TRUSTe Assessment Manager Product Feature Series – Part 1


With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series will highlight the latest updates.

Part 1 – Your New Privacy Program Dashboard


The December 2015 2.0 release of TRUSTe Assessment Manager introduces a comprehensive Privacy Program Dashboard, giving you visibility into key operational privacy metrics and helping you establish Key Performance Indicators (KPIs) for your privacy office.

Your privacy dashboard gives you an instant view of:

  • Privacy assessment trends over time: how many assessments were created, approved and in progress during different periods
  • Basic risk profile (risk manually assigned by reviewers to issues)
  • Project aging trends
  • Geographical distribution of assessments
  • Open remediation tasks

In addition, from your dashboard you are just one click away from launching a new privacy assessment.

We hope you enjoy the new look and feel of your Assessment Manager Dashboard and welcome feedback on other KPIs your privacy team uses to show effectiveness and accountability. Contact Senior Product Manager Tony Berman at tberman@truste.com with your suggestions.

If you’re not already using TRUSTe Assessment Manager, click here to find out more, and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



EU and US Agree on New Transatlantic Privacy Shield to Replace Safe Harbor


After months of intensive negotiations, today (February 2) the European Commission and the United States announced agreement on a new framework for transatlantic data flows: the EU-US Privacy Shield.

This new framework will protect the rights of Europeans where their data is transferred to the United States and provide a path to legal certainty for the thousands of businesses that had previously relied on Safe Harbor for their international data transfers. The framework should be in place within three months.

Addressing the ECJ concerns

The EU-US Privacy Shield addresses the requirements set out by the European Court of Justice in its ruling of October 6 last year, which declared the old Safe Harbor framework invalid. The new arrangement will place stronger obligations on companies in the U.S. to protect the personal data of Europeans, and provide stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. A new Ombudsperson will also be created to address complaints about possible access by national intelligence agencies.

European Commission Vice-President Ansip said: “We have agreed on a new strong framework on data flows with the US. Today’s decision…further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.”

While further details of the new framework are still to be released, it’s clear that the EU-U.S. Privacy Shield will be robustly monitored, with an annual review by the European Commission and the U.S. Department of Commerce. This review will also involve national intelligence experts from the U.S. and European Data Protection Authorities.

What happens next?

The European Commission will now draft an “adequacy decision”, which would be reviewed by the Article 29 Working Party and then adopted by the Commission after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. Department of Commerce, together with the European Commission, will continue preparations to put in place the new framework, monitoring mechanisms and new Ombudsman. If agreed before the final adoption of the European General Data Protection Regulation, this adequacy decision would ensure that the Privacy Shield could be a valid method of international data transfer through 2018 and beyond.

There should be further details following tomorrow’s Article 29 Working Party meeting and in subsequent briefings by the Department of Commerce on what requirements will be necessary for companies to stay compliant until the Privacy Shield is in place. The TRUSTe EU Data Privacy Transfer Assessment package will ensure you’re compliant with each of these requirements once they’re made available.



February Spotlight: Join us at events in Brussels, Barcelona, Lima and San Francisco


Feb 22-23

IAPP GDPR Comprehensive


Helping you prepare and implement the EU General Data Protection Regulation. The biggest European data protection reform in 20 years is upon us. Make sure your organization is ready for this seismic shift by attending the IAPP GDPR Comprehensive—an intensive two-day training offering a practical, hands-on view of the fundamentals of the new regulation. TRUSTe is a sponsor of the event.

Register here


Feb. 22-25

Mobile World Congress


Mobile World Congress, or MWC, is an annual gathering for the mobile industry and related industries, organized by the GSMA, and held in Barcelona, Spain, the Mobile World Capital. GSMA works all year long to plan the world-class exhibition, award-winning conference program, and outstanding networking opportunities that comprise Congress each year. With an expected 94,000+ attendees you can do more business in four days than in a month’s worth of meetings or in a year’s worth of travel, because everyone who is part of the industry is in Barcelona for MWC.

TRUSTe will be exhibiting alongside the DAA and EDAA in App Planet Hall 8.1 Booth #I63 – come say hi!

