OneTrust’s powerful suite of privacy management technology allows Red Clover Advisors to bring best in class technology and advisory services to serve small and middle market businesses

Red Clover Advisors, a national consulting firm advising businesses on operationalizing privacy as a competitive advantage, today announced a partnership with OneTrust, the largest and most widely used dedicated privacy management technology company. Red Clover Advisors can now provide further value to its clients through this partnership with OneTrust.  

“Global privacy compliance especially under the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) should be a key priority for organizations today,” said Red Clover Advisors CEO and Privacy Consultant Jodi Daniels. “Understanding how to start complying with privacy laws, building a sustainable foundation, and extracting value through good privacy practices are essential especially for small and middle market businesses. Our partnership with OneTrust enhances the services we provide to our clients.”    

Red Clover Advisors’ relationship with OneTrust will enable consultants to leverage the full OneTrust software platform including Assessment Automation (PIAs/DPIAs), Data Inventory Mapping, Cookie Consent and Website Scanning, Data Subject Requests/Consumer Rights Requests, Universal Consent Management and Incident & Breach Response.

Since CCPA is coming in six months, now is the time for companies to get started understanding their readiness and begin their data mapping activities.  “Red Clover Advisors can use the OneTrust Assessment Automation to create a baseline for what a client’s next steps are per the law’s requirements. The Data Mapping tool will help companies document in a central repository the data elements, flow of data through the organization, security measures and any identified risks” said Ms. Daniels. “Compliance with CCPA and GDPR also requires ongoing maintenance such as updates to the data inventories. OneTrust’s software makes it simple to use assessments to identify any updates necessary and changes can easily be made in the data mapping module.” 

“Together with Red Clover Advisors we can help their clients address challenges, mitigate risks and create a foundation for privacy compliance,” said Alex Anderson, Business Development at OneTrust. “This partnership will provide small and medium sized businesses deeper understanding about their privacy compliance needs and develops a right-sized practical approach to serve them.  Bringing together OneTrust technology and Red Clover advisory supports these businesses as they develop a dynamic privacy program that adapts to the changing privacy regulatory environment.”

For more information about how Red Clover Advisors can support your company in complying with GDPR, CCPA, or other US privacy laws, please visit www.redcloveradvisors.com

About Red Clover Advisors

Red Clover Advisors creates customized and affordable privacy programs to fit the size and diversity of each business. Red Clover Advisors, a certified Women’s Business Enterprise, is a privacy consultancy dedicated to understanding the ins and outs of balancing customer data collection and use, GDPR, CCPA, and US privacy law compliance, operationalizing privacy, digital governance, online data strategy, and much more. Red Clover Advisors makes the most complicated data privacy practices simple, helping businesses build trust with their customers.  Red Clover Advisors believes privacy is just good business.

About OneTrust

OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management. According to The Forrester New Wave™: GDPR and Privacy Management Software, Q4 2018, OneTrust “leads the pack for vision and execution.” Additionally, Fast Company named OneTrust as one of 2019’s World’s Most Innovative Companies.

More than 2,500 customers, both big and small and across 100 countries, use OneTrust to implement their privacy, security and third-party risk programs, automatically generating the specific record keeping needed to demonstrate compliance with privacy regulations including the EU GDPR, California Consumer Privacy Act (CCPA), Brazil LGPD, and hundreds of the world’s privacy laws. 

OneTrust’s 700 employees are located across co-headquarters in Atlanta and in London with additional locations in Bangalore, Melbourne, Munich and Hong Kong. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.

# # #

Red Clover Advisors Media Contact: 

Jodi Daniels

+1 404-964-3762

jodi@redcloveradvisors.com

OneTrust Media Contact: 

Gabrielle Ferree

Public Relations

+1 770-294-4668

Media@OneTrust.com


Photo by Kristina Flour on Unsplash

Are you someone willing to take the easy way out?

What if you knew you could get away with it?

Just a few shortcuts and you’re the envy of your fellow entrepreneurs. A few things that aren’t quite playing by the rules, but no one has to know that. For now, anyway.

If you want to be more than a one-hit wonder, you already know what to do. Just because you can, doesn’t mean you should. 

I know, privacy came in and messed up the marketing campaign you so meticulously designed. That list you worked so hard to build? Whether it was 50 or 50,000 deep, each and every one of those people had to opt in again before you could contact them. 

Ouch. 

You grumble about the hassle of it, but we both know that isn’t really the problem.

It’s how vulnerable we are when we have to ask that question. 
Again.

Yes means we’ve done well and held our subscriber’s interest. We’ve sent engaging material and offered more value than we’ve asked for sales.  

No? Not the end of the world, but a reminder to do better.

This is your chance to do it and stop praying for a shortcut. Don’t tell me that’s all you’ve got.  

