Tag Archives: GDPR

Immediate Vault Immediate Access

On Data Privacy Day, Catch Up on These Critical Risk Management and Data Security Issues

Posted on by

Happy Data Privacy Day! Whether it is cyberrisk, regulatory risk or reputation risk, data privacy is increasingly intertwined with some of the most critical challenges risk professionals face every day, and ensuring security and compliance of data assets is a make or break for businesses.

buy prevacid online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/prevacid.html no prescription pharmacy

In Cisco’s new 2021 Data Privacy Benchmark Report, 74% of the 4,400 security professionals surveyed saw a direct correlation between privacy investments and the ability to mitigate security losses. The current climate is also casting more of a spotlight on privacy work, with 60% of organizations reporting they were not prepared for the privacy and security requirements to manage risks with the shift to remote work and 93% turning to privacy teams to help navigate these pandemic-related challenges. Amid COVID-19 response, headline-making data breaches and worldwide regulatory activity, data privacy is also a critical competency area for risk professionals in executive leadership and board roles, with 90% of organizations now asking for reporting on privacy metrics to their C-suites and boards.

“Privacy has come of age—recognized as a fundamental human right and rising to a mission-critical priority for executive management,” according to Harvey Jang, vice president and chief privacy officer at Cisco. “And with the accelerated move to work from anywhere, privacy has taken on greater importance in driving digitization, corporate resiliency, agility, and innovation.”

In honor of Data Privacy Day, check out some of Risk Management’s recent coverage of data privacy and data security:

CPRA and the Evolution of Data Compliance Risks

Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the California Consumer Privacy Act (CCPA).

Frameworks for Data Privacy Compliance

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken. Proven security frameworks like Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework can provide guidance.

Protecting Privacy by Minimizing Data

New obligations under data privacy regulation in the United States and Europe require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach.

buy ocuflox online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/ocuflox.html no prescription pharmacy

As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.”

3 Tips for Protecting Remote Employees’ Data

As COVID-19 continues to force many employees to work from home, companies must take precautions to protect sensitive data from new cyberattack vulnerabilities. That means establishing organization-wide data-security policies that take remote workers into account and inform them of the risks and how to avoid them. These three tips can help keep your organization’s data safe during the work-from-home era.

What to Do After the EU-US Privacy Shield Ruling

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), but following the CJEU’s recent ruling, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

The Risks of School Surveillance Technology

Schools confront many challenges related to students’ safety, from illnesses, bullying and self-harm to mass shootings. To address these concerns, they are increasingly turning to a variety of technological options to track students and their activities. But while these tools may offer innovative ways to protect students, their inherent risks may outweigh the potential benefits. Tools like social media monitoring and facial recognition are creating new liabilities for schools.

2020 Cyberrisk Landscape

As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.

buy doxycycline online www.soundviewmed.com/wp-content/uploads/2023/10/jpg/doxycycline.html no prescription pharmacy

In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputation fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if businesses have not yet already, they should be building auditable and iterative procedures for “data revocation.”

Data Privacy Governance in the Age of GDPR

As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations. With new data protection regulations, Canadian and U.S. companies must reassess how they process and safeguard personal information.

Key Features of India’s New Data Protection Law

Among the new data protection laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved and is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India should familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities.

3 Tips for CCPA Enforcement During COVID-19

Posted on by

As we move into the second half of 2020 and the California Consumer Privacy Act (CCPA) is officially enforced, we are also in the midst of a global crisis that was not properly on the radar when the regulation was enacted in January. Organizations are now being tasked with CCPA compliance in an unexpected remote work environment, with more personal data available online than ever before. And some organizations have the added privacy challenge of contact tracing practices or applications being used internally to monitor employee health.

Even in the remote work environment, relevant companies must ensure that they are informing customers and staff about what data they are collecting, options for which personal details are being gathered, the right to say no and opt out of data collection, the right to request deletion of their information, and equal pricing despite their privacy selections.

Many businesses are still struggling to implement these guidelines and are attempting to avoid significant penalties, all while meeting uptime demands. Below are some tips from security and technology industry experts for the best ways to implement CCPA compliance:

Rely on Data Privacy Regulation Experts 

There is increasing uncertainty around many businesses’ futures, and therefore, it is critical to turn to data privacy regulation experts for advice, guidance and technological support. 

