
What is the difference between the CCPA and the CPRA?

The California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”) grant California residents arguably the most comprehensive privacy rights in the United States. The CCPA was enacted in 2018, and the CPRA was passed in 2020 as an amendment to the CCPA. In other words, the CPRA does not replace the CCPA; it expands it. Accordingly, the CPRA is often referred to as “CCPA 2.0.”

The scope of data protection is a significant difference between the CCPA and CPRA. The CCPA covers businesses that have an annual gross revenue of $25 million, collect data on at least 50,000 households, or obtain at least 50% of their revenue from selling personal information. The CPRA extends the coverage to businesses that have an annual gross revenue of $25 million, collect data on at least 100,000 households, or obtain at least 50% of their revenue from sharing personal information.

The CPRA also addresses what many saw as two significant limitations of the CCPA: first, the absence of a specialized enforcement authority, and second, the lack of detailed guidance advising businesses on how to comply with the law. In response, the CPRA created a new agency, the California Privacy Protection Agency (“CPPA”), to replace the California Attorney General’s Office, which was previously responsible for enforcing the law. The CPPA will be responsible for providing compliance guidance, as it is expected to have more privacy expertise and resources than the Attorney General’s Office. Moreover, the CPPA will have the authority to pass further regulations, conduct investigations, and impose fines for violations of the CPRA.

What is “personal information?”

The CCPA was passed to provide California residents with certain rights regarding their personal information. It defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the following categories:

1. Identifiers: such as name, address, email address, social security number, driver’s license number, passport number, and IP address.

2. Customer records: This refers to any personal information that is obtained from a customer, such as purchase histories, customer service inquiries, and account information.

3. Commercial information: This includes any information that is used in the course of conducting business, such as transaction histories, product preferences, and purchase histories.

4. Protected classifications: This includes any information that pertains to characteristics that are protected under state or federal law, such as race, ethnicity, gender, and disability status.

5. Internet or other electronic network activity: This includes any information collected through a consumer’s use of the internet or other electronic networks, such as browsing histories and search histories.

What is “sensitive personal information?”

A significant addition to the above is the CPRA’s inclusion of “sensitive personal information,” which is defined as information that reveals a consumer’s social security number, driver’s license number, passport number, financial account information, precise geolocation, race or ethnicity, religious or philosophical beliefs, union membership, personal communications, genetic data, biometric information, or health information.

Individual Privacy Rights

The CPRA also expands the CCPA to provide additional rights to California residents regarding their personal information, such as the right to opt out of the sale or sharing of their personal information, the right to access their personal information, and the right to request that their personal information be deleted.

Notice at Collection

The CPRA introduces a new requirement for businesses to provide consumers with a “notice at collection” that includes more detailed information about the categories of personal information collected, the purposes for which the information will be used, and the categories of third parties with whom the information will be shared. This notice must be provided at or before the time of collection and must be easily accessible to consumers.

This notice at collection requirement is designed to provide consumers with more transparency about how their personal information is being collected and used and to allow them to make informed decisions about whether to share their information with a business. Businesses must ensure that their notice at collection is clear and concise and provides consumers with all the information they need to make an informed decision.

The Right to Know

The CCPA gives California residents the right to know what personal information businesses collect about them. The CPRA expands this right by requiring businesses to provide more detailed information at the time of collection or before. For instance, a business must display a privacy policy describing what types of personal information it collects from California residents, including names, addresses, and other identifying information. Moreover, businesses must provide California residents access to their personal information upon request. More specifically, a business must disclose what personal information the business holds about the resident and how such information was collected, sold, or disclosed in the preceding 12 months.

The Right to Data Deletion

Under the CCPA, businesses are required to provide California residents with the right to request that their personal information be deleted. This right is also known as the “right to be forgotten.” The CPRA builds upon this right and expands it to cover the sensitive personal information category described above.

However, this right to personal information deletion is not absolute. For example, businesses may legally retain certain personal information where the business is legally required to do so. Additionally, businesses may be able to deny a deletion request if the personal information is necessary for the business to provide its products or services to the consumer.

The Right to Opt-Out

The CPRA also addresses the issue of data sharing and selling. The CCPA allows businesses to sell and share personal information under certain circumstances, but does not require them to obtain opt-in consent from consumers. The CPRA changes this significantly as it now requires businesses to obtain opt-in consent from consumers before selling or sharing their personal information.

Accordingly, businesses must provide a clear and conspicuous link on their website titled “Do Not Sell or Share My Personal Information” that directs consumers to the opt-out mechanism. Once a consumer submits an opt-out request, the business must stop selling or sharing the consumer’s personal information with third parties. The business must also inform any third parties that received the consumer’s personal information that the consumer has opted out. The third parties must stop using the information for commercial purposes upon such notice.

The Right to Correct

Under the CPRA, California residents now have the right to request that businesses correct inaccurate or incomplete personal information the business may hold on them. Moreover, if the business has shared any incorrect personal information with third parties, it must inform these parties of the correction request and take steps to correct the information with them as well.

The Right to Limit

Under the CPRA, California residents have the right to request that businesses restrict the use of their sensitive personal information. Businesses must also ensure that third-party service providers with access to personal information comply with any restriction request.

Conclusion

Overall, the CPRA represents a significant expansion of the privacy protections provided by the CCPA. With its broader scope of coverage, enhanced enforcement, and additional privacy rights, the CPRA is likely to have a more profound impact on the privacy practices of businesses operating in California. As such, businesses operating in California should carefully review their privacy practices and ensure compliance with the new requirements introduced by the CPRA to avoid potential fines and legal liability.

Some key measures that businesses can take to comply with the CCPA include:

1. Updating privacy policies: Businesses should update their privacy policies to ensure that they are in compliance with the CCPA’s requirements for transparency and disclosure.

2. Implementing opt-out mechanisms: Businesses must provide California residents with the option to opt out of the sale of their personal information.

3. Establishing data security protocols: Businesses must implement reasonable security measures to protect personal information from unauthorized access or disclosure.

4. Responding to consumer requests: Businesses must be prepared to respond to consumer requests regarding their personal information, including providing access to personal information and deleting personal information upon request.

The Importance of Appointing a Privacy Officer for Your Organization

In today’s world, privacy has become a critical concern for individuals and businesses alike. With the increasing prevalence of data breaches and cybersecurity threats, protecting personal information has become a top priority for organizations across all industries. For this reason, it is essential to appoint a privacy officer to oversee the organization’s privacy policies and procedures.

A privacy officer is responsible for ensuring that an organization’s handling of personal information is in compliance with applicable laws and regulations, as well as industry standards and best practices. This includes developing and implementing privacy policies and procedures, conducting privacy risk assessments, and providing training and education to employees on privacy-related matters. By appointing a privacy officer, organizations demonstrate their commitment to protecting personal information, which can enhance their reputation and earn the trust of customers and stakeholders.

How does a privacy officer ensure compliance with data protection regulations?

Advisori privacy officers assist our clients with data protection regulation/legal compliance by doing the following:

1. Conducting a privacy risk assessment: This involves identifying and assessing the risks associated with the processing of personal information. During the assessment process, we identify the types of personal information your organization processes, the purposes for which it is processed, and the risks associated with that processing.

2. Developing policies and procedures: Based on the findings of the privacy risk assessment, we develop policies and procedures that address the identified risks. These policies and procedures outline how personal data is processed, who has access to it, and how it is protected.

3. Providing training and awareness: All employees should be trained on the importance of data protection and the organization’s policies and procedures. Our training programs educate our clients’ employees on proper personal information handling practices to ensure that they remain up-to-date on the latest regulations and best practices.

4. Conducting periodic audits: Our privacy officers can conduct regular audits to ensure that the organization is complying with its policies and procedures. These audits are designed to identify any areas of non-compliance and provide recommendations for remediation.

5. Responding to breaches: In the event of a data breach, our well-experienced privacy officers are able to take immediate action to contain the breach and minimize its impact. This may involve notifying affected individuals, regulators, and law enforcement, as well as implementing measures to prevent similar breaches from occurring in the future.

The Benefits of Appointing a Privacy Officer include:

– Protecting the organization from data breaches and fines;

– Building trust with customers and stakeholders;

– Staying ahead of changing privacy regulations; and

– Enhancing the organization’s reputation.

Any business collecting or processing personal information should be aware of the crucial role a privacy officer plays in protecting personal data and complying with data protection regulations. By taking these steps and implementing best practices, the business minimizes the risk of data breaches and protects the privacy of individuals. In addition to the legal and regulatory benefits that a privacy officer provides, by appointing a privacy officer and following the steps outlined above, organizations demonstrate their commitment to safeguarding individual privacy. This, in turn, helps build trust and confidence in your organization, which can ultimately lead to increased success and growth. So, consider appointing a privacy officer for your organization today and invest in protecting the privacy of your customers and stakeholders.

Contact us at info@advisori.com to learn more.

Advisori understands how difficult it can be to find the right privacy platform. To best serve our clients, Advisori has partnered with industry leaders to provide our clients with a full range of best-of-breed technologies. Our partner network allows us to give our clients an unbiased view of what technology best suits their needs.

Client Considerations

While understanding the privacy technology industry is critical to the privacy platform selection process, the fundamental consideration in selecting the best tool for our client is a comprehensive understanding of its business. Therefore, we take the time to learn critical aspects of our client’s industry, locations, management structure (where the privacy function sits), resources (financial and human), and the privacy laws and regulations in scope.

This process begins with stakeholder consultation (data protection office, security team, and general counsel) and factoring in each of their particular needs and agendas. Our goal is to find the right privacy platform that best suits the needs of all departments.

For instance, Chief Information Officers tend to have the largest budgets. As a result, some vendors are focusing their technical and sales strategy on data security and less and less on privacy. This trend has negatively impacted privacy professionals in two ways: first, they may be left out of the tool selection and configuration decision-making process, and second, they may be forced to use a tool lacking essential privacy capabilities and functionality.

Our professionals are well aware of this security vs. privacy dilemma and work collaboratively with our clients to design an inclusive solution, considering all department needs (the privacy vs. security office). Our fundamental goal is to get our clients the “biggest bang for their buck” from our technology partners.

Identifying all available company resources (financial, technical, and human) is also a critical consideration. For instance, before considering new privacy platforms, we assess the utility of existing privacy tools our clients already have. It is common for companies to spend a fortune on a privacy platform that ultimately goes unused after the company finds it needs more resources to commit to tool management. These “hidden” costs associated with employee headcount can often render the long-term internal administration of the tool far too expensive.

Instead of the endless cycle of tool “pull and replacement,” our clients can often benefit from outsourcing privacy tool management to Advisori. Our team is trained and certified on the most widely used privacy platforms, ensuring that our clients get the highest level of technical capabilities at the lowest overall costs. Often, we can implement and manage existing tools cheaper, better, and faster than internal resources.

Finally, we consider our client’s short- and long-term needs. For instance, a client may have an immediate need for its website (Cookie Consent Management, Subject Access Rights Portal, etc.). As a business matures, its privacy needs evolve. Based on our client’s trajectory, we recommend a platform that is best equipped to suit immediate needs, with add-on capabilities to address future privacy needs and requirements. The goal is to build a strong technological foundation for our clients to ensure efficient and scalable growth.

Vendor Considerations

The market is flooded with products that purportedly solve every problem. The reality is that each vendor has strengths and weaknesses.

Based on our client’s profile, we first identify vendors that are in our client’s price range. Vendors cater to businesses based on size and revenue; we rule out unaffordable vendors, focusing on realistic vendor options.

We then address the client’s immediate needs as described above. For instance, is the client a small business looking for a cookie consent management platform or website privacy notice, a multinational corporation struggling with data discovery, or a client implementing a compliance management program? These factors are critical, as some vendors focus on website privacy compliance, some excel at data discovery and related artificial intelligence capabilities, and others have sophisticated privacy management tools like automated risk assessments.

Another important consideration is reporting and dashboards. Advisori believes that data protection and privacy is a team sport. Accordingly, a useful privacy platform must have sophisticated reporting features and a manageable dashboard equipped to provide real-time metrics to all relevant stakeholders including upper management when appropriate.

An often overlooked, but consequential, consideration is vendor support. Advisori has direct relationships with our partner support teams and can either interact with the appropriate team on behalf of our clients or connect the client directly to the support team. Either way, vendor support should be a top factor when choosing a privacy platform.

Please contact us at info@advisori.com to learn more about how we can assist your business in finding the right privacy platform.

Standard Contractual Clauses 

As summer begins, many companies doing business in the European Economic Area (“EEA”) and the United Kingdom (“UK”) are scrambling to update their Standard Contractual Clauses (“SCCs”). This is the result of the Court of Justice of the European Union's (“CJEU”) decision in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“Schrems II”), issued on July 16, 2020. The Court’s ruling was a seismic shift for those companies either relying on the EU-U.S. Privacy Shield Framework or the existing standard contractual clauses as the basis for compliance with Article 46 of the General Data Protection Regulation ("GDPR"). Pursuant to Article 45 of the GDPR, personal data can only be transferred outside of the EEA to countries that the European Commission ("EC") has deemed to have adequate data protection laws and practices. Only 13 countries have been approved by the European Commission as having "adequate" privacy safeguards. The European Commission, for example, regards the United States as "inadequate" due to its government surveillance laws.

Article 46 of the GDPR, on the other hand, allows data transfers outside of the EEA to "inadequate" countries if the data exporter uses "appropriate safeguards" to protect the data. For example, the European Union and the United States government negotiated the Privacy Shield framework to facilitate commerce, under which participating U.S. companies could self-certify to an acceptable Article 46 transfer mechanism, allowing them to receive personal data from the EEA. Another option, SCCs, is the most commonly used Article 46 transfer mechanism. SCCs are a standard set of contractual data protection terms and conditions that data exporters and importers agree to when transferring data outside the EEA to an "inadequate" country.

Remarkably, the CJEU invalidated the Privacy Shield in Schrems II. While the CJEU did approve the continued use of SCCs as a legal Article 46 transfer mechanism, it identified legal concerns with the existing SCCs. Moreover, the CJEU underscored a fundamental rule that must be followed for data transfers outside the EEA to inadequate countries: any data exporter transferring personal data outside the EEA must verify, on a case-by-case basis, whether the destination jurisdiction ensures a level of data protection essentially equivalent to that of EU law. More specifically, companies relying on SCCs to transfer data outside of the EEA to “inadequate” countries must conduct a transfer privacy risk assessment to determine whether the surveillance laws or practices in the third country may impinge on the effectiveness of the relevant transfer mechanism. If the results of this assessment reveal risk, the data exporter must apply “supplementary measures” to the cross-border data transfer sufficient to mitigate the identified risk, enough to ensure a level of protection for the data that is essentially equivalent to the level of data protection in the EU.

Brexit further complicates cross-border data transfers from the EEA and the UK. As a result of the UK’s withdrawal from the European Union on January 1, 2021, the CJEU no longer has jurisdiction over the UK, and neither does the EC. Instead, the UK’s primary data protection authority is now the Information Commissioner's Office (the “ICO”), and the UK GDPR has now replaced the GDPR. In practice, this means that companies transferring data outside the EEA or the UK, or both, may now be required to use different sets of SCCs: one set approved by the EC (EU SCCs) and another approved by the ICO (UK SCCs). This article focuses on the EU SCCs.

Guidance on International Personal Data Transfers 

On November 10, 2020, the European Data Protection Board (EDPB) released its Draft Guidance on International Personal Data Transfers (the “Guidance”) to assist data exporters with their required data transfer privacy risk assessments. The EDPB set forth a six-step program for doing so as follows:

First: the EDPB recommends that the data exporter “know your transfer.” Most critically, a data exporter must fully understand where its EEA personal data is flowing. This is often best accomplished by data mapping and the development of an accurate and comprehensive Article 30 GDPR Report.

Second: the data exporter must understand and re-evaluate any Article 46 transfer tools in use (e.g., SCCs, BCRs, etc.). Most critically, are these existing transfer tools providing your data subjects with the same level of data protection as EU law requires?

Third: the data exporter must assess whether its Article 46 transfer tool(s) is undermined, in any way, by the laws existing in the destination country. For example, do the laws of the destination country allow its government to seek personal data without permission or even knowledge of the data exporter?

Fourth: the data exporter must adopt “supplemental measures” to mitigate the risk identified in step three. Supplemental measures may come in the form of contractual, technical or organizational protections necessary to ensure that the transferred personal data maintains the same level of protection it has in the EEA.

Fifth: the data exporter must take all “formal procedural steps” necessary to ensure the adoption and use of any supplemental measures. For instance, a data exporter may add additional contractual clauses to the SCCs to enhance the contractual safeguards for the data transfer.

Sixth and final: the data exporter, with the assistance of the data importer, must continually re-evaluate the steps identified above.

If your company is struggling with where to start, please take our free Standard Contractual Clauses Assessment. You can also learn more about SCCs on our most recent blog or schedule a meeting with us here.


Advisori can assist your company in updating its existing Standard Contractual Clauses ("SCCs"). It's difficult to find the right resources for the job, from experienced privacy attorneys to contract managers. As a result, we have assembled a specialized team to assist our clients with meeting their compliance deadlines.

What are Standard Contractual Clauses and why use them? 

The transfer of personal data gathered in the European Economic Area (“EEA”) and the United Kingdom (“UK”) is strictly regulated by the General Data Protection Regulation (the “GDPR”). For instance, personal data can freely flow from the EEA to just 13 countries, those that the European Commission (the “EC”) has deemed as having “adequate” data protection laws and practices. Thus, companies collecting personal data in the EEA that want to transfer this data to “inadequate” countries must apply “appropriate safeguards” to the data.

The most used safeguard is standard contractual clauses, commonly referred to as “SCCs.” SCCs are standardized and pre-approved contractual language, developed by the European Commission (“EC”), to ensure that all data transferred to any “inadequate” country has essentially the same level of protection as that provided by European Union law. Despite all the attention on the newly published SCCs, they are not actually new. The EC approved the prior version under the old Directive 95/46/EC ("Old SCCs"). For the reasons discussed previously, the EC published two new sets of SCCs on June 4, 2021. The “First Set” replaces the Old SCCs and should be used for international transfers of personal data. The “Second Set” (which is actually new) governs the transfer of personal data between controllers and processors, even those operating solely within the EU (for simplicity, the First and Second Sets of SCCs will be collectively referred to as the “New SCCs”).

The New SCCs are the result of significant changes in EU law. While the Old SCCs addressed only controller-to-controller transfers in one set of clauses and controller-to-processor transfers in another set, the New SCCs are purportedly designed to be more versatile and easier to use. While they remain a combination of non-negotiable, standard clauses, they are in a modular format for transfers from (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller.

Critically, businesses have until December 27, 2022, to replace all Old SCCs with the New SCCs. This will be a monumental task for some businesses. Advisori can help. We have the privacy lawyers, contract managers, and analysts necessary to handle any SCC update project.

We do the following to ensure that our clients meet their regulatory guidelines.

  • We collaborate with internal stakeholders to identify and gather all contracts and artifacts required to scope the SCC remediation project.
  • We examine all existing contracts and data transfers to identify contracts and SCCs that need to be updated.
  • We develop a comprehensive project plan that includes deliverables and a tracking schedule.
  • We create a detailed SCC remediation project playbook tailored to your company's operations and size.
  • We draft or revise existing contracts and update their SCCs.
  • We identify and work with those in privity of contract with our clients to ensure that all contracts are updated and executed.

Please take our free Standard Contractual Clauses Assessment. You can also learn more about SCCs on our blog or schedule a meeting with us here.

If your company transacts business with residents of the State of California, you have likely heard a lot about the California Privacy Rights Act ("CPRA"). The CPRA is a legal evolution from California’s first privacy regulation, the California Consumer Privacy Act (“CCPA”), and is commonly referred to as CCPA 2.0. The CPRA is viewed by many as California’s version of the European Union's General Data Protection Regulation ("GDPR"), and there are significant parallels between the two regulations.

For instance, the CCPA provides California residents with a myriad of privacy-related rights, such as the right to know the types and categories of personal information ("PI") collected by the business, the purposes for collection, and with whom the information is shared, the right to access any such personal information belonging to the individual, and even the right to have this PI deleted from the business’s databases. The CPRA was signed into law in November 2020 and will become enforceable on January 1, 2023.

The first consideration for every business should be whether it falls under the purview of the CPRA. The CPRA applies to any for-profit business transacting business in California that:

  • As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year;
  • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

If your business satisfies one or more of the categories above, we can assist you with developing, implementing, and maintaining a CPRA compliance program.

Advisori’s Automated Privacy Notice

We ensure that your website privacy notice is CPRA compliant using our digital Privacy Notice platform. Where a business collects PI from California residents, it must advise them of the following:

  • How their PI is collected by the business, e.g., website cookies/trackers,
  • What types and categories of PI are collected,
  • With whom their PI is shared,
  • How long their PI is retained by the business,
  • How the data subject can request a copy of their PI,
  • How they can request correction of their PI,
  • How they can request deletion of their PI, and
  • How they can request to opt-out of having their PI collected, shared, or sold.

In addition, the CPRA includes a new data category - sensitive personal information (“SPI”), which includes:

  • Social Security Numbers,
  • Driver’s License Numbers,
  • Passport Numbers,
  • Financial Information,
  • Racial and ethnic origin data,
  • Geo-location data,
  • Health data,
  • Religious affiliation, and
  • Trade union membership.

With a simple installation of our privacy notice code on your website, we will build, display, and manage your CPRA compliant privacy notice.

DSAR Fulfillment

In addition to advising California residents of their privacy rights, a business must allow California customers the ability to exercise these rights. This is often referred to as data subject access requests (“DSAR”). Under the CCPA/CPRA, a regulated business must provide its California customers with at least two ways of requesting the exercise of their rights such as an email address and a toll-free number. The business must respond to a legitimate request within 45 days (with an additional 45-day extension period for the business under certain limited circumstances).

The DSAR process is complicated as a business holding PI must be able to search its databases to find the data belonging to an inquiring customer. We can do this for our clients using our AI-driven data discovery tools to search for, classify, and catalog personally identifiable information, both structured and unstructured, residing in the cloud or on-premises. By doing so, we provide our clients with a comprehensive and dynamic view of their PII across their data inventories. This includes identifying, retrieving, and deleting data belonging to a single customer. We can do this nearly instantaneously.

Not surprisingly, the CPRA requires that a business properly verify the identity of any customer submitting a DSAR. We are able to do this using a variety of electronic means. Moreover, we provide our clients with a customized electronic data request portal where their customers can go to the business’s branded portal and submit a DSAR. Using this same portal, the customer can retrieve any requested data from this secure portal. Just as importantly, all activities are electronically documented for compliance purposes.

Read more on our blog and contact us today to learn more about our CCPA/CPRA solutions.

Visit us at www.advisori.com or drop us a line at info@advisori.com to learn more about our CCPA/CPRA solutions.

Under EU law, and several state laws in the US, a data subject (a person) has the right to see the personal data a business holds on her and to know how that business is using it. A person exercises these rights by making a Data Subject Access Request (DSAR) to the business holding her data. Depending on the law (GDPR, CCPA, etc.), data subjects may have some or all of the following rights: (1) access to the data the business holds on the person; (2) deletion of their data; (3) correction of their data; (4) opting out of the sale of their personal data to a third party; (5) opting out of the processing of their personal data; and (6) data portability (the right to receive an electronic copy of their data).

While data rights are good for consumers, businesses often struggle to fulfill even routine DSARs. For instance, a business must first properly verify that the data subject making the request is who she claims to be. This step matters more every year: an impersonated DSAR is a cheap way for an attacker to have a business hand over, or erase, someone else's personal data. Therefore, businesses must meticulously vet and verify anyone requesting to exercise data rights before anything is disclosed or deleted.

Once a data subject is verified, the data discovery process itself is often cumbersome, because businesses typically collect and store customer data in numerous systems, each built for a specific customer or business need such as bookings or marketing. Finding one person's data across these stores can be like finding a needle in a haystack.

Also, hundreds or even thousands of copies of the same data can sit in numerous databases (what we call data sprawl), making deletion requests a nightmare to fulfill. In the deletion/anonymization context, a multiplicity of systems means the effort to find, erase, or anonymize data on request is far greater than when the subject's data lives in a single system; every additional system holding a copy adds to the work needed to fulfill a DSAR.
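The discovery, lookup and erasure steps described in the paragraphs above, as an added example that is not Advisori's tooling: three constructed in-memory stores stand in for a CRM, a booking system and free-text support notes; a few regular expressions classify the format-recognisable sensitive PI categories listed earlier on the page; one verified subject's records are then located across every store, packaged for an access request, and redacted in place for a deletion request. The store names, field names, record contents and the passport-number format are assumptions made for the example.

```python
"""Data discovery and DSAR fulfilment across sprawled data stores.

Added example, not Advisori's code. The stores, field names, record contents
and the passport-number format are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Patterns for the CPRA sensitive-PI categories that have a recognisable
# format. Health, religious and union data need contextual classification,
# which this example does not attempt.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "passport": re.compile(r"\b[A-Z]\d{8}\b"),  # assumed US-style format
    "geolocation": re.compile(r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
# Structured fields that are personal information even without a pattern.
PI_FIELDS = {"name", "email", "phone", "address"}

# Constructed stand-ins for a CRM, a booking system and free-text support notes.
STORES = {
    "crm": [
        {"id": "c1", "name": "Ana Ruiz", "email": "ana@example.com", "ssn": "123-45-6789"},
        {"id": "c2", "name": "Bo Lee", "email": "bo@example.com", "ssn": "987-65-4321"},
    ],
    "bookings": [
        {"id": "b1", "email": "ana@example.com", "pickup": "34.0522, -118.2437"},
    ],
    "support_notes": [
        {"id": "n1", "text": "Caller ana@example.com confirmed passport A12345678 for ID."},
        {"id": "n2", "text": "Bo asked about the refund policy."},
    ],
}


@dataclass
class Finding:
    store: str
    record_id: str
    field: str
    category: str


def classify(value):
    """Return the SPI categories whose pattern appears in a value."""
    return {cat for cat, rx in PATTERNS.items() if rx.search(value)}


def scan(stores):
    """Catalogue every field in every store that holds recognisable PII.
    This is the inventory a privacy notice and a ROPA are built from."""
    findings = []
    for store, records in stores.items():
        for rec in records:
            for field, value in rec.items():
                if field == "id":
                    continue
                for cat in sorted(classify(str(value))):
                    findings.append(Finding(store, rec["id"], field, cat))
    return findings


def locate_subject(stores, subject_email):
    """Find every record, in every store, belonging to one data subject.
    Identity is keyed on the verified email: structured rows match on any
    field, free-text notes by substring search (the needle in the haystack)."""
    needle = subject_email.lower()
    return [(store, rec) for store, records in stores.items() for rec in records
            if any(needle in str(v).lower() for v in rec.values())]


def access_request(stores, subject_email):
    """Package everything held on the subject, grouped by store."""
    package = {}
    for store, rec in locate_subject(stores, subject_email):
        package.setdefault(store, []).append(dict(rec))
    return package


def deletion_request(stores, subject_email):
    """Erase or anonymise every copy of the subject's data, in place.
    PI fields are blanked; other fields have SPI patterns and the subject's
    email scrubbed, so the record (and its audit trail) survives without the
    person. Returns the number of fields redacted."""
    needle = re.compile(re.escape(subject_email), re.IGNORECASE)
    redacted = 0
    for _store, rec in locate_subject(stores, subject_email):
        for field, value in rec.items():
            text = str(value)
            if field == "id":
                continue
            if field in PI_FIELDS:
                rec[field] = "[REDACTED]"
            elif classify(text) or needle.search(text):
                for rx in PATTERNS.values():
                    text = rx.sub("[REDACTED]", text)
                rec[field] = needle.sub("[REDACTED]", text)
            else:
                continue
            redacted += 1
    return redacted
```

Run `scan(STORES)` once to build the inventory, then `access_request` or `deletion_request` with the email the requester was verified against. The search is keyed on one identifier deliberately: it is the identifier that was verified, and searching on anything weaker (a name, say) is how a fulfilment process ends up disclosing or deleting a different person's records.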

Many businesses still use a manual data subject verification and fulfillment process, which means more privacy specialist headcount and thus higher costs. Beyond being inefficient and labor intensive, manual DSAR fulfillment invites human error in both verification and data discovery, exposing the business to privacy law violations and the resulting regulatory fines.

Ongoing developments in privacy law worldwide promise to increase the burden of DSAR fulfillment as consumer privacy laws rapidly emerge globally and in the US. For instance, the California Consumer Privacy Act (CCPA) came into effect in 2020, following the effective date of Europe's General Data Protection Regulation (GDPR). Currently, California, Colorado, and Virginia have laws that provide or will provide the functional equivalent of DSARs, whereas Nevada gives its residents only the right to opt out of the sale of their personal data.

While the COVID-19 pandemic resulted in a temporary reduction in the number of incoming DSARs; our clients have seen an increase in the numbers of people exercising their privacy rights in the past several months, returning to and in some cases exceeding pre-COVID numbers. We can expect these numbers to steadily increase over the coming months. Not only are more people becoming aware of their privacy rights under existing laws in their jurisdictions, but additional jurisdictions such as Brazil and China have added privacy rights to their laws. We also expect additional states to follow the example of current data privacy laws in CA, CO, NV, and VA, at some point in the future, and a Federal privacy law is not out of the question in the next few years.

The increased DSARs will result in a major cost center for firms in coming years unless they are proactive. According to one recent survey by the Gartner organization, businesses report spending, on average, $1,400 per data subject rights request. Unfortunately some requests can be even more expensive than this eye-popping number. For instance, some records require the redaction of large amounts of information to ensure protection of the privacy of persons beside the data subject. The result is the multiplication of DSAR fulfillment costs.

Many of the redundancies described above exist for sound business reasons, such as backups and purpose-built systems, but they match poorly with the access and erasure rights now being exercised by customer bases worldwide. For this reason, companies that tackle DSARs manually see their cost per request start high and climb higher.

Businesses looking to outsource their DSAR fulfillment process can rely on Advisori. Advisori is a full-service DSAR Fulfillment Center. Our virtual DSAR platform allows a data subject to submit a DSAR directly to our Fulfillment Center via our secure DSAR portal. We verify the data subject using multiple means and sources, use our cutting-edge technologies to search every type of data store for personal data of all categories and formats, and then package all related personal data for return to the data subject through our secure electronic portal. The data subject can review her data via the portal or even download it. We are also able to find and delete/anonymize data when a data deletion request is filed. We do this quickly and efficiently to ensure that all DSAR regulatory requirements and deadlines are met. The bottom line is, we help our clients fulfill DSARs cheaper, faster, and better. Check us out at www.advisori.com or contact us at info@advisori.com.

Are You Getting Noticed?

Privacy compliance obligations are becoming increasingly onerous for global and even US-based companies. The European Union’s General Data Protection Regulation (“GDPR”) is often seen as the gold standard of privacy frameworks, as evidenced by its influence on other privacy laws such as the California Consumer Privacy Act (“CCPA”) and even Brazil’s General Personal Data Protection Law (“LGPD”).


Unfortunately, the GDPR, and laws modeled after it, are highly complex. For instance, the GDPR has eleven chapters, containing 99 articles. Because of the complexities and nuances of existing and emerging privacy regulations, we, at Advisori, are often asked by our clients where to start with privacy compliance. We believe the first step is knowing what personally identifiable information (“PII”) the business possesses and what it is doing with it. Next is developing a data privacy/protection strategy based on governing privacy regulations, existing capabilities, and available resources.

The third step is memorializing the above in a written privacy policy and privacy notice. We often see privacy policies and notices being conflated. While related, it is important to understand that privacy notices and privacy policies are distinct concepts with different requirements. In this blog, we focus on privacy notices.

A privacy policy is an internal resource, which should instruct employees on the organization's rules related to PII. In contrast, a privacy notice is a publicly facing document advising potential and existing customers, website visitors, and others on the organization’s PII collection, use, and related privacy practices; more specifically, what categories of PII the organization is collecting and who it is collecting this data from; how it is collected, who it is shared with, what legal basis the organization has for collecting the data, when the data is purged, and what rights the data subject has regarding the collection and use of their data.

We consider it a best practice for an organization to publish a privacy notice in most cases, even where the law does not mandate it. Articles 12, 13, and 14 of the GDPR set out the requirements for privacy notices.

At a high level, a privacy notice should include enough information for the data subject to understand what personal data is being collected, why it is being collected, what it is being used for, how long it is being retained, and how the data subject can restrict the processing of her data and even withdraw her consent.

We note, however, that many regulators treat a privacy notice as a binding promise by the organization to the data subject. Therefore, a privacy notice must be both accurate and transparent. The GDPR requires plain-language privacy notices, free of legalese and of terms buried in poorly structured paragraphs. Furthermore, privacy notices should use definitive language rather than qualifiers such as “may,” “might,” “some,” “often,” and “usually,” as a regulator can read these as purposefully vague.

Privacy notices should be conspicuously labeled as “PRIVACY NOTICE” and should be in writing, placed on the organization’s website (on the same page where data collection occurs) and be available orally upon request both to ensure adequate comprehension by the reader and to aid the visually impaired.

The following elements should be included in a Privacy Notice.

  • Contact information for the representative/data protection officer;
  • Purpose and legal basis for processing personal data;
  • The legitimate interests of the organization (or third party);
  • Recipient or categories of recipients of personal data;
  • Details related to any inter-country transfers of personal data, as well as procedural safeguards in place;
  • The duration that the data is being kept (retention period), or the criteria under which data is retained;
  • The existence of the rights of the person from whom data is collected (referred to as a data subject under GDPR);
  • The right to withdraw consent;
  • The right to initiate a complaint with the supervisory authority;
  • Whether providing the personal data is a statutory or contractual requirement (or necessary to enter into a contract), whether the data subject is obliged to provide it, and the possible consequences of not doing so (not required where the data was obtained from a third party);
  • The existence of any automated decision-making, including profiling, with meaningful information about the logic involved and the significance and envisaged consequences for the data subject;
  • If the data was not obtained from the data subject, the categories of personal data collected and the source it came from; and
  • When the privacy notice was last updated.


Privacy Notice Challenges

Drafting and updating privacy notices are time-consuming and risky for a number of reasons. From a legal perspective, there are numerous country/region-specific privacy laws and a rapidly growing number of state-specific US privacy laws. As such, businesses operating in multiple jurisdictions may need to comply with more than just one privacy law/regulation. For instance, California has specific privacy notice requirements unique to that state. Many businesses do not have in-house privacy counsel to draft and maintain privacy notices and outsourcing such work to a law firm can be costly.

Furthermore, privacy notices are dependent on the business’s data. The categories of PII collected by a business, as well as the business's use of such data, often change as the business evolves. Maintaining an accurate manual data catalog and keeping the privacy notice synced with the business’s ever-changing data collection/processing is often an untenable task, even for small businesses. The bottom line is, a privacy notice is only as good as a business's understanding of its data assets to include PII provided by and shared with its customers, vendors, and business partners.

The above effort is even more complicated for larger businesses with segmented departments like product development, marketing, sales, etc., as each group has its own needs and purposes for collecting and processing PII. Moreover, a business can have multiple subsidiaries requiring the use of multiple websites, each with its own set of cookies and other data collection and user tracking technologies.

For the reasons outlined above, privacy notice management is a significant task. Relying on a manual process to do so is often time-consuming and tedious. Aside from the reputational risks associated with inaccurate or incomplete privacy notices, the business is further exposed to regulatory violations and related penalties when failing to have an accurate and transparent privacy notice.

How Advisori Can Help.

Advisori has the people, processes, and technology necessary to assist our clients with managing their privacy notices. Using Securiti.ai’s secure privacy portal, we collaborate with all necessary stakeholders to assist in the selection of the appropriate privacy notices from our extensive template library. We then tailor the chosen privacy notice to business operations to ensure a regulatory compliant, accurate, detailed, and transparent public-facing Privacy Notice.


We also give our clients the option of AI-powered robotic automation and data intelligence, which enables a continuous scan of data stores and an automatic updating to any changes to the collection, processing, sharing, selling, or retention of personal data. These updates are then pushed to the business’s published privacy notice, thereby allowing real-time updates. This can even include cookie related updates as well.

Reach out to us at info@advisori.com to learn more.

The first pillar of a strong data protection/privacy program is an effective data discovery and classification capability. Bottom line is, you have to know your assets in order to properly protect them.

In addition to the data protection benefits of data mapping, this exercise is often required by law. For instance, the EU’s General Data Protection Regulation (GDPR) requires covered entities to create what is known as a “Record of Processing Activities” (ROPA). More specifically, Article 30 of the GDPR requires a “data controller” to “maintain” a ROPA that identifies, among other elements, the controller’s contact details, the purposes of processing, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods, and a general description of the technical and organisational security measures in place.

The bottom line is, the ROPA is an important undertaking as it gives companies a complete inventory of their data processing and provides an overview of precisely how personal data is being handled. From a practical standpoint, an accurate, updated, and comprehensive ROPA helps companies remain legally compliant, thereby helping them avoid sanctions, fines, or penalties that might be otherwise imposed under the GDPR.

Advisori understands that the development and maintenance of a ROPA, even for the smallest enterprise, is a significant undertaking. However, as data privacy laws grow and evolve (e.g., GDPR, CCPA/CPRA), we believe best practice dictates that even companies not required to build a ROPA should do so, as it aids overall risk mitigation. As specified above, building the ROPA requires a company to investigate and discover, with precision, the types and volumes of data it holds and the related processing activities, cross-border data transfers, and data retention schedules. From there, companies must document their legal basis for collecting and processing all personal data they hold. Finally, they must accurately document what they are doing to protect such personal data.

We provide our clients with the necessary people, process, and technology to efficiently build and, just as importantly, maintain an accurate, comprehensive, and current ROPA. Our DPOs have extensive experience building and maintaining ROPAs for businesses in all industries, operating around the world. Moreover, Advisori has partnered with Securiti.ai to provide our clients with the most advanced data mapping automation technology in the industry. Combining this technology with our mature and robust data mapping processes, our DPOs start with the creation and dissemination of user-friendly electronic assessments custom-tailored for our clients. These assessments allow us to quickly and efficiently identify business assets, vendors, and institutions holding or processing personal data. From there, we scrutinize company assets for a precise and current data inventory and map these assets to processing activities. Where appropriate, we further assess each asset for privacy risks, which we then quantify and document, thereby allowing us to implement effective risk mitigation strategies.

Data Mapping Automation

When considering what a ROPA really is, one might surmise that this knowledge already exists organizationally and is readily available. That may be true for some companies; however, this critical information is typically siloed and lives within multiple knowledge bases, which are neither centrally maintained nor refreshed on a regular basis. Therefore, from a company perspective, automated data discovery and ROPA development just makes good business sense, irrespective of whether or not a regulatory body mandates it. Also, as consumers grow increasingly savvy and more “data-privacy conscious,” the smart play is to get in front of this now.

Contact the Advisori Team: we can get this process underway, and give you the people and tools you need to maintain compliance.

This fall begins a new journey for businesses transferring personal data outside the European Economic Area (EEA). On June 4, 2021, the European Union’s executive branch, the European Commission (“EC”), released their highly anticipated new and updated Standard Contractual Clauses (“SCCs”). The EC’s new SCCs are the result of the Court of Justice of the European Union’s (“CJEU”) Schrems II decision, which ultimately invalidated the “EU – US Privacy Shield” – a mechanism designed to regulate the flow of personal data from the European Economic Area (EEA) to “third countries” such as the United States.

Under Article 45 of the General Data Protection Regulation (“GDPR”), personal data may flow freely only to third countries that the EC has determined to provide an “adequate” level of protection; transfers anywhere else require an Article 46 safeguard such as SCCs, or an Article 49 derogation. Currently, the adequacy list covers just 13 countries and territories, and the U.S. is not one of them because of U.S. government surveillance laws. Instead, to facilitate commerce, the European Union and U.S. government agreed to the Privacy Shield framework. Until the CJEU’s Schrems II ruling, U.S. companies could self-certify under the Privacy Shield framework, allowing them to receive personal data transfers from the EEA. Prior to the Schrems II decision, the Privacy Shield and SCCs were the most commonly used data transfer mechanisms by U.S. companies.

Standard Contractual Clauses (SCCs)

SCCs are standard sets of contractual terms approved by the EC to which both the data “exporter” and the data “importer” of EEA personal data must agree before personal data can be transferred to a third country lacking an adequacy decision. SCCs have existed since 2001 and were amended in 2004 and again in 2010. The old SCCs were separate agreements: one for transfers from controllers to controllers and one for transfers from controllers to processors. Many will find the new SCCs more user-friendly, as they are contained in one document consisting of four “modules”: transfers from controller to controller; from controller to processor; from processor to processor; and from processor to controller.

In addition to the new format, the new SCCs incorporate the requirements of Article 28 of the GDPR (the old SCCs were developed under Directive 95/46/EC, the GDPR’s precursor). Article 28 sets out the mandatory terms of a contract between a controller and a processor, or a processor and a sub-processor, including the “technical and organisational measures” the processor must implement. Because the controller-to-processor and processor-to-processor modules already contain these terms, the parties no longer need a separate data processing agreement for such transfers.

Transfer Impact Assessments

While the CJEU did uphold the use of SCCs, the Court warned that signing them is not, by itself, sufficient: data exporters must also conduct a Transfer Impact Assessment (“TIA”), a case-by-case assessment of each cross-border transfer to confirm that the data protection obligations in the SCCs can actually be honored in the destination country. Clause 14 of the new SCCs lays out the TIA criteria, including: 1) the specific circumstances of the transfer (e.g., categories and format of personal data, the number of individuals involved, type of data recipient, the purpose of processing, etc.); 2) the laws and practices of the third country of destination, in particular those allowing public authorities access to the data; and 3) any supplementary safeguards needed to ensure compliance with the SCCs’ data protection requirements, whether contractual, technical, or organisational. Also critical to compliance, the data exporter must document its TIAs and make them available to the relevant supervisory authority on request.

Supplemental Measures

Should the TIA conclude that the recipient third country’s laws impinge on the effectiveness of the Article 46 GDPR transfer mechanism, data exporters must identify and rely upon supplementary measures, as mentioned above, so that the personal data is sufficiently safeguarded. Technical measures are the ones that hold up against a public authority that can compel the importer: strong encryption where the importer never holds the key, or pseudonymization where the information needed to re-identify individuals stays with the exporter in the EEA. Contractual measures add obligations on the importer, such as implementing particular technical controls, notifying the exporter of government access requests, or submitting to audits. Organizational measures include transfer policies and procedures, access controls, and data minimization and purging schedules.
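The pseudonymization measure described above, as an added example that is not Advisori's code: the exporter in the EEA replaces direct identifiers with keyed-hash tokens, keeps the key and the re-identification table at home, and ships records the importer can still join and aggregate but cannot reverse. The identifier field names, the 32-byte key and the records are constructed assumptions.

```python
"""Pseudonymisation as a supplementary measure for a third-country transfer.

Added example, not Advisori's code. The EEA exporter keeps the secret key and
the re-identification table; the importer receives keyed-hash tokens in place
of direct identifiers. Key, field names and records are constructed.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email", "ssn")  # assumed identifier fields


class Exporter:
    """The EEA-side party. Nothing held here is sent to the importer."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.lookup = {}  # token -> original value, stays in the EEA

    def _token(self, field, value):
        # Keyed hash: the same identifier always maps to the same token, so
        # records stay joinable, but nobody without the key can reverse a
        # token or confirm a guess. An unkeyed hash would fall to guessing,
        # since SSNs and emails come from small or enumerable spaces. The
        # field name is mixed in so an SSN and an email can never collide.
        msg = f"{field}:{value}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record):
        """Replace direct identifiers; leave transactional fields untouched."""
        out = {}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS:
                token = self._token(field, value)
                self.lookup[token] = value
                out[field] = token
            else:
                out[field] = value
        return out

    def reidentify(self, record):
        """Reverse the mapping; only possible on the exporter's side."""
        return {f: self.lookup.get(v, v) if f in DIRECT_IDENTIFIERS else v
                for f, v in record.items()}


def importer_view(batch):
    """What the third-country importer can still do with the tokens:
    per-subject aggregation, without learning who any subject is."""
    counts = {}
    for rec in batch:
        counts[rec["email"]] = counts.get(rec["email"], 0) + 1
    return counts


# Constructed records for the example
RECORDS = [
    {"name": "Ana Ruiz", "email": "ana@example.com", "ssn": "123-45-6789", "route": "LHR-JFK"},
    {"name": "Ana Ruiz", "email": "ana@example.com", "ssn": "123-45-6789", "route": "JFK-LHR"},
    {"name": "Bo Lee", "email": "bo@example.com", "ssn": "987-65-4321", "route": "CDG-BOS"},
]
```

Two caveats belong with this. The tokens are pseudonymised personal data, not anonymised data, so the GDPR still applies to the batch the importer holds; the measure only narrows what a compelled disclosure on the importer's side can reveal. And it only works where the importer genuinely does not need the clear identifiers; if the processing purpose requires the importer to re-identify people, this measure fails the TIA and the exporter has to look elsewhere.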

New SCCs Enforcement Timeline

The old SCCs were repealed on September 27, 2021, meaning that all new cross-border data transfers must now be governed by the new SCCs. All existing SCCs will remain in effect until December 27, 2022 (and must be updated by that date).

How Advisori Can Help

Advisori has seasoned professionals who know the GDPR, understand the Schrems II decision, and have completed cross-border data inventories, TIAs, and SCCs for EEA exporters and U.S. importers of personal data.

SCCs Related Services

Please contact us at info@advisori.com to learn more.