The new privacy laws meant rethinking all of our campaign strategies. We had to pull back and re-evaluate how to maintain our reach and consider new ways to grow it. And while you might hate me for saying it, this is actually a good thing.

Emailing people who don’t want to hear from you is a waste of money. If you lost half your list, consider it a chance to invest in a more compelling campaign, language that will engage your subscribers and encourage new ones. Getting kicked out of your comfort zone is going to be the best thing that’s ever happened to you. 

It means you’ll finally stop doing the same old song and dance everyone is doing.

How many times have you cringed at yet another email from someone whose list you never remember signing up for? How frustrated were you when, after scanning the email, there was no obvious way to unsubscribe?  

We want to be treated like more than a piece of data and so do our customers. This all-too-familiar scenario is a lose-lose for both parties. Trust me, you don’t want to be that guy.  

Ad tracking helps us learn about what our customers are interested in, but it is the equivalent of online stalking. I owe it to you to at least let you know that every step you take, every move you make, I’ll be watching you (couldn’t resist that Police song reference!). 

And if I don’t? The real life equivalent would look something like this:

  1. I follow you from your house to your job taking note of everything you do along the way.
  2. I peer in through the window while you work to watch what you look up on your laptop and phone. Devious cackle optional.
  3. I hang out at the coffeeshop across the street that you go to on your lunch break so I can pretend to run into you and take note of what you eat and drink so when I do it tomorrow it looks like a coincidence that we like the same things.
  4. I show up at the gym you hit after work and write down what brand of trainers you’ve got on, what kind of bottled water you drink, and what you’re listening to on your headphones.
  5. When you get home, you open your mailbox to find ploys to buy things exactly like everything you ate, drank, watched, listened to, or wore throughout the day in language similar to how you speak.

How awesome is that? 

Rather than turn your nose up at privacy, you have the chance to see the value in boundaries, rise to the challenge and let it make you more innovative. Build trust with each customer that continues to grow with your business. 

“Are you someone I can trust?” is the question every potential customer has as they scroll through your website. 

It’s time you make sure your yes is loud enough they can hear it. 

Check out Jodi Daniels’ article in AdExchanger on what marketers should consider when selecting a CDP.


If you haven’t begun to consider privacy beyond the GDPR checkbox, take ten minutes to read this before you smugly announce you’ve “done that already”. These five reasons could not only save you the hassle of being oh-so-very-wrong, when treasured like a secret weapon they will become your competitive advantage.
 
Navigating privacy can be daunting, but the bottom line is this: if you let the ball drop, you have more than just vague fines to worry about. All the companies taking this seriously already recognize it’s a bargaining chip and have no problem flaunting it.
 
Clients naturally find this irresistible. They like knowing they’re worth more than the data they provide and that you wouldn’t dream of putting their sensitive information at risk.
 
And if you prove them wrong? One of your competitors will snap them up before you can find another word for sorry.
 
Welcome to a new age of doing business.
 
 
Privacy is part of our DNA. 
 
Forget the business stuff for just a second and think about it. Privacy is a basic human right we feel entitled to. If you share sensitive personal information about yourself and believe it will stay between us, and I then share this with your neighbors, the elderly couple on the bus, and anyone who offers me a few coins for it, I bet you’d be pretty angry. In fact, you’d probably regret trusting me in the first place, and be reluctant to do so again.
 
The very same thing holds true for how you handle the information your customers share with you to engage with your products. Think they won’t find out? Eventually someone will gossip or drop a glove where they shouldn’t. Do yourself a favor early on and bank on something you naturally feel good about.
 
Do more than the bare minimum. 
 
When in life is this not the case?
 
Being ahead of the ever evolving privacy laws and the minimum standard requirements is always going to be sweeter than being behind. It means being seen as a thought leader and an innovator in your field. It means the chance to corner the market in your niche because you’re being proactive.
 
And being behind? Shifty eyes. Excuses. Lost opportunities. Maybe even jail time, depending on how crooked your path becomes.
 
Looking to get ahead but don’t know where to begin? I’m glad you’re here. Keep reading or bookmark this for later when you’ve got more time to spare. You’ve got this.
 
Just because you can, doesn’t mean you should. 
 
Can you still get away with it? Maybe. But if your customer expects xyz and you give them x followed by p and q just because it makes your life easier, they’re going to start raising eyebrows. Wouldn’t you?
 
Rather than trying to sneak something by, take time to brainstorm another way to get it done. This is where brilliant deviations are born. These are the kind of ideas that will set you apart and become practices you’re proud to share with your clients and your following, rather than praying they never pay enough attention to see how well you’ve really got it together.
 
Make it a core value of your brand.
 