More details and registration here


Feb 22

APEC Privacy Workshop

Novotel Lima, Peru

The workshop will begin with an introductory tutorial on the APEC Cross-Border Privacy Rules (CBPR) and APEC Privacy Recognition for Processors (PRP), followed by panels on accountability-based information management programs generally, key issues in the ongoing implementation of the CBPR/PRP system across the APEC region, current work on creating interoperable systems for cross-border data flows between APEC and the EU, and the applicability of the APEC Privacy Framework in the context of big data and other modern information uses.

The workshop is hosted by the Centre for Information Policy Leadership, TRUSTe, Information Accountability Foundation, and Information Integrity Solutions and is accessible both to APEC delegates and non-APEC delegates. For additional information and to RSVP, please email Daniel Jin at djin@hunton.com.


Feb. 29 - March 4

RSA Conference 2016

San Francisco

Celebrating its 25th anniversary this year, the RSA Conference continues to drive the information security agenda worldwide. RSA Conference 2016 includes two halls of 500+ exhibitors, 400+ expert-led sessions, unprecedented networking and not-to-be-missed keynote speakers. TRUSTe is exhibiting at the conference at Booth #N3017, and on March 2 from 8.00-8.50am in Room 2007 TRUSTe CEO Chris Babel will be speaking with IAPP VP Research and Education Omer Tene on the relationship between privacy investment and security.

See more details here


March 2, 5-9pm PT

RSA “Blended Intelligence” Reception

Contemporary Jewish Museum, San Francisco

An evening of connecting, collaborating and sharing sponsored by IID, Infoblox, OTA, ThreatWave & TRUSTe.

Register here


March 1

EDAA Summit


The EDAA Summit aims to increase awareness of the European Self-Regulatory Programme on Online Behavioural Advertising, as well as its role and importance in the development of digital content and services, contributing to the European Digital Single Market. The event will bring together companies active in the digital advertising industry, business organizations, European policymakers, academic representatives and media for a full day of keynotes, debates and networking opportunities. TRUSTe is speaking at and sponsoring this event.

Register here


Details of all future events and webinars are listed here.


Privacy Risk Summit 2016 – Save The Date



We’re excited to announce the launch of the Privacy Risk Summit 2016, taking place in San Francisco on June 8.

The Summit builds on the success of the EU Data Protection Conference and IoT Privacy Summits to offer an expanded program with three parallel conference tracks focusing on the risks rising from technological and regulatory change and privacy risk management best practices.

100% of attendees at EU Data Protection 2015 said the event had “met or exceeded their expectations”.

The Privacy Risk Summit will bring together leading privacy practitioners, lawyers, regulators, and academics to address the top privacy risks and share proven strategies for success. We want you to be a part of it!

There are three main ways to take part in this year’s Summit.

Submit a Speaker Proposal

We are looking for dynamic speakers who can bring a unique perspective to privacy risk management for our audience, and welcome submissions from a wide variety of roles in the privacy ecosystem. For this event we particularly welcome speakers who can share practical examples of how they have managed privacy risk in their organization. The deadline for submissions is February 28, 2016 at 5.00pm (PT). Find out more details about the topics we’re looking to cover within the three tracks here.

Inquire about Sponsorships

With an expected attendance of 200+ senior executives from privacy, legal and compliance functions, this is the ideal opportunity to demonstrate your thought leadership and solutions for privacy risk management. Request a copy of our sponsorship pack here.

Attend the Summit

Join us for a packed day of keynotes, panels and case studies. Register here to benefit from the Event Launch special ticket price of $149, only available until March 7.

Check out the Privacy Risk Summit event website for further details and follow the conversation online using #PrivacyRisk.



Safe Harbor: Coping with Uncertainty


As January comes to an end it seems that, despite best efforts to reach an agreement on both sides, negotiations for a new Safe Harbor framework will run into February. How can businesses cope with this ongoing uncertainty?

Firstly, the silence will not last long

Even if we don’t have a new framework this weekend, we will have further updates from negotiators and regulators early next week. Věra Jourová from the European Commission is scheduled to update the European Parliament on progress with the negotiations on Monday evening, in an Extraordinary Meeting of the LIBE Committee from 7-9pm CET.


