household contains five, according to the Pew Research Center. In each one, multiple computers, shared media, work devices, and personal devices are constantly collecting and aggregating data.

How Will CCPA Treat Data Collected by Devices?

Understanding the nexus of individuals and the various devices they use will be key to preparing to meet the operational requirements of the new California Consumer Privacy Act (CCPA). As the Internet of Things (IoT) brings more connected devices into our lives, more personal data will be collected and aggregated.

CCPA is designed to increase transparency about how companies collect, process, share and sell personal information. Under CCPA, “personal information” is defined to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Let’s Unpack that Wording to Explore How CCPA Takes Devices into Account.

Each phrase within the definition above sparks questions the California Attorney General will need to address in order to determine if companies adhere to the letter – and the spirit – of the law.

  • The inclusion of “household” data stretches the concept of personal information and requires clarification. Sure, my personal phone and smartwatch are tied to me. But, streaming and shopping services could be related to a household. And, what about a work-issued cell phone that may be used on a temporary basis? In their inventory and classification schema, companies will need to consider how data may be tied to an individual, device and/or household.
  • “Relates to” is potentially all-encompassing. Companies may need to widen the net to collect more information in their data inventory. Personal information may include not only “objective” information (e.g. social security numbers, credit scores, the presence of a certain substance in one’s blood) but also “subjective” information (e.g. opinions, assessments, preferences indicated by online behavior). CCPA includes “audio, electronic, visual, thermal, olfactory, or similar information” under the definition of personal information, which directly impacts a number of IoT devices.
  • “Technical identifiers,” which include things like connected devices, IP addresses, and network activity, are recognized as potentially PI and need to be classified in a company’s data inventory.
  • “Inferred data” can become PI when linked or aggregated with other data. Using the online advertising ecosystem as an example, CCPA obligations apply to much of the information collected and used by marketing automation systems, website publishers, ad buying and selling platforms, and other technologies which businesses in the online ecosystem use to target customers.
  • All sorts of information is “capable of being associated with” an individual. Even if a business is currently not aggregating data, it may in the future. Companies will need to decide how they will inventory and disclose information that may require analysis (e.g. data about the functioning of a device where human intervention is required). The key unanswered question is what kind of diligence will be expected for a company to identify, classify and analyze data for its intended – or potential – purpose.

A “Living” Law Built to Evolve as Technologies Change

In our recent CCPA roundtable discussion, data privacy advocate Alastair Mactaggart explained why the authors intentionally left so much room for interpretation. As he points out, past privacy regulations became out-of-date quickly because they couldn’t keep pace with changing technologies and data processes. Data privacy discussions even five years ago didn’t anticipate the proliferation of data-consuming IoT devices that surround us today, both at home and at work.

In contrast, CCPA has been called a “living law.” The goal is to continue to protect consumer privacy and enable people to control what happens to their data, even as more devices are invented and data analysis becomes more sophisticated.

To keep pace, companies need to develop data privacy programs with the flexibility to identify and classify both people and their devices. They need to anticipate potential future uses of data they collect and prepare to share that information with consumers.

Preparing for Operational Challenges of CCPA?

Get started with the Ultimate Guide to California’s Data Privacy Law.

  • Regulations

What “State of the Art” in IT Security Will Satisfy European Regulators?

WireWheel is adding to our stable of experts on privacy! We’re excited to have Gabriela join us as a regular contributor on deeper technical topics.

The European Agency for Network and Information Security (ENISA) and the German IT Security Association (TeleTrusT) recently published comprehensive guidelines describing what is the “State of the art in IT security” (Guidelines), an important factor to take into account for compliance with data security obligations under the General Data Protection Regulation (GDPR). These Guidelines provide much-needed clarity around this otherwise vague concept by defining it and listing actual technical and organizational measures considered to be “state of the art”.

One of the biggest changes brought by the GDPR in May 2018 was recognizing the importance of accountability for data protection compliance. Organizations are expected to act as trusted “data keepers” and proactively take steps to account for every personal data item that enters their care. The GDPR enshrines several obligations that contribute to accountability, including an obligation in Article 32 for organizations to implement “technical and organizational measures to ensure a level of security appropriate to the risk”, taking into account “the state of the art” in IT security. Non-compliance with Article 32 can lead to administrative fines of up to €10 million or up to 2% of the global annual turnover of the organization for the preceding year.

But What Does “State of the Art” Mean in This Context?

As a piece of legislation that intends to be technically neutral, the GDPR does not itself establish what is the state of the art of IT security. This is good news, since both technology and security threats constantly evolve. However, organizations whose activity falls under the GDPR still need to figure out what it means, since it represents a presumably objective indicator of the robustness of their security program, and, hence, their compliance with Article 32. Data Protection Supervisory Authorities, like the UK ICO and the French CNIL, also refer in their data security guidelines to this concept, but without defining it.

This is where the ENISA – TeleTrusT Guidelines step in and fill the gap, even if they are meant to support compliance with both the GDPR and the 2015 German IT Security Act (therefore, they also refer to some specific obligations of the German law).

First of all, the Guidelines explain that, in general, “state of the art” of technology is a concept “situated between the more innovative existing scientific knowledge and research technology level and the more established generally accepted rules of technology level”, and it must be “independently measurable”. The Guidelines define “state of the art” as “the procedures, equipment or operating methods available in the trade in goods and services for which the application thereof is most effective in achieving the respective legal protection objectives”. But most of the Guidelines’ value actually rests in identifying specific technical and organizational measures which can be considered “state of the art” for 2019.

Under technical measures, the authors of the Guidelines catalog state of the art security measures for many operations, including but not limited to server hardening, password strength assessment, multi-factor authentication, encryption of files and folders, securing electronic data communications with a Public Key Infrastructure (PKI), cloud-based data exchange, network monitoring using an Intrusion Detection System, web traffic protection, and remote network access and maintenance. For each cataloged operation they also look at known security threats and explain the protection objective covered by the measure, such as availability, integrity, confidentiality or authenticity.

For example, with regard to cloud-based data exchange, the most common threats identified are unauthorized access and inspection by the operator of the service; hacking by third parties while the data is transported through the internet; and theft or unauthorized use of the identity that was agreed on with the cloud service. To prevent such risks from happening, the appropriate measures identified are:

  • encrypted transmission of files to and from the data exchange service;
  • client-side, end-to-end encryption of data for the recipient prior to transfer to the cloud, either through encryption integrated into the data exchange service in the client software that is part of the cloud, or through separate client end-to-end encryption software.
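The second measure, client-side end-to-end encryption for the recipient before upload, as an added illustration that is not code from the Guidelines or from this page: the sender encrypts with a fresh X25519 key pair against the recipient's public key and AES-256-GCM, so the exchange service stores only an envelope its operator can neither read nor silently alter. The SHA-256 key derivation, the Envelope layout and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the service ever stores; none of it lets the operator read the data.
type Envelope struct {
	EphemeralPub, Nonce, Ciphertext []byte
}

// NewRecipientKey creates the recipient's long-term X25519 pair; only the public half is shared.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives AES-256-GCM from X25519; SHA-256 as KDF is an assumption made for this example.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	return cipher.NewGCM(block)
}

// EncryptForRecipient runs on the sender's machine before anything is uploaded.
func EncryptForRecipient(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per file
	if err != nil { return nil, err }
	gcm, err := aeadFor(eph, recipientPub)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	// The ephemeral public key is bound as associated data so it cannot be swapped.
	return &Envelope{ephPub, nonce, gcm.Seal(nil, nonce, plaintext, ephPub)}, nil
}

// DecryptAsRecipient runs after download; any change to the envelope makes Open fail.
func DecryptAsRecipient(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil { return nil, err }
	gcm, err := aeadFor(priv, ephPub)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}
```

Transport encryption (the first measure) still matters, but with this scheme the operator sees nothing it could inspect even if it were compromised.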

As for organizational measures, the Guidelines make clear that having security measures in place, even if they are “state of the art”, will not actually achieve data security without staffing measures and a system of methods, procedures and rules for managing corporate information security. These rules should be adopted and systemized within an Information Security Management System, which should also include “methods for regular inspection and documentation of organizational and technical changes”. The Guidelines identify what are considered state of the art internal processes to achieve data security, such as security organization (establishing a management framework), requirements management (legal, contractual or other types of requirements), or knowledge and competency management.

The authors even draw a map of security-specific roles that can be assigned within an organization and list their main responsibilities, from upper management (which holds strategic responsibility), to the Chief Information Security Officer, Information Security Officers, the Information Security Management team/Security steering committee, to the Audit Manager. As for the Data Protection Officer, the authors highlight that this role “should not necessarily be seen as part of IS management team, but instead as an important contact in matters regarding compliance, ideally regularly involved in the IS management process”.

Will Following These Guidelines Satisfy European Regulators Enforcing the GDPR That an Organization Is Using “State of the Art” IT Security?

This could be the case, considering that they are backed by an authoritative voice in European network security, ENISA. The Guidelines certainly provide a solid baseline, especially in the absence of advice from DPAs. However, organizations always need to pay attention to the specific guidance issued by their Lead DPA, if they have one, or by the DPAs whose jurisdictions cover the organizations’ activity. It is notable, though, that the European Data Protection Board did not include any guidance on data security or Article 32 GDPR in its recently published and busy work program for 2019-2020. In the absence of harmonized advice from the DPAs on state of the art security, reports issued or endorsed by ENISA will be the closest available resource to follow at the European level.

Here is a list of further resources that can be helpful for identifying the “state of the art” in IT security for GDPR compliance purposes:


How Are Personal Data and Consumer Rights Defined in the California Consumer Privacy Act (CCPA)?

Privacy concerns have entered the mainstream. High-profile data breaches and news of companies selling data has caused consumers and regulators to ask questions and demand answers. New data privacy laws are designed to protect personal data and put power back into the hands of the consumer.

Chief among the new laws is the California Consumer Privacy Act (CCPA). Born from a consumer-driven ballot initiative to protect personal data privacy, CCPA will go into effect in January 2020. With California being the fifth largest economy in the world, CCPA is influencing the privacy landscape across the United States. That’s why it’s important to understand how consumer rights and personal data are defined under CCPA, and how businesses will be affected.

What’s Shaking Consumer Trust?

In the first few months of 2019 alone, several stories came to light regarding companies selling customers’ location data to third-party service providers, including AT&T, which announced upon discovery that it would terminate all location-sharing agreements. Other mobile service providers followed suit. IBM’s Weather Channel app is also under scrutiny following a lawsuit by the city of Los Angeles, claiming that it tracks users “throughout the day and night” to sell their personal location data to advertisers, retailers and hedge funds.

Data breach investigations are also a threat to business integrity. Chances are high that a company will experience a data breach of some sort. In fact, according to the Ponemon Institute, businesses are more likely to suffer a data breach of at least 10,000 records than an individual is to catch the flu this winter. If a data breach becomes public, a light is suddenly shined on the business’s data privacy practices, triggering a closer look by regulators.

Key Definitions in CCPA

The California legislature rushed to draft and pass CCPA, primarily because it is easier to amend than a law enacted via the state’s initiative process. But the fast-tracked process produced a law with confusing and contradictory language that leaves many details unexplained or open for interpretation. Therefore, it’s important to have a grasp of consumer rights outlined by CCPA, what is classified as “personal data” and how it applies to a business.

“Personal data” as defined under CCPA is much broader than one would think, extending beyond the conventional names, addresses, emails, phone numbers, license and social security numbers to include biometric data, IP addresses, geolocation data, online aliases, employment and education information, purchasing history, internet activity (e.g. browsing and search history, web tracking data) and any “inferences drawn” from this data.

CCPA Introduces the Following Rights for Consumers Regarding Such Personal Data:

  • Right to know all personal data collected by a business;
  • Right to say no to the sale of personal data;
  • Right to delete personal data;
  • Right to be informed of what categories of personal data will be collected prior to its collection, and to be informed of any changes to this collection;
  • Mandated opt-in before sale of children’s information (under the age of 16);
  • Right to know categories of third parties with whom personal data is shared;
  • Right to know categories of sources of information from whom personal data is acquired;
  • Right to know the business or commercial purpose of collecting personal information;
  • Private right of action when companies breach personal data.

Impact of CCPA

Any breach of these rights under CCPA will result in hefty fines enforced by the Attorney General, which can reach up to $7,500 per intentional violation and up to $2,500 per non-intentional violation. Affected consumers also have the right to bring individual or class action lawsuits against offending businesses. With damages ranging between $100 and $750 per violation, costs could escalate quickly. A data privacy lawsuit could easily put a small company out of business. On the other hand, demonstrating commitment to CCPA and data privacy overall will become a competitive advantage that fosters trust with your customers.

To understand how CCPA will impact your company’s data privacy strategy, download our eBook, The Ultimate Guide to California’s Data Privacy Law.


The Roots of WireWheel

Over the past five years, we have seen real urgency develop worldwide around the topic of privacy – and the story starts and ends with people.

Why? Because most people didn’t – and still don’t – believe they are in control of their own information. Individuals, advocacy groups, legislators and technologists began demanding change – and governments have started to take action.

Organizations, too, have started to take privacy seriously and to charge technical teams, security teams, and compliance teams with the job of protecting information and establishing trust.

But, if protecting privacy is now part of your job, it might seem like a nearly impossible task. The information necessary to protect privacy is either buried in your technical stack, or in the minds of people all over your organization and your wider network of partners, vendors, consultants and advisors. You often have to tackle this with limited time, limited resources, and the threat of significant fines hanging over your head.

We founded WireWheel because organizations needed a different approach to tackling privacy. Our vision is based on two main principles:

  • First, it takes people to protect privacy. Technology alone will not help organizations ensure they are doing the right thing with personal information.
  • Second, privacy management technology needs to leverage what organizations have already purchased and translate it for their privacy teams. By enabling privacy teams to understand technical stacks, they can tackle privacy protection, and CTOs and CISOs no longer have to answer the same privacy questionnaires over and over again.

Momentum for achieving privacy excellence is building. A year into this endeavor, we are thrilled to be selected as one of RSA’s 10 Innovation Sandbox Finalists.

I can’t wait to build the next phase of WireWheel.

Behind the Scenes of Privacy and Trade Negotiations

I had the honor of representing the United States around the world on privacy during the Obama Administration, and it started when I came into the Administration after the “Snowden Disclosures” in 2013. Around the world, governments needed assurance that the U.S. respected personal information, and European lawmakers even suggested that they should stop European data transfers to the U.S.

Governments around the world also started arguing that there was an unfair playing field for their organizations, claiming that they had to follow strict privacy rules, while U.S. organizations did not.

We realized at that time that organizations would need a better way to tackle privacy. Without better solutions, governments could use domestic privacy laws to force digital trade and data storage to be localized in their own countries. For example, if startups did not have better privacy technology, they would not be able to compete on the world stage.

The Answer: Data Protection-as-a-Service

We built WireWheel to empower organizations to be diligent caretakers of the digital footprints people leave behind in everything they do. And, the WireWheel Privacy Management Platform does this by simplifying, structuring, and automating privacy programs.

WireWheel simplifies privacy by focusing privacy teams on the four central pillars of privacy protection that apply to any law, including GDPR, CCPA or any future Internet Bill of Rights. These four central questions are:

  • What personal data are you collecting or observing?
  • Where are you storing that personal data?
  • Where are you processing that personal data?
  • With whom are you sharing that personal data, and for what purpose?

WireWheel then structures and automates your privacy program to efficiently collect the critical information from the systems and people around your organization and vendor networks.

The platform is centered around three modules:

  • WireWheel’s unique tasking and project management engine helps organizations stand up and manage privacy programs at scale. WireWheel includes frameworks and pre-configured workflows to easily manage and maintain a comprehensive privacy program.
  • WireWheel translates your existing technologies to make them usable for your privacy teams. For example, plug in your infrastructure-as-a-service (IaaS) or data stores, and WireWheel can automatically spot data stores, processing, and personal data. In this way, you can think of WireWheel as the interface that translates your existing technologies into something that is really usable by your non-technical privacy teams.
  • WireWheel includes a “Privacy Studio” that allows your privacy teams to build internal and external resources focused on privacy. The Privacy Studio integrates with WireWheel APIs to automate customer preference centers for preference management and customer data access, deletion, correction and portability.

With a single pane of glass, privacy and security teams now can create critical data and business process maps to make collaborative, informed decisions.

In this way, the WireWheel platform supports all phases of a global privacy management and compliance program including data inventories, privacy and data protection assessments, vendor risk management, “data subject” or customer data access, deletion, correction, and portability requests, and more.

And we have priced WireWheel’s platform to enable organizations of all sizes to get the benefit of our platform.

Enhancing the Privacy Experience

As WireWheel has grown we’ve brought on a team of privacy, cyber security and technology experts who have been in the trenches of managing privacy and IT programs. Key customers such as Under Armour and BlackBoard have provided critical feedback to make sure our solution matches their business needs.

In every development discussion we have, we focus on the privacy experience for our customers, ensuring that our technology is really usable by non-technical privacy leaders. The concept that “It Takes People to Protect Privacy” has imbued our product development, hiring decisions and organizational culture.

Ultimately, we believe that people will protect privacy, that organizations will help build trust, and that people will get back in charge of their information.

And these movements, we hope, will be driven in part by WireWheel.