New US-EU Privacy Regulations (What Has Changed?)

With the launch of the EU-US Data Privacy Framework (EU-U.S. DPF), the newest iteration of mechanisms to facilitate transatlantic data flow comes to fruition. To participate in the program, U.S. companies will have to self-certify their compliance with EU-U.S. DPF principles. These principles help to bridge the gap between US data privacy law and GDPR. In addition to the commitments US companies will have to make, the framework also commits the US government to limit US intelligence services' access to the data of EU individuals. The EU-U.S. DPF also establishes a Data Protection Review Court (DPRC), which will be able to provide EU individuals with redress against privacy rights violations committed by U.S. companies or U.S. agencies. These are binding remedial measures, as detailed in the EU-U.S. DPF. Of course, this is far from the first bite at the apple to create a cross-jurisdictional data privacy framework, so those subject to or benefitting from this framework should be cautious, as these agreements have proven themselves delicate in the past.

The EU-US DPF replaces the EU-US Privacy Shield, which was ruled invalid by the European Court of Justice (ECJ) on July 16th, 2020. Privacy Shield itself replaced the International Safe Harbor Privacy Principles after they were declared invalid by the ECJ in October 2016. History shows that while there is an appetite to ease commerce across the Atlantic by bridging the gap in data privacy protections, these frameworks have not been stable and can be affected by shifting political winds and differing geopolitical goals.

With the European Commission giving its approval for the EU-U.S. DPF, there is hope that the efforts the U.S. government has made to remedy the concerns the ECJ had with Privacy Shield will be sufficient to prevent this framework, too, from being struck down by the ECJ. Key among these efforts have been changes to how the intelligence community handles EU individuals' data and the new redress mechanisms introduced with the DPRC. Companies previously certified under Privacy Shield will have until October 17th, 2023, to update their privacy policies to reflect compliance with the DPF in order to maintain their certification. These organizations may rely on the DPF immediately to receive transfers of EU individuals' personal data. Organizations that have not maintained their certification under Privacy Shield can begin the process of self-certification online through a tool provided by the Department of Commerce. These organizations will be expected to provide details about their privacy policy, the reasons for EU data transfers, and reporting mechanisms, among other details. U.S. regulatory agencies, including the FTC, are expected to enforce the DPF aggressively in order to demonstrate to the European Commission and the ECJ that the framework works, and so avoid another unfavorable ruling that would invalidate this framework as well.

Legal challenges to this framework are expected in the near future, but players on both sides of the Atlantic have expressed confidence that the framework will survive them. Looking ahead, and presuming the DPF survives legal challenge, there are ongoing discussions about EU-U.S. data transfer mechanisms for specific industries that have been left out of the DPF, such as finance and healthcare.

Could you use some help keeping up with privacy in your business? At CyberData Pros, we understand the complexities of data privacy and can guide your business through this challenging landscape. Our proven track record in protecting our clients’ data speaks volumes about our commitment to privacy. Get in touch with us today for a free consultation.

Understanding GDPR

In an increasingly interconnected world where data flows freely, ensuring the privacy and protection of personal information has become an utmost concern. The General Data Protection Regulation (GDPR) was implemented by the European Union (EU) on May 25, 2018. This was a significant milestone in the realm of data privacy and protection. This regulation sets a global standard for how organizations collect, process, store, and handle personal data of EU citizens.

The General Data Protection Regulation (GDPR) is a comprehensive set of data privacy rules designed to give EU citizens and data subjects more control over their personal data and unify data protection laws across the EU member states. GDPR replaced the Data Protection Directive 95/46/EC, harmonizing data protection regulations and imposing stricter rules on organizations that process and control personal data.

There are six principles that GDPR is founded on when processing personal data. Those principles are:

a. Lawfulness, Fairness, and Transparency: Organizations must process personal data lawfully, fairly, and transparently. They must provide clear and accessible information to individuals about how their data will be used.

b. Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes and should not be processed in any way incompatible with these purposes.

c. Data Minimization: Organizations should only collect and retain the minimum personal data necessary for the intended purpose.

d. Accuracy: Personal data should be accurate and kept up-to-date. Organizations must take reasonable steps to rectify inaccurate data.

e. Storage Limitation: Personal data should be kept in a form that allows identification of individuals for no longer than necessary.

f. Integrity and Confidentiality: Organizations must implement appropriate security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.

