Instant Messaging Apps that Value Privacy and Security

There have been mixed emotions and voices with regards to the privacy and safety of users’ data on platforms owned by Mark Zuckerberg – especially WhatsApp and Facebook.

A recent update to WhatsApp’s privacy policy states that all the metadata of its users can be shared with other apps – meaning that WhatsApp will monitor a user’s online activity, save for the conversations, which are end-to-end encrypted.


10 GDPR fines and what to learn from them

Recently I was looking at fines for GDPR breaches to get a better understanding of the current data protection landscape. I selected 10 fines from just December 2020 and January 2021 that were the biggest or the most interesting. More high-profile fines have already been issued in February, which I did not include in the list. But I am sharing my observations and takeaways in the hope that you will find them interesting and useful, too.

1) Germany: €10.4M fine against notebooksbilliger.de for employee video monitoring without a legal basis

Fine: €10.4 million

The Lower Saxony data protection authority issued a €10.4 million fine against notebooksbilliger.de AG for video monitoring its employees for over two years without any legal basis. The DPA noted that the cameras recorded workplaces, sales rooms, warehouses and common areas, among other places, and that notebooksbilliger.de claimed that the aim of the video camera installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses.

The DPA stated that, in order to prevent theft, a company must first examine milder means, such as random bag checks when employees are leaving the business premises. Video surveillance to uncover criminal offences is only lawful if there is a justified suspicion against specific persons; if that is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de, video surveillance was neither limited to a specific period of time nor to specific employees, and in many cases the recordings were retained for 60 days, which is significantly longer than necessary. In addition, the DPA outlined that customers of notebooksbilliger.de were also affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the video surveillance was not proportionate in these cases.

Takeaway

  • Video monitoring is a particularly privacy-invasive form of processing and requires thorough evaluation of purpose, necessity, proportionality, camera placement, retention period, etc.

Press release: https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html

2) Spain: AEPD fines CaixaBank €6M for consent and information failures

Fine: €6 million

A customer and a non-profit organisation alleged that the bank’s framework agreement prevented customers from negotiating the terms of their contracts and forced them to consent to the processing of their personal data. The AEPD agreed with the complainants, stating that the evidence the bank brought in its defence was imprecise, vague and inconsistent, and did not sufficiently justify its legal basis for processing data and transferring it to third parties (including other companies within the CaixaBank Group).

Takeaways

  • Consent must not be forced upon the customer; invalid consent means unlawful processing of data.
  • Processing based on legitimate interests must be justified.
  • Information on processing activities and data retention must be precise and provided in a uniform manner.
  • Data transfers within a corporate group must also comply with GDPR requirements.

The fine represents the largest financial penalty issued under the GDPR by the AEPD to date.

AEPD decision: https://www.aepd.es/es/documento/ps-00477-2019.pdf

3) Spain: AEPD fines BBVA €5M for GDPR information and consent failures

Fine: €5 million

The Spanish data protection authority (AEPD) fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) €2 million for violating the transparency principle – it provided insufficient information about the categories of personal data processed, especially customer data obtained through products, services and channels – and €3 million for sending promotional SMS messages to a customer without obtaining consent and without having a specific mechanism in place for obtaining it.

Takeaways

  • Transparency about processing activities is one of the pillars of GDPR compliance, as is obtaining proper consent where necessary.

AEPD decision: https://www.aepd.es/es/documento/ps-00070-2019.pdf

4) Sweden: Companies fined for lack of risk analysis regarding access to data

Fines:

  • Capio St. Göran: €2.9 million (SEK 30,000,000)
  • Aleris Sjukvård AB: €1.5 million (SEK 15,000,000)
  • Aleris Närsjukvård AB: €1.2 million (SEK 12,000,000)

The Swedish DPA fined the medical companies Capio St. Göran, Aleris Sjukvård AB and Aleris Närsjukvård AB for failing to implement adequate technical and organisational measures to ensure information security. It was found that there was no risk analysis regarding access to patient data. Authorisations for users of the hospital information systems were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.

Takeaway

  • Access management is a must-have in any IT system holding personal data; access to data has to be granted based on what is required for the job, following the principle of minimum access.