On Tuesday and Wednesday the Article 29 Working Party (the European regulators) is due to meet, and Safe Harbor is also at the top of its agenda.

While this does not necessarily mean we will have a new framework, it does mean we will have further clarity on timelines for the negotiations, and on whether the enforcement grace period will be extended or the regulators intend to start taking action.

Secondly, TRUSTe can help manage the uncertainty

TRUSTe is here to help you ensure your data transfers are compliant, whatever happens from a regulatory perspective.

Our EU Data Transfer Privacy Assessment package will enable you to stay compliant with Model Contract Clauses now, and then easily combine with or switch to Safe Harbor at the point a new framework is announced.

Our recent research found that three-quarters (78%) of companies are holding out for a new Safe Harbor framework. Half (53%) of these companies are also now using or preparing to use Model Contract Clauses, while 49% said they were looking to adopt a combined strategy going forward.

Currently, Model Contract Clauses are the only way to achieve compliance. To adopt this mechanism, companies must be able to demonstrate compliance with the EU Data Protection Directive 95/46/EC, along with the additional requirements stated under the Model Contract Clauses.

Model Contract Clauses Assessment

To help companies implement and operationalize Model Contract Clauses, TRUSTe Assessment Manager includes two templates to guide you through the requirements or processes you may need to implement or update. The Model Contract Clause Assessments guide your company through an evaluation of the Controller-Processor and Controller-Controller Sets 1 & 2. The Assessment will also flag requirements companies may need to incorporate into their processes, and make recommendations for addressing those requirements.


Watch our short demo video here and learn more about the self-assessment process. Of course, if you prefer full-service or have any questions, feel free to contact us directly for help at any time at Contact@truste.com.

We’ll be following the Safe Harbor developments closely this week and will be sharing updates on our blog and by e-mail. Subscribe to the blog now and get in touch with your TRUSTe Account Manager to find out how TRUSTe can help you through this period of uncertainty.


The State of Online Privacy 2016



The TRUSTe/National Cyber Security Alliance U.S. Consumer Privacy Index reveals the extent of current consumer privacy concerns: more Americans are concerned about not knowing how the personal information collected about them online is used than about losing their principal source of income.

Released today to coincide with the ninth Data Privacy Day (#PrivacyAware), the study found that online privacy concerns topped the loss of personal income by 11 percentage points, despite only 3 in 10 Americans understanding how companies share their personal information. The business impact of consumers’ privacy concerns remains high, with 89% avoiding companies they don’t believe protect their privacy and 74% of those who worry about their privacy having limited their online activity in the last 12 months due to their concerns.


Consumers Demand Transparency

Just 56% of Americans trust businesses with their personal information online, exposing a significant lack of trust. What can companies do to close this gap? The answer is simple – transparency.

Consumers demand transparency in exchange for trust and want to be able to control how data is collected, used and shared, with simpler tools to help them manage their privacy online. 46% don’t feel they have control of any personal information they may have provided online, 32% think protecting personal information online is too complex, and 38% of those who worry about their privacy online say that companies providing clear procedures for removing personal information would increase trust.

The Right to be Forgotten

Interestingly, given that the so-called ‘Right to be Forgotten’ for Europeans is now enshrined in the new EU General Data Protection Regulation, 60% of Americans think they also have this right. Perhaps unsurprisingly, with the recent terrorist attacks in Paris the month before this survey was conducted, there has been a fall in the number who think online privacy is more important than national security (38%), down seven percentage points from last year’s study. In the context of the Internet of Things, 37% think losing online privacy is a part of being more connected.

Good Privacy is Good Business

“Consumer privacy concern is real and rising and businesses need to act now to rebuild trust with their customers before it hurts the bottom line through lost clicks, downloads and sales,” said Chris Babel, CEO of TRUSTe. “With 3 out of 4 Americans modifying their online activity last year due to privacy concerns this research shows privacy is not just good practice it is simply good business.”

The TRUSTe/National Cyber Security Alliance U.S. Consumer Privacy Index 2016 is based on data from an online survey conducted by Ipsos with around 1,000 US Internet users December 17 to 22, 2015. The research was commissioned by TRUSTe and the NCSA, building on tracking studies conducted over the past six years by both organizations. Comparable research was also conducted in Great Britain.