A cornerstone of GDPR’s personal privacy protections is the set of rights it enumerates and protects for personal data. The rights afforded to EU data subjects to control the processing of their personal data are:

a. Right to Access: Individuals can request confirmation of whether their data is being processed and access to the data.

b. Right to Rectification: Individuals have the right to correct inaccurate or incomplete data.

c. Right to Erasure (Right to be Forgotten): Individuals can request the deletion of their personal data under specific circumstances.

d. Right to Restriction of Processing: Individuals can request the limitation of data processing in certain situations.

e. Right to Data Portability: Individuals have the right to receive their data in a structured, commonly used, and machine-readable format and transfer it to another data controller.

f. Right to Object: Individuals can object to the processing of their data for specific purposes, which includes direct marketing.

g. Right not to be Subject to Automated Decision-Making: Individuals have the right to avoid decisions based solely on automated processing, including profiling.

While GDPR is an EU regulation, its impact is global. Any organization that processes the personal data of EU citizens, regardless of their location, must comply with GDPR. This extraterritorial reach has forced businesses worldwide to adapt their data practices and prioritize data privacy and security.

Failure to comply with GDPR can result in severe penalties. Depending on the violation’s nature, fines can be up to €20 million or 4% of the company’s global annual turnover, whichever is higher. Additionally, non-compliant organizations may face reputational damage.

The General Data Protection Regulation (GDPR) represents a significant step forward in safeguarding the rights and privacy of individuals in the digital age. By adhering to its principles, organizations can build trust with their customers, ensure responsible data handling practices, and maintain compliance with global data protection standards. In order to ensure compliance, organizations may want to do routine Privacy Impact Assessments (PIA) to understand what risks their organization faces in the realm of data privacy.

2023 State Data Privacy Laws Series: UCPA

The Utah Consumer Privacy Act is the final state data privacy law to come into effect this year. It will become effective at the tail end of the year, on December 31st, 2023, with enforcement beginning on the same day. However, one of the unique features of UCPA as it stands now is that the Utah Attorney General and the Division of Consumer Protection will be required to submit a report evaluating the effectiveness of the statute by July 1st, 2025. Amendments derived from that report should be expected, with the aim of augmenting the effectiveness of the current statute. UCPA is one of the more unique state data privacy laws and is considered the most business-friendly law to come into effect this year. It is heavily modeled after VCDPA, but with broader scope and more leniency towards violations.

The Utah law extends consumer privacy rights similar to those found in VCDPA and the other laws modeled from it. However, unlike VCDPA and CPA, UCPA does not afford consumers the right to rectify their personal data, nor does it allow consumers to opt out of data profiling. Notably, UCPA does not provide consumers a right to request a data controller to delete all personal data collected on a consumer. The data controller is only obligated to delete personal data the consumer has provided the data controller.

Another way in which UCPA differs from VCDPA and CPA is that data controllers or processors are not required to establish an appeal process if they deny requests to exercise consumer rights. However, similarly to VCDPA and CPA, businesses must respond to these data privacy rights requests free of charge to the consumer, but are protected against requests that are “excessive, repetitive, technically infeasible, or manifestly unfounded.” Another area where UCPA separates itself from VCDPA and CPA is that it excludes not only deidentified data and publicly available information from its definition of personal data, but aggregated data as well.

One of the parts of UCPA that separates it from its peer consumer privacy laws is its multi-layered enforcement approach. UCPA gives the Utah Attorney General exclusive enforcement authority; however, that is not the first stage of enforcement. The Division of Consumer Protection is obligated to create a “system to receive consumer complaints.” If, after investigating consumer complaints, they believe there is “reasonable cause to believe that substantial evidence (of a violation) exists,” the director of the Division of Consumer Protection may submit a referral to the Utah Attorney General. The attorney general may then decide to take action by notifying the offending party. The offending party then has 30 days to cure the violation or be subject to fines of up to $7,500 per violation.

With the level of leniency provided in this first iteration of UCPA, there are real questions about how effective the enforcement arm of the law will be and whether it will provide sufficient motivation to businesses subject to the law. Activity out of the Division of Consumer Protection and the Office of the Utah Attorney General will certainly be something to compare against the California Privacy Protection Agency and the Colorado and Virginia Attorneys General.