Decision: https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-capio-st-gorans-sjukhus-di-2019-3846.pdf

5) Poland: Virgin Mobile Polska fined for not regularly testing technical measures

Fine: €460,000 (PLN 1.9 million)

The Polish DPA stated that the company infringed the principles of data confidentiality and accountability by not carrying out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of a vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify the safeguards for the transfer of data between the applications used to serve buyers of prepaid services. The vulnerability in the data exchange between these systems was exploited by an unauthorised person to obtain the data of some of the company’s clients.

Takeaways

  • Data security is a permanent, continuous process, not a one-off activity.
  • All data transfers between applications must be secured and properly tested.

More information: https://edpb.europa.eu/news/national-news/2021/polish-dpa-virgin-mobile-polska-incidental-safeguards-review-not-regular_en

6) Ireland: DPC fines Twitter €450,000 for breach notification and documentation failures

Fine: €450,000

Twitter was fined for not informing the DPA in a timely manner about a data breach that resulted from a bug in its software which made “protected” tweets public without the users’ knowledge. A third-party security company discovered the bug and informed Twitter.

The DPA found that Twitter did not comply with its obligation to notify a personal data breach within 72 hours of becoming aware of it. It also found that Twitter had breached its obligation to document personal data breaches.

Takeaways

  • The data controller is considered to be aware of a data breach at the moment it or its data processors determine that an incident might have GDPR implications.
  • A data controller must ensure that its data processors inform it about potential data breaches in a timely manner.
  • All data breaches (including non-reportable ones) must be properly documented.

Decision: https://edpb.europa.eu/sites/edpb/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf

7) Poland: UODO fines ID Finance Poland PLN 1M for inadequate technical and organisational security measures

Fine: €250,000 (PLN 1 million)

ID Finance (owner of the lending platform MoneyMan.pl) failed to implement adequate technical and organisational measures to ensure the security of data. The company had not responded to indications of security gaps, and an unauthorised person subsequently copied and deleted the data on the company’s server, also demanding a ransom. The breach took place following a failed attempt to restore the appropriate security configuration; the controller, despite being notified of the vulnerability by cybersecurity specialists, failed to exercise due diligence with respect to its security systems and its processor.

This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on its server was unsecured.

In calculating the fine, the Polish DPA took into consideration, among other things, the scale of the breach and the controller’s delay in taking appropriate remedial action.

Takeaways

  • The controller must be able to detect, address and notify data breaches – this is a critical element of technical and organisational measures.
  • Any indications or information about possible technical issues must be taken seriously, investigated and addressed in a timely manner.
  • A delay in the service provider’s response is no excuse for the data controller.
  • The way a controller reacts to an incident is taken into account by the DPA when deciding on the fine.

More info: https://edpb.europa.eu/news/national-news/2021/polish-dpa-id-finance-poland-checking-potential-system-vulnerabilities_en

8) Czech Republic: UOOU fines 11 organisations CZK 3.1M for unsolicited postal marketing

Fine: €119,000 (CZK 3.1 million)

The Czech DPA fined 11 organisations for sending unsolicited postal marketing messages to citizens’ mailboxes. The DPA stated that the possibility of sending postal messages free of charge until the end of the coronavirus pandemic emergency period was abused for the purpose of sending marketing messages. The DPA highlighted that the organisations processed data subjects’ personal addresses without a valid legal basis. Moreover, the organisations did not provide data subjects with information on the commercial use of their data at the time of the first communication.

Takeaways

  • The ability to process data does not mean the processing is lawful – all requirements must be met, including a legitimate purpose, a legal basis, proper information to data subjects, etc.

Press release: https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=47199

9) Romania: ANSPDCP fines Banca Transilvania RON 487,380 for inadequate security measures

Fine: €100,000 (RON 487,380)

The Romanian DPA fined Banca Transilvania SA for inadequate security measures that led to a breach of confidentiality and a failure to secure data. Investigating a complaint, the DPA found that a document containing a client’s statement, as well as an email containing an internal conversation between the company’s employees, had been posted on Facebook and a website.

Takeaways

  • A company is responsible for how its employees process personal data.
  • Sufficient security measures must be put in place to safeguard data from misuse and unlawful disclosure.

Decision: https://www.dataprotection.ro/?page=Comunicat_17_12_2020&lang=ro

10) Spain: AEPD fines Vodafone €90,000 for GDPR accuracy and security violations

Fine: €90,000

Due to a system error, clients of Vodafone España were shown the data of other customers. The Spanish data protection authority (AEPD) fined Vodafone España for violations of the data accuracy principle and of the integrity and confidentiality of personal data.