Check out the detailed findings in the infographics for the US and Great Britain.


Privacy Meetup Event: Cross-Device Tracking Explained



Join the Privacy Innovation & Technology Group on Tuesday, January 26th from 6-8 p.m. at the TRUSTe US offices to review and discuss cross-device tracking: the cutting-edge confluence of new information-collecting technology, “Big Data” and data broker profiling, and targeted advertising.

Although the cookie has not yet quite crumbled, cross-device tracking represents the next step in tracking and reaching consumers by enabling companies and marketers to follow users’ online activity not just across web pages within a browser, but across browsers, locations, devices and platforms.

This event, titled “Cross-Device Tracking Explained: The Technology, Consumer Pros & Cons, and Privacy Approaches to Identifying Users Across Devices and Platforms”, will be led by guest speaker Darren Abernethy, Technology and Data Privacy Attorney. The interactive discussion will address:

  • How cross-device tracking fits along a continuum that includes cookies and online behavioral advertising;
  • The different forms of cross-device tracking, including what the buzzwords “deterministic and probabilistic linking” mean;
  • The potential benefits and concerns of the practice, from enterprise and consumer privacy perspectives; and
  • Current regulatory and legal approaches, including considerations of transparency/consent, the FTC’s past enforcement in related contexts, and self-regulatory possibilities.

The schedule for the event is:

6:00PM – 6:30PM: Kick back and make nice with privacy professionals

6:30PM – 7:30PM: Cross-Device Tracking Explained – The Technology, Consumer Pros & Cons, and Privacy Approaches to Identifying Users Across Devices and Platforms

7:30PM – 8:00PM: Continued networking

Are you CIPP certified? Then attend this session to earn CPE credits from the International Association of Privacy Professionals (IAPP).

To register for the event and read more about Darren, visit the Privacy Innovation & Technology Group’s Meetup page.

Interested but can’t attend on Tuesday? Join this Meetup group to be alerted of future events.



The GDPR Is Here: What’s a Privacy Pro To Do Next?


Angelique Carson, CIPP/US | Editor, Privacy Advisor, IAPP


This article was first published on the IAPP Privacy Advisor.

On December 15, the European Parliament and Council announced that, after years of negotiating, they’ve reached an agreement on a consolidated text of a brand-new General Data Protection Regulation. The Luxembourg Presidency of the Council of the European Union called it a “historic agreement,” while Green MEP and rapporteur Jan Philipp Albrecht called it a “major step forward for consumer protection and competition,” ensuring “Europe has data protection rules that are fit for purpose in the Digital Age.”

Some of the 200-page document’s major provisions include:

  • The law applies to any controller or processor of EU citizen data, regardless of the controller’s or processor’s location.
  • Breach notifications for breaches involving “significant risk” for data subjects must be made within 72 hours of discovery.
  • Data protection authorities are granted more powers, including the ability to fine up to four percent of an organization’s annual revenue.
  • Many organizations will now be required to appoint a data protection officer.
  • Data processing may only occur with explicit consent unless certain conditions exist.

For those who’ve been closely watching the various iterations of the text in the three years since draft one entered the scene, there may be few surprises—though the change in age for children’s consent to 16 was a doozy, wasn’t it? Regardless of whether you’ve been glued to the news or this is the first you’re hearing of the regulation, industry veterans agree the time to daydream is over. The text is here, and the time to move is now.

Field Fisher’s Phil Lee, CIPP/E, said that while Parliament and the Council still have to formally adopt the text, and implementation will come two years after that, what must happen now for some companies is no small feat.

“The significant nature of the changes, from revising internal policies, procedures and notices, to appointing DPOs, to instituting data breach management notices, to revising contracts, really means that companies need to begin planning now,” he said. “With the threat of fines up to four percent of global turnover looming large, no one wants to be caught out.”

Lee said the changes will be most difficult for companies that have been outside the scope of the existing Directive. First, businesses should figure out if they’re subject to the law to begin with, and then get to work remediating.

Privacy strategist Bob Siegel, CIPP/US, CIPP/C, CIPP/E, CIPM, CIPT, president of Privacy Ref, says that’s exactly what he’ll tell his clients: Get moving.