2023 Data Privacy State Laws Series: CTDPA

The next data privacy law coming into effect this year will be the Connecticut Data Privacy Act (CTDPA). The CTDPA comes into effect on July 1st, 2023, with enforcement beginning on the same day. Like the remaining data privacy laws that we’ll discuss, CTDPA was largely modeled after the Virginia Consumer Data Protection Act (VCDPA), with influences from the California Privacy Rights Act (CPRA). However, the cure provision that allows organizations the opportunity to cure a violation before the Attorney General takes action will end on December 31st, 2024.

The guiding influence of VCDPA on the creation of CTDPA is apparent when you look at the privacy rights protected by CTDPA. CTDPA protects a consumer’s right to access, right to data portability, right to delete, right of rectification, right to opt out of sale, right to opt out of profiling, and the right to opt out of targeted advertising. However, unlike CPRA, CTDPA does not protect the right to opt out of automated decision-making. This means that if you do not opt out of profiling, an organization can make choices based on that profile without human input. An area where CTDPA has superior consumer privacy protections over CPRA is the processing of sensitive personal data. CTDPA requires opt-in consent before data processors may process a consumer’s sensitive personal data, whereas CPRA allows consumers to opt out. Sensitive personal data under CTDPA is defined as “personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”

Much like CPRA and VCDPA, CTDPA will require data protection assessments under certain circumstances. Fortunately, CTDPA states that if a data controller conducts a data protection assessment for the purpose of complying with a similar regulation, that assessment will satisfy the CTDPA requirements as long as it is similar in scope and effect. Therefore, conducting a thorough data protection assessment is critical, as it will eliminate the need for redundant assessments. Additionally, it would be advisable for any organization subject to CTDPA to conduct a privacy impact assessment (PIA). A PIA assesses how an organization handles personal data and will tell whether or not the organization will be in compliance with new state data privacy laws.

Data Privacy State Laws Series: What 2023 Means for CPRA

Next up in our 2023 data privacy laws series is the California Privacy Rights Act or CPRA. CPRA amends the California Consumer Privacy Act (CCPA) to add protection for consumers. It was passed as a ballot initiative in November 2020 and took effect on January 1st, 2023. Enforcement is said to begin on July 1st of this year, but recent modifications to the draft regulations show that there may be some flexibility with early enforcement. The California Consumer Privacy Agency (CPPA), the body responsible for enforcing the CPRA, may take into account the time between the publication of the final regulations and the enforcement date, as well as “good faith efforts to comply with those requirements.”

California already had a recent data privacy law in the CCPA, but CPRA expands the volume of data that falls within its scope. CPRA also expands upon the data privacy rights that were in the CCPA. In addition to the right to know, the right to access, the right to deletion, the right to portability, and the right to opt out of sale, CPRA adds the right to rectification and the right to opt out of targeted advertising. A change that may catch some off guard is that CPRA clarifies that a cookie banner is not an acceptable mechanism for handling opt-out requests for targeted advertising or data sales. Other meaningful changes made by CPRA are the significantly increased fines for data breaches involving children’s data and breach liability for disclosure of credentials that could compromise a consumer’s account.

An addition that CPRA brings to California’s data privacy landscape is the creation of a new privacy regulator, the California Privacy Protection Agency (CPPA). The CPPA will begin enforcement on July 1st, and its sole mission will be to protect consumer privacy in accordance with California data privacy laws. In addition, it will have the charge of preparing new rules and regulations in the consumer data privacy space. The CPPA will be a well-funded and well-resourced agency for enforcing data privacy laws while taking some of the burden off the office of the California Attorney General.

Comparatively, this means that CPRA will likely be the most comprehensive data privacy law in the US and will have teeth to back it up. Businesses that are subject to CPRA should already be preparing for enforcement to begin. An essential part of preparing for CPRA should be creating a data map and understanding what data you actually process. From there, you should conduct a gap analysis to find where to make changes to comply with CPRA data privacy mandates. Those subject to CCPA should already be familiar with the ability to opt out of the sale of personal information; however, they should now prepare to provide the ability to opt out of targeted advertising by sharing personal information with third parties. While it can be a heavy lift getting compliant with CPRA, doing so should bring businesses into compliance with other state data privacy laws and will be a solid foundation for future state or national data privacy laws.