Takeaways

  • Data security and proper access management are an important part of any IT system, as failures may lead to a data breach.

AEPD decision: https://www.dataguidance.com/sites/default/files/ps-00415-2020.pdf

Conclusions

What we can see is that million-euro fines for GDPR breaches are becoming the norm. At the same time, it is still not clear how these fines are calculated, as they seem to be scattered “all over the spectrum” even when it comes to large companies. Nevertheless, the fines are for breaches of basic principles.

Lawfulness.

Processing of personal data has to be necessary and proportionate. Just because you can collect data does not mean you should. Further, if you rely on consent as the legal basis for processing data, ensure it is lawful and meets all GDPR requirements. Otherwise look for a different legal basis. Note that legitimate interests as a legal basis also need careful justification.

Transparency.

Be open about how you process data. Make this information easy to obtain and understand. This task, however, may not be so easy to achieve – especially if the processing is very complex.

Security.

Companies have to implement appropriate organisational and technical security measures. While it is open to discussion what exactly that means, there are some basic requirements:

  • Take data security seriously. If something can go wrong, chances are it will. If somebody points out a weakness, check it twice.
  • Access management – ensure data is accessed only by authorised personnel and only on a “need-to-know” basis.
  • Implement tools and processes that allow detection of data breaches. Your data processors and employees are your responsibility. Ensure your agreements have proper clauses and that instructions are followed.
  • Regularly test and review your security measures – this is a recurring process, not a “set and forget” task.
  • Document all your activities – what you have implemented and how you tested it.

Looking back at data protection in 2020

Last week we celebrated Data Protection Day. So this is the right moment to look back at the previous year, at how it changed, and also to try to predict future developments. All statistics come from the DLA Piper GDPR fines and data breach survey: January 2021.

Regulators have been more active with fines

We saw that data protection authorities are getting up to speed with GDPR enforcement. EUR 158.5 million in fines has been imposed since 28 January 2020. That is a 39% increase compared to just over EUR 114 million in the previous 20-month period since the GDPR came into force on 25 May 2018. Without doubt, the time of warnings is over and authorities expect companies to be fully compliant.

But let’s look deeper at what companies were fined for, which DPAs were the most active, and what the highest fines for GDPR non-compliance were.

What were the biggest GDPR fines in 2021?

The highest GDPR fine to date remains the EUR 50 million imposed by the French data protection regulator on Google, for alleged infringements of GDPR’s transparency principle and lack of valid consent.

The second largest fine is EUR 35.26 million imposed by the Hamburg data protection supervisory authority on the global retailer H&M for failing to have a sufficient legal basis for processing.

Third – Italy’s data protection supervisory authority fined the telecommunications operator TIM SpA EUR 27.8 million for a number of GDPR breaches, including breaches of transparency obligations, failing to have a sufficient legal basis for processing personal data, inadequate technical and organisational measures, and breach of the principle of privacy by design.

While the biggest fines are impressive, in most cases they are far from the maximum of 4% of a company’s global turnover.

What were the most common GDPR breaches in 2021?

Most fines are for violations of basic GDPR principles that have been in place since Directive 95/46/EC, adopted back in 1995. A notable exception could be compliance with the data breach notification requirement, which was introduced with the GDPR; however, it is evaluated in the context of a failure to implement appropriate security measures.

Failure to comply with the transparency principle

Authorities have paid attention to violations of the lawfulness, fairness and transparency principle (Article 5(1)(a) GDPR), making it a priority. Many companies were fined for not having privacy policies or proper notices in place, or for scattering information across many documents, making it hard for consumers to find the required information. Google’s EUR 50 million fine was also for breach of the transparency principle.

Failure to demonstrate a lawful basis to process

This is a cornerstone principle – any processing of data must have a lawful basis. In some cases, the supervisory authority concluded there simply could not be any lawful basis for the processing in question. In other cases the controller failed to demonstrate evidence of the lawful basis, chose a wrong lawful basis that could not apply in the case, or failed to obtain GDPR-compliant consent.

Failure to implement appropriate security measures

Controllers must ensure that processing is secure – no unauthorised persons can access data, systems and processes are monitored, and any data breaches are quickly identified and addressed. In practice this is no easy task to achieve. But effort is what counts.

Breach of the data minimisation and data retention principles

Many companies still collect too much data. Sometimes it is simply that processes were built that way (more is better) without giving a thought to data protection. Legacy systems are not so easy to rebuild, and dealing with unstructured data is hard. And in many cases it is not so obvious what the appropriate amount of data to collect is.