“Start looking at what the impact to business is going to be,” he said. “I think people now are going to have to realize it’s a reality and address those requirements,” he said.

What’s step one?

“The first thing I would do is to put together a cross-functional team; the privacy office, inside or outside counsel, IT and compliance [if it sits outside of those groups] to create an understanding of what the plan will be over the next 18 months to two years to begin implementing those changes,” Siegel said.

Director of TRUSTe’s consulting group, Eleanor Treharne-Jones, CIPP/E, agreed that a good place to start is to meet with the privacy management committee, if there is one, to establish the kind of initial work that should be done and who should be briefed first.

Treharne-Jones said TRUSTe’s research found 40 percent of companies would allocate budget toward the GDPR once the change had passed but before it went into effect. So for many, it may be a case of acquiring budget before progress toward compliance.

But it’s not necessary to wait for the funds to roll in before taking steps toward compliance, Treharne-Jones said, including briefing the board and senior management. For some, it’s been a question of how to package the GDPR as a priority on C-suite agendas.

“For many people, data protection is still not high on the C-suite agenda, but there’s potential this [regulatory change] will push it there,” she said.

K Royal, CIPP/E, vice president and privacy counsel at CellTrust, said companies that may have previously thought their privacy officer a bit of a Chicken Little, worried the sky might be falling without reason to believe so, are now realizing the sky is in fact falling. While Safe Harbor’s recent invalidation may have woken up some companies that slept through warnings about regulatory changes to come, the GDPR ruling got them out of bed entirely.

“With the GDPR, it’s going to be a case of any privacy officer that has been keeping their company posted along the way is probably about to become a lot more respected and listened to,” Royal said.

But Treharne-Jones said having the respect and attention of the C-suite means your messaging has to be on point, and privacy pros “need to be careful how they go about” their messaging for implementing changes. That means having an understanding of what’s in the final draft before you go barging into the CEO’s office, as well as appointing a project owner if there isn’t one already.

“That’s one of the key things needed before you even start the budget process,” she said.

Royal agreed, saying pros must read the new text. All of it. Know the rules.

David Smith, formerly deputy commissioner of the UK’s Information Commissioner and now counsel at Allen & Overy, said the political agreement means a major milestone has been passed and the end is in sight.

“Now that the shape of the regulation is clear, it’s time for CPOs to start preparing. This includes putting in place their arrangements for compulsory breach notification both to data protection authorities and to affected individuals, carrying out privacy impact assessments and being able to account for the effectiveness of their data protection compliance programs,” Smith said.

Beyond that, Royal said there are three key actions that will be critical for companies now, especially U.S. companies. First, she said, you must map your data.

“Where’s it coming from? Why are you collecting it?” Royal said of questions pros must ask themselves. Next, it’s time to stop collecting data you don’t have a legitimate purpose to collect and stop using it for something other than what it was collected for.

“I think that’s going to have the biggest impact on U.S. companies, controlling the data,” she said. “In the U.S., we just love data. Even if we don’t know what we’re going to do with it now, we just love it. It’s like gold panning in the rivers, when you just pick out what you have and take the gold nuggets. Well, we just gotta start throwing the rest of it in the river.”

Lastly, companies are going to need to prepare by taking a look at their relationships with third-party vendors and ensuring none of those relationships put them at risk of non-compliance with the rules.

Royal said she expects companies with BCRs to already be in decent standing, though they’ll need to go beyond the provisions of most BCRs to comply with the GDPR. But they likely won’t have as far to go as companies that haven’t had to reach compliance agreements with European supervisory authorities.

Siegel added that moving toward compliance with the final regulation is complicated further by the fact that the next version of Safe Harbor, the Transatlantic Data Protection Framework, is still being negotiated. “So while having this laid down is good,” he said, “there’s still a question of how to legally export data from Europe, and people are going to have to keep an eye on Safe Harbor while they’re doing this as well. They may find themselves having to pay attention to some things more than others, more than they may have had to do so six months ago.”

In any case, all agreed the time to act is the present. After all, Smith said, “The next two years will pass very quickly!”