“With exponential amounts of enterprise data only increasing, ensuring data privacy involves layered, complex challenges for any business. From a cloud hosting perspective, meeting evolving compliance and privacy regulations, such as the CCPA law which is just beginning to be enforced, is one of those layers. One of the most important steps organizations can take to guarantee they are on the right path towards compliance is to rely on hosting providers that have teams experienced with privacy law regulations,” said Lex Boost, CEO of Leaseweb USA.  

While it may be tempting to rely on internal teams during the economic downturn, employee burnout in already resource-strapped IT and security teams could cost the companies more in talent loss and potential breaches/fines. Thus, companies should evaluate external providers.

Boost also said, “These providers can guide the process needed to guarantee data is managed within current and upcoming privacy regulations, allowing organizations to focus on maximizing data usage and the experience for their customers.”

Have the Right Cybersecurity Measures in Place 

Proper cybersecurity measures are often major components for achieving compliance with a variety of regulations, but especially the CCPA, which is focused on protecting sensitive data and users’ privacy rights. With major hacks making recent headlines at companies like Twitter, and ransomware attacks that threaten to exfiltrate and leak private data on the rise, companies should be on high alert.

“Nobody is safe from an attack leaking personal information, and it’s absolutely essential that correct cyber measures are in place to secure privileged accounts, in particular, as thoroughly as possible. With more information online and spread out than ever before, hackers not only have the ability to scam people, but also undoubtedly have access to private messages, security information, and other personal data,” said Torsten George, cybersecurity evangelist at Centrify.  

On top of increasing breach risks, many companies’ distributed workforces are making security preparedness even more complex. But there are solutions, according to George: “To protect organizations during this transitional remote working phase and the implementation of CCPA, it’s imperative to provide your IT administration teams, outsourced IT, and third-party vendors with secure, granular access to critical infrastructure resources regardless of location and without the hassles of a virtual private network (VPN). Privileged access management solutions can both maintain compliance and enable secure remote access to on-premises and cloud-based infrastructures, securing all administrative access with risk-aware, multi-factor authentication (MFA), and maintaining the level of compliance CCPA requires.”

Look Toward the Future 

The CCPA currently protects Californian’s privacy rights, but many legal and security experts think this could inspire a similar regulation at the federal level if it is successful.

“The CCPA is the first law of its kind in the United States, and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country. The passage of a cohesive U.S. federal privacy law, one that will preempt state laws, is gaining momentum. It has strong bipartisan congressional support, and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. There are draft bills in circulation,” said Wendy Foote, senior contracts manager at WhiteHat Security.

Foote also advised, “With a new class of representatives sworn into Congress in 2019 and the CCPA effectively putting a deadline on the debate and officially being enforced in July, there may finally be a national resolution to the U.S. consumer data privacy problem. However, the likelihood of it passing in the very near future is slim. A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law.”

It will take several months of negotiation for lawmakers to agree upon how the federal law would be implemented. While companies wait for the passage of a national privacy law and for it to take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.

Consumer privacy will continue to evolve, particularly in the time of COVID-19. Because of this, newer laws and regulations, like the European Union’s GDPR and the CCPA, must be flexible and evolve over time too.

RIMS Report: The California Consumer Privacy Act of 2018

Posted on by

With legislation introduced in California this year to protect consumers’ personal data, a new RIMS professional report, Understanding the California Consumer Privacy Act of 2018 (CCPA) highlights the importance for risk professionals and their organizations to prepare and adjust business operations to remain compliant under the law.

Authored by RIMS External Affairs Committee member Teri Cotton Santos, the report addresses the rights provided to consumers under the CCPA, the obligations it creates for businesses, as well as practical steps companies should take to prepare for its implementation date.

The CCPA was signed into law in June and became the broadest U.

buy sildalis online www.arborvita.com/wp-content/uploads/2023/10/jpg/sildalis.html no prescription pharmacy

S. framework imposing consent and disclosure obligations on businesses that collect personal information on California consumers. Similar to the European Union’s General Data Protection Regulation (GDPR), the law applies to companies collecting personal information on California consumers whether or not the company is based in the state. The clock is ticking for companies to update their operations and processes, as the CCPA becomes effective on Jan. 1, 2020.