Regulators aren’t always right

Supervisory authorities didn’t have everything going their way, though. Several high-profile fines were overturned in court or significantly reduced. That shows there is plenty of room for disputes regarding how to apply the GDPR.

The UK’s ICO significantly decreased the fines for Marriott International (from £99 million down to £18.4 million) and British Airways (down to £20 million from £183 million).

A German appeals court has slashed by 90% a General Data Protection Regulation fine levied by the nation’s federal privacy watchdog against 1&1 Telecom over call center data protection shortcomings.

Also, the Austrian supervisory authority’s headline EUR 18 million fine imposed on Austrian Post was overturned by the Austrian Federal Court in December.

Consumer organizations test their powers

This year we saw an increase in court cases and complaints brought by consumer protection organisations. noyb brought 101 complaints to 27 EU data protection authorities regarding non-compliant transfers of data out of the EU. Later noyb also sued Luxembourg’s data protection watchdog for refusing to act against US companies.

British Airways is potentially facing the largest privacy class-action lawsuit in UK history over its mass customer data breach that affected 400,000 people, according to a law firm involved.

This year will surely bring a further increase in the activities of consumer organisations, which target not just companies for non-compliance but also supervisory authorities for lack of action.

Increase in reported data breaches

For the period from 28 January 2020 to 27 January 2021 there were, on average, 331 breach notifications per day. That is a 19% increase compared to the previous year’s 278 notifications per day.

I think there are two possible reasons for this increase:

  1. Better awareness among companies regarding identification and reporting obligations. Companies are becoming more educated both about the importance of having proper tools to get alerted to incidents and about their obligations to report data breaches to authorities. Also, increased DPA activity regarding fines for failures to meet reporting obligations may play a role.
  2. Increased cyber-security risks. Last year was special for companies, as most of them moved to remote work. Neither companies nor employees were ready for such a shift. Working from home put data at increased risk, as employees used their own (often unsecured) equipment for processing data or made data available to their household members. And, of course, cyber-criminals were more active than ever in using this new situation for their own gain.

Thus, I am of the opinion that in 2021 we will see a further rise in reported data breaches. For many companies there is still much work to do to address the risks created by remote work – both technologically and in the training of employees.

Takedown of Privacy Shield

The CJEU’s decision to invalidate Privacy Shield was probably the loudest data privacy case of 2020 – not just in the EU but especially in the US. Moreover, the decision impacted all data transfers outside the EEA to countries without “adequate data protection”, as the court noted that any such transfers must be scrutinised and derogation measures can’t be applied just formally. Companies are required to evaluate the legal regime of the data importer’s country and how it applies to the specific data transfer – a huge burden for companies. In addition, technical measures (such as encryption) must be used to secure data.

Brexit

Both EU and UK companies and privacy experts were closely watching the Brexit negotiations to understand whether any additional safeguards would have to be applied to data transfers or whether they could continue as before. The solution was found at the last minute and was... to allow an additional 4-6 months to find a solution. Some relief for companies, but the uncertainty is still there.

New data protection guidance from authorities

There are still many open legal questions and uncertainties in the interpretation and application of the GDPR. It will take time to clear them up. Therefore any new guidance is welcome. Both local authorities and the European Data Protection Board (EDPB) have been actively working on new GDPR guidance.

Also, the CJEU issued several notable decisions on data protection and e-privacy questions, deciding, for example, that:

In November the European Commission released a draft set of new Standard Contractual Clauses (SCCs) that will replace the long-outdated existing ones.

The hard work on GDPR guidance will, of course, continue this year, too. And some new decisions are also expected from the CJEU to shed light on problematic issues of GDPR application.

Conclusion

While the big “hype” around the GDPR is settling down, privacy and data protection are not going away. On the contrary – we see that both data protection authorities and consumer organisations are becoming better resourced and more knowledgeable, taking data protection to the next level. Companies should play along and keep their processes compliant.

Atis Gailis is a European Union based GDPR and IT law expert.

Cybersecurity Tips for Device Protection

An antivirus is a tool that performs frequent checks on your device to rid your system of viruses, malware and spyware. It is considered a tool that every security-aware user should possess. However, considering the ever-evolving digital threats we face every day, it cannot be the sole security software you have on your devices.