Data Privacy State Laws Series: What 2023 Means for VCDPA

First in our 2023 data privacy laws series is the Virginia Consumer Data Protection Act (VCDPA). The VCDPA effective date was January 1st, 2023, with enforcement beginning the same day. VCDPA, sometimes referred to as just CDPA, is somewhat of a mixture of the EU’s GDPR (General Data Protection Regulation) and California’s CPRA (California Consumer Privacy Rights Act). While it shares similarities with each, it is sufficiently dissimilar that it will likely require its own compliance considerations. Much like CPRA, VCDPA will apply to any business that processes the data of over 100,000 of the state’s residents, or that processes the personal data of over 25,000 and derives 50% of its gross revenue from the sale of personal data.

Much like GDPR and CPRA, VCDPA introduces numerous consumer data privacy rights. These rights include the right to access personal data, the right to know personal data is being processed, the right to data portability, the right to deletion, the right to rectification, and the right to opt out of targeted advertising or the sale of personal data.

One of the most substantial differences between CPRA and VCDPA is how VCDPA treats the processing of sensitive data. While CPRA allows consumers to opt out of the processing of their sensitive data, VCDPA requires a data processor to obtain opt-in consent to process a consumer’s sensitive data. Additionally, VCDPA defines sensitive data as any data that includes demographic information, geolocation data, or data from a known child. Another difference is in how VCDPA treats employee and business contact data. VCDPA does not classify employees as consumers, nor does it consider personal data processed in a business-to-business context to be in scope. VCDPA also has blanket exemptions for government agencies, businesses subject to HIPAA, institutions of higher education, and financial institutions subject to Gramm-Leach-Bliley, while CPRA does not.

Outside of CPRA, the other state laws going into effect in 2023 are modeled after VCDPA, so understanding VCDPA and what goes into a compliance strategy for it will go a long way toward reaching compliance with the other laws. When building a compliance strategy for VCDPA, you should first map what data you store or process. Additionally, it would be helpful to conduct a readiness assessment to identify where the gaps in compliance are. Once you’ve located the gaps, you can prepare a remediation plan and develop controls to bring the business into compliance before sanctions are incurred.

What is a Privacy Impact Assessment?

Privacy regulation is progressing across the US and it stops for no one – so what does it take to keep up? As an increasing number of privacy regulations following the example of GDPR and CPRA arise, it naturally follows that more companies than ever will be newly bound to rigorous sets of privacy standards. In the interest of meeting those standards, it’s crucial to have some standardized form of data system assessment to weed out privacy risks, which is exactly the role Privacy Impact Assessments (PIAs) fill. These assessments are thus primed to become an invaluable asset for organizations newly assessing privacy risk at the behest of legislation, as well as for existing privacy-conscious organizations aiming to maintain their privacy posture – so it’s a great time to take a look at what a PIA is, whether or not you need one, and what one entails.

What it is

Essentially, a PIA is a tool that enables organizations to identify, categorize, and ultimately remediate privacy risks present in their data systems in accordance with relevant legislative standards. These assessments have a few objectives: to verify the data system’s privacy conformity with organizational and legal requirements, to determine the privacy risks present in the data system, and to evaluate solutions to mitigate the identified risks.

Who Needs it

Understanding what constitutes a PIA and its goals, a natural follow-up question is who needs one. The necessity of one largely depends on the requirements of whatever regulations your business must abide by – different frameworks require these assessments at different stages of data handling. Odds are, however, that if you are bound by privacy legislation and handle customer Personally Identifiable Information (PII), you will at minimum be required to conduct a PIA when said data is newly processed or sold. Additionally, whenever significant changes or additions are made to the data system’s structure or its processes, a PIA is typically highly advised, if not required outright.

Even beyond the explicitly required cases, almost any organization that handles PII should strongly consider conducting these assessments at least every three years. Remember that these assessments aren’t just a box to tick for compliance’s sake – they exist to help protect consumer information from undue exposure and thus protect the company that would be held liable. At its core, a PIA is a tool to mitigate risk and should be treated as such.