“How organizations use and collect personal information continues to be a top concern for regulators and many consumers,” Santos said. “Now is the time for risk professionals to have discussions with internal stakeholders about the implementation of the CCPA and its impact on their organization’s operations and strategy.

buy tobradex online www.arborvita.com/wp-content/uploads/2023/10/jpg/tobradex.html no prescription pharmacy

The report is currently available exclusively to RIMS members. To download the report, visit RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge. For more information about the Society and to learn about other RIMS publications, educational opportunities, conferences and resources, visit www.RIMS.org.

Lawfulness of Financial Crime Data Processing Under GDPR

Posted on by

Much that has been written about the General Data Protection Regulation (GDPR) relates to the burden of obtaining proper consents in order to process data. This general theme has provoked questions about whether and how financial institutions can process data to fight financial crime if they need consent of the data subject. While there are certainly valid questions, GDPR is much more permissive to the extent data is used to prevent or monitor for financial crime.

Clients and counterparties will often be more than happy to consent to data processing in order to participate in financial services. But consent can be withdrawn, so offering individuals the right to consent will give the impression that they can exercise data privacy rights which are not appropriate for highly-regulated activities.

Rather than relying on consent, the GDPR also permits (1) processing that is necessary for compliance with a legal obligation to which the controller is subject and (2) processing that is necessary for purposes of the legitimate interests pursued by the controller or a third party.

Some areas of financial crime prevention are clearly for the purpose of complying with a legal obligation. For example, in most countries there are clear legal obligations for monitoring financial transactions for suspicious activity to fight money laundering. The European Data Protection Supervisor stated in 2013 that anti-money laundering laws should specify that “the relevant legitimate ground for the processing of personal data should… be the necessity to comply with a legal obligation by the obliged entities….” The fourth EU Anti-Money Laundering Directive requires that obliged entities provide notice to customers concerning this legal obligation, but does not require that consent be received. And the U.K. Information Commissioner’s Office gave the example of submitting a Suspicious Activity Report to the National Crime Agency as a legal obligation which constitutes a lawful basis.

Very few commentators have attempted to cite a legal authority for anti-fraud legal obligations. The Payment Services Directive 2 (PSD2) requires that EU member states permit personal data processing by payment systems and that payment service providers prevent, investigate and detect payment fraud. But PSD2 has its own requirement for consent and this protection may fail without adequate implementing legislation in the relevant jurisdiction. Another possible angle is that fraud is a predicate offense for money laundering, and therefore the bank has an obligation to investigate fraud in order to avoid facilitating money laundering.

“Legitimate interests” are also permitted as a basis for processing. However, this basis can be challenged where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Financial institutions may not feel comfortable threading the needle between these ambiguous competing interests.

The GDPR makes clear, however, that several purposes related to financial crime should be considered legitimate interests. For example, “the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest” and profiling for the purposes of fraud prevention may also be allowed under certain circumstances. It is also worth recognizing that many financial market crimes such as insider trading, spoofing and layering are often prosecuted under anti-fraud statutes.

Compliance with foreign legal obligations, such as a whistle-blowing scheme required by the U.S. Sarbanes-Oxley Act, are not considered “legal obligations,” but they should qualify as legitimate interests.

While legal obligations and legitimate interests do not cover all potential use cases, they should cover most traditional financial crime processing. Some banks have been informing their clients that a legal obligation justifies their processing for AML and anti-fraud. Others have included legal obligations and/or legitimate interests as potential justifications for a laundry list of potential processing activities.

While the GDPR became effective earlier this year, financial institutions will continue to fine-tune their approaches based on continuing familiarity with the requirements and legal and regulatory developments. Financial institutions need to revisit their client notifications to make sure that they have disclosed their data processing in a manner that reserves their rights for financial crime purposes. They should also confirm that their financial crime processing adequately falls under a defensible basis. And with this basic housekeeping performed there is hopefully little disruption to their financial crime and compliance operations.