Can Data Protection be Guaranteed with the use of Facial Recognition Technology?

Facial recognition technology has undoubtedly brought convenience to our daily lives. However, it has also ignited protests. The clamour was for the right to remain anonymous in crowds and the freedom to protest without individuals being flagged or tracked down. For governments, it was a matter of surveillance for state security.

Use Cases of Facial Recognition

It is very apparent that this biometric application, used to identify or verify an individual’s identity using their face, has become rather commonplace in our daily activities. On social media, the technology is used for tagging people in photos; in mobile devices, it serves as a form of security. In countries like China and the USA, it is used in some airports to check people in and in classrooms to monitor the attentiveness of pupils.

Bypassing Privacy Regulations

Due to the significant absence of stringent regulation so far, private and public bodies in both authoritarian and democratic states have been using and abusing this technology in several ways. There is yet to be an agreed standard in many societies on the ethics of facial recognition, which breeds doubts about compliance with established laws and, more so, about whether the technology will survive criticism of its ethical use.

At first glance, the intended use of the recognition technology seems harmless – to verify identities against a presented face at national borders for identification and security. However, to identify a person by comparing their facial image against a pool of several other known individuals speaks to another level of intrusion.

Drivers of Facial Recognition Trend

There are two major drivers behind this technological trend.

The first driver is security. Countries are poised to aggressively protect their borders, mostly from foreigners who might pose threats of crime and terrorism. Facial recognition helps provide that level of security – scrutinising each face and comparing it to a database of wanted individuals.

The second driver is convenience. Here, the physical and mental effort required to perform some tasks is automated away. With facial recognition, people can easily gain access to anywhere or anything by a simple facial scan – no need to present any form of ID or document. In mobile devices especially, users no longer have to remember their passwords. A quick glance at the camera unlocks the device and, of course, only the device owner can do this.

Jumping the Hoops of Privacy Laws

The issues with this technology border on violations of EU data protection rights or, more precisely, exploit grey areas in them.

The first is that, according to GDPR Art. 2(14), the data protection rules allow the use of biometric data to confirm the identity of a natural person. They however forbid the use of this data for unique identification purposes except under the special conditions in Art. 9(2).

Secondly, the use of this technology, which may interfere with human rights, must be deemed necessary, and this really begs the question: is there no better technology that can achieve what facial recognition does without breaching fundamental human rights?

Third, the methods by which data is collected and used are tainted with obscurity. No one knows for sure who collects this data, how long it is kept, how to trace its origin, and more. The use of this technology does not sit well with accountability and transparency.

Living with Privacy Infringement

Given the above, the onus lies on all and sundry to clamour for clear and concise laws regarding the acquisition, use and storage of data. It is pertinent that these laws touch every corner and leave no grey area that can be exploited by private and public institutions. Aside from this, it is essential that Internet users read privacy policies and understand the agreement before deciding to share their personal data. This would go a long way in reducing personal data exploitation.

Data Protection Day 2020

On 26 April 2006 the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January, the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature. That was the first legally binding international law in the field of data protection. Data Protection Day is now celebrated globally and is called Privacy Day outside Europe.


COPPA Compliance – Steps by Companies to Protect Children’s Privacy

The Children’s Online Privacy Protection Act (COPPA) is a law created by the Federal Trade Commission to protect the privacy of children, specifically those under the age of 13. This legislation mainly requires parental consent for the collection or use of personal information of children and then outlines the responsibility of companies and websites in order to best protect these children.

The law was passed to address the growth of online marketing techniques that targeted children due to their lack of understanding of the potential negative outcomes of revealing their personal information online. In order to comply with COPPA and rightfully protect children’s personal information, companies are held to high standards in their practices. If your company falls under the scope of COPPA, the following steps will help you comply with this federal law.

1. Clearly Display Parental Consent Options.

Parental consent is necessary if your site engages with users under the age of 13 who may share their real identity with other users. In order to provide this consent, parents must submit a signed consent form, make a monetary transaction, call a toll-free phone number, or show identification to the company. Make these options easily accessible for the parent on the company’s website or app. Clear displays of this compliance will ensure your company is following COPPA law.

2. Implement Information Security Procedures.

COPPA mandates that organizations implement and maintain information security procedures in order to carry out its laws. Some steps towards these secure procedures include ensuring that third parties to whom children’s personal information is released also have the capacity to maintain the security and confidentiality of this information. Your company might have the means to protect this data, but ensuring that the entities the information is shared with are also capable of this level of protection is vital.