How it Works

So – if you decide upon conducting a PIA, what exactly does it involve? Generally, the assessment takes the form of both an analysis process and a report document. The process itself will vary again depending on the regulatory requirements an organization faces, but will typically include steps like the following:

  • An identification of the scope of the assessment, along with the staff and stakeholders associated with in-scope systems
  • A categorization of the data held, according to its sensitivity
  • A technical mapping of where and how information flows throughout the system: from acquisition to storage to transfer to use to disposal
  • An analysis and cataloging of privacy risks based on the data system’s state – take care to consider non-technical privacy impacts as well, an example being how easily an otherwise safe process can be communicated to concerned consumers
  • A determination of whether or not the risk of holding different types of PII is proportional and reasonable relative to its business purpose
  • A consideration of mitigatory measures that could be taken to further protect the data system’s privacy, as well as that of potential future data gathered

At the conclusion of the above steps, a PIA report should be prepared documenting the results. The report should be easily interpreted and comprehensive of the steps and considerations taken – aid to this end can be found in online templates and/or from privacy consultants. After the report’s completion, ensure that it’s published and sent wherever regulation requires. Ultimately, the PIA report is a living document. The report should be reviewed whenever there is progress toward implementing the identified PIA recommendations or whenever changes to the system are documented.

With the PIA’s goals, use-case, and process in mind, hopefully you’re left with a clearer picture of these assessments going forward. Like many system assessments, the process can seem daunting at first, but with some practice it will become a tremendously helpful tool in your GRC toolbox, helping you adapt and thrive in our privacy-conscious future.

Need some help conducting your Privacy Impact Assessment? Let CyberData Pros carry one out for you, from scoping to publication. Contact us now for a free consultation and to learn more about our services.

VCPO Services That Make Sense

Let’s face it: privacy can be a pain for businesses. It can feel like a burden on your company’s time and resources, and it can be overwhelming to manage with mountains of governmental oversight and regulation to navigate. As the digital age continues forward, it has become more and more obvious that these are not just growing pains that will simply go away. If you own or manage a small to medium sized business, this fact has likely more than just crossed your mind over recent years as you continued to grow. You may be asking yourself: “Am I prepared to handle this data?”, “What kind of risks am I currently accepting?”, “How do I know if my business is handling compliance in a proper way?”

Enter the Chief Privacy Officer or CPO. The CPO role is designed to answer all these questions, as well as alleviate the burden of data privacy and security compliance. This includes an ever-growing list of international and domestic privacy regulations such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), CPPA (Canadian Consumer Privacy Protection Act), VCDPA (Virginia Consumer Data Privacy Act). A CPO possesses the expertise to build and guide a business through these arduous security and privacy processes. This encompasses simpler things such as a privacy policy, all the way to the not-so-simple things like international consumer data laws and security compliance for the company’s entire network and data infrastructure.

As you might imagine, a role like this is not filled easily, nor cheaply. CPOs often have decades of experience with paychecks to match, and are in increasingly high demand with the exponential growth of digital and international market spaces. So how is a small to medium business expected to acquire one? Can your business support another C-level paycheck? How about another big, expensive office space? What about supporting staff and equipment? You can see how quickly hiring and implementing a CPO can become a struggle in its own right, especially when you may already be stretched thin in a period of rapid growth, i.e., when you might need one the most. Well, there’s a solution for that as well.

Modern problems require modern solutions, which is exactly what a vCPO, or virtual Chief Privacy Officer, is meant to be. A vCPO, sometimes referred to as CPO-as-a-Service, can offer the experience, knowledge, and expertise in the data privacy and security field that so many quickly growing businesses need, without the daunting costs, resource drain, and complexity associated with building what amounts to an entire new division of the company. The vCPO can offer any and all solutions a traditional CPO can. This includes understanding and implementing both international and domestic privacy regulations, company data ethics and practices such as handling PII (Personally Identifiable Information), as well as incident response planning and documentation. So what allows a vCPO to do all this and still save money? The answer is scalability. A vCPO solution can grow, shrink, and customize itself to the exact needs and challenges of your business as it stands, and as it changes. It brings its own support and resources to you in a neat and tidy package, giving you the ability to focus on growth and get privacy and security out of the way!

If you have additional questions or need a virtual Chief Privacy Officer, contact CyberData Pros and we can help. Let us help put together a plan and keep your business in full compliance.