3. Securely Dispose of Unnecessary Data.

If your company does not need to retain certain personal information, security procedures for properly disposing of this data are crucial. Personal information should only be retained for as long as reasonably necessary, and once said data is not needed, it should be properly disposed of. Insecure disposal of information which is then obtained by other entities could lead authorities back to your company, and ultimately your company may be deemed non-compliant with COPPA. If possible, minimize the amount of personal information collected to avoid problems like these.

4. Honor Parents’ Rights Regarding Their Children’s Information.

Even if you have the parent’s consent, it is still important to recognize that they have ongoing rights to their children’s information. If a parent asks a company to do so, the company must allow them to review the personal information collected, provide them a way to revoke their consent, and delete their child’s personal information upon request. COPPA provides extensive protection for children and their parents and allows for revocation of consent no matter when or how the consent was originally provided. No data collected is as important as maintaining a good relationship with consumers and adhering to COPPA.

COPPA is intent on protecting children under the age of 13 and will certainly crack down on companies who do not implement or maintain procedures to comply with the law. These 4 steps will go a long way towards preventing your company from violating COPPA and towards helping you protect children.

oneDPO

OneDPO
At oneDPO, we solve privacy engineering problems and help companies approach privacy the right way. Currently, we provide tools to help Data Protection Officers (DPOs) handle Data Subject Requests (DSARs) at scale. www.onedpo.com

Processing Consumer Data Subject Requests Under CCPA: What Are Best Practices?

Along with the celebration of the New Year on January 1st, 2020 comes the implementation of the California Consumer Protection Act (CCPA). This date is approximately 10 weeks away, but preparation for these new privacy laws must begin now. In order to make sure your business is fully primed for this new landscape brought by the CCPA, here are the best practices when processing consumer data subject requests.

Don’t Make It Hard on the Consumer.

The CCPA lays out clear requirements of businesses for accessibility for the consumer, such as a toll-free phone number and a “Do Not Sell My Personal Information” link provided on the business’s website. These two methods are designated for submitting disclosure requests. Follow the guidelines and do not add extra steps. Complicating this further could result in fines.

Have Clear Internal Policies and Procedures.

When processing the consumers’ request, it is important to include all of the proper information. This involves, but is not limited to, who is responsible for collecting the data, reviewing it, removing the information that does not need to be disclosed, and fulfilling the request. This should be standard procedure recognized by the entire organization. This information then needs to be delivered precisely, followed by documentation of the company’s process. One can never be too organized and careful.

Be Transparent in Policy Language.

Starting on January 1st, 2020, businesses must provide their consumers with information relating to these new regulations. Prior to January 1st, companies should be ready with updated privacy notices that clearly state how the CCPA affects their information collection and their consumers’ privacy. Once these notices are sent to consumers, formal documentation of these processes should be added on the company website. It does not hurt to be over-prepared for these new procedures required by the CCPA.

Include All Required Information/Data. 

When dealing with private data that is then shared with a consumer, all requirements under the CCPA must be met. This can include the category of the information, the specific pieces of personal data collected, the sources from which the data is collected, and the purpose of such data. The business must be transparent and honest, regardless of the possible reaction by the consumer. Furthermore, third parties with which the data is shared must be covered and the practices with which the company conducts the collection of the personal data stated.

Include the Data Processors in the Mix.

Once a consumer data deletion is requested, the business must log this in the company’s database and then pass it to its service provider. The service provider must be compliant with CCPA regulations during the business’s user data collection. The provider is also liable to civil penalties for noncompliance under the CCPA. In order to properly work alongside your service provider, notify them of the processes and procedures that will be implemented. Working hand-in-hand with the provider will assure that neither you nor they are held as noncompliant.

Implement and Maintain Security Practices. 

Review the company’s current security system and conduct exercises to simulate possible breaches. If the security withstands them, maintain the current system. If there is any fault or mishap, implement new practices, software, hardware, etc. The CCPA may entice hackers, as there are new clear pathways to obtaining personal data. Consult with others in the industry to find the best way of storing, securing, and then accessing the information collected. Regularly review the practices and make sure all employees are aware of the guidelines in order to close all possible loose ends.

The CCPA will require an approved budget, processes, and tools in order for organizations to properly function under these new regulations. These 6 practices are vital steps for the well-being of your company moving forward!