Think about what kind of data you’ll be collecting and who you’re targeting. That’s not so hard, right? Now take this information and put it into a Privacy Impact Assessment which will ensure that you’ve got all your i’s dotted and t’s crossed.
 
If you work privacy into the foundation of what you’re offering, when you have something new to launch, you’ll have all the pieces in place to be able to do so right away. And if you don’t? Think mad dash to bring your marketing, privacy policy, and staff training in line at the last minute, and delays which could give your competitor time to take the lead.
  
Be Transparent. 
 
Once you clean up any messes going on behind the scenes, give your copy a makeover as well to reflect the changes you’ve made. Don’t hide behind vague words like the shy kid who doesn’t want to be called on in class. You aren’t that kid anymore. You’ve got something to say and a reason to be loud about it.
 
Be bold. Raise your hand. Use a larger font. Your clients are going to love the chance to get to know you better, especially when it shows just how much you value them and what you’ve gone through to prove it.
 
Wondering how solid your privacy program really is? Need some solid tips to figure out how to create one?
Get yourself a complimentary evaluation. It’s privacy’s equivalent of several deep breaths. No matter where you’re at, it’s not as hard as you think it is to get to where you need to be. We’ll do it together.


California Consumer Privacy Act (CCPA) is top of mind for so many companies small to enterprise. We’re still in the early stages of getting ready for CCPA and I was fortunate to be featured on the National Technology Security Coalition (NTSC) blog.

Curious what you should do now to get on your CCPA journey? Check out the original blog post here!

In 2018, the General Data Protection Regulation (GDPR) in Europe became one of cybersecurity’s hottest buzzwords and made top headlines everywhere. If you are ready for a new privacy buzzword in 2019, the California Consumer Privacy Act (CCPA) will be your topic du jour. Passed in June 2018 with an effective date of January 1, 2020, the CCPA is the most comprehensive general data privacy bill of its kind to pass in the United States at a state level. CCPA increases the transparency of the collection and selling of physical and digital data. Under CCPA, California residents will now have more choices and control over what happens to their personal information that companies collect.

While the California State Legislature may amend CCPA prior to its effective date, steps exist that companies should take now to comply and prepare for January 2020. In this article, we’ll lay out the CCPA fundamentals and a 10-step plan companies should follow.

CCPA Fundamentals

Unlike GDPR, CCPA contains minimum thresholds businesses need to meet for the law to apply. CCPA covers for-profit organizations doing business in California that collect consumers’ personal information and that meet one of the following criteria annually:

1. Exceed $25 million in gross revenue.

2. Buy or receive the personal information of 50,000 or more consumers, devices, or households (such as website traffic).

3. Derive 50% or more of their annual revenue from selling consumers’ personal information.

Fines

Companies can be assessed civil penalties of up to $2,500 per violation, or up to $7,500 for intentional violations. An often overlooked section of CCPA is that statutory damages can consist of the actual damages or fall between $100 and $750 per California resident per incident, whichever is greater in the event of a data breach where the “nonencrypted or nonredacted first name or initial with last name plus other data such as an account number is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the company failing to implement reasonable security measures.”

Coverage and Personal Information

CCPA covers consumers and, as currently written, also includes employees. Like GDPR, CCPA expands the common definition of personal information used in state data breach statutes. CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Examples of personal information (CCPA excludes deidentified or aggregate consumer information) include the following:

  • Geolocation data and inferences extracted from data: Using someone’s precise location data without permission expressly granted or using an IP address to track users.
  • Unique personal identifiers such as cookie numbers or a company devised number.
  • Browser or search history.
  • Biometric data such as fingerprints or an eye retina scan.
  • Professional or employment-related Information such as salary, title, or certifications.
  • Psychometric data such as information gathered from aptitude or personality tests.
  • Audio and visual data such as data from audio or video files.
  • IP addresses: If an IP can identify a household, it may be considered personal data.

A few central themes emerge with CCPA including providing notice to customers about data processing, honoring individual rights, and ensuring companies take data protection seriously. Below, we will break out these main focal areas and explain what it means for companies:

  • Privacy Notices: Companies will need to update privacy notices to specifically state what data is collected, categorize the data collected, explain the purpose for the data’s use, identify third parties with which that data is shared, and communicate the rights available to an individual.
  • Individual Rights: One big difference between GDPR and CCPA is that CCPA gives consumers the specific option to opt out of their data being sold. If a consumer opts out, companies cannot penalize or discriminate against them by charging a higher price or servicing them differently unless a company can prove that the difference in charging a certain price or offering a specific service is reasonably related to the value provided by the data sold. For example, if the service offered to the customer is $10 and the customer opts out of the sale of their data, the company cannot charge $20 unless the customer receives $10 of additional value. This piece of the regulation is one of the areas where privacy professionals and businesses are asking for more clarity from the California Attorney General during their current open comment sessions.
  • Consent, Children, and Sale of Data: Companies that collect data and sell it to third parties, and especially those that sell children’s data, will have to make specific changes. If data on children is collected and sold, additional requirements exist. Data collected on children under the age of 13 requires opt in with parental consent. Data collected on children between 13-16 requires opt in consent from that child. A company must also include a link on the homepage (or another option such as a toll-free phone number) where a user can opt out of the sale of data. Once received, companies must manage the opt out request within 45 days. Companies will need to create a process that addresses removing this individual for purposes of data sales from its databases, spreadsheets, and any associated third parties.
  • Security: The CCPA also requires businesses to maintain reasonable security procedures. As noted above in the fines section, civil damages and a private right of action can occur in the event of a data breach if the company is found to have not employed reasonable security measures.

Next Steps for Companies to Comply with CCPA

To get started on your CCPA compliance journey, follow these 10 steps as a guide.

1. Start now to plan a CCPA compliance strategy.

The CCPA will take effect in 11 months. Remember the massive panic in companies scrambling last April and May to get ready for GDPR? Don’t wait until the end of the year when the busy holiday season means employees are focused on wrapping up year-end activities. Create a plan now that considers company meetings, holidays, and big initiatives.

2. Identify a lead sponsor and cross-functional team.

Complying with CCPA will require input initially and on an ongoing basis with departments such as marketing, product, IT, HR, finance, customer support, security, privacy, and legal.

3. Determine needed resources.

Begin to determine what resources (such as software tools, attorneys, and consultants) will be required to help with compliance.

4. Start the data mapping process.

Understand what data you collect that qualifies as personal information, where it is located (including with any third parties), and for what purpose it is used. For any company that did a data inventory to comply with GDPR, companies need to ensure those processes reflect the United States processing activities and see if any changes are needed. The data mapping exercise is really important, especially to determine if data collected from children is currently sold. If so, obtaining the appropriate consents will be required and can take time.

5. Understand how to handle individual rights requests.

To effectively honor individual rights requests, businesses will have to know where the data resides and create a strong process to funnel the request through various departments. Much like incident response plans are tested, individual rights plans will also need to be simulated. Determine what the company will do if a request comes in from someone who is not a California resident. Will the company honor all requests only if the individual is a California resident? If so, what will the response to that individual say? Many companies are finding that it will be operationally easier to apply the CCPA as a denominator and honor all individual requests in compliance with CCPA. If a company created individual rights processes for GDPR, they will need updating to reflect the ability to opt out of the sale of information. It is highly encouraged that companies test these processes just like practicing an incident response plan.

6. Draft privacy notices.

A privacy notice tells the company’s story about what data is collected, how it is used, who it is shared with, and what choices an individual has about their data such as the right to access or delete personal data. An accurate privacy notice can be completed only after performing the data inventory work. Specifically, CCPA requires a privacy notice be provided at or before the point of collection that informs consumers as to:

  • “The categories of personal information it has collected about that consumer.”
  • “The categories of sources from which the personal information is collected.”
  • “The business or commercial purpose for collecting or selling personal information.”
  • “The categories of third parties with whom the business shares personal information.”
  • “The specific pieces of personal information it has collected about that consumer.”

In the privacy notice, the company needs to list all individual rights available to the consumer and the steps they can take to request these rights. If the company sells data, the company will need to update its website by including a “Do Not Sell” link on the homepage and include in its privacy notice all the methods available to an individual to opt out of the sale of data.

It is important to remember that if a business collects data for one purpose, it is prohibited from using the data in a manner not disclosed by that purpose. Businesses may need to make other disclosures that the privacy and legal teams will need to consider based on the business’s data processing activities.

7. Strengthen security measures.

CCPA requires “reasonable” security measures. Teams need to perform a comprehensive review of their security program and determine what changes are needed appropriate to the type of data collected and stored. Updates could include additional proactive monitoring software, hardware, headcount, encrypting or redacting of data, or even personnel changes.

Security teams will need to understand the full lifecycle of a data record, which may include service providers or third parties such as SaaS tools where data is entered and stored. Performing a thorough privacy and security assessment for each service provider will help mitigate any mishandling of personal data.

Companies also need to review data breach plans to identify necessary changes. It’s critical that companies practice their data breach response plan. A data breach simulation brings together all the key decision makers in the event of a data breach and ensures that the plan works. Pilots practice in flight simulators. Schools and workplaces practice fire drills. Similarly, companies need to practice responding to incidents such as a data breach to help identify missing components during a scenario when no pressure exists.

8. Review training programs.

Review existing training programs and determine if there are any needed enhancements. As employees often move between roles, it will be imperative to train employees and create an accurate standard operating procedure (updated as the business process changes) for honoring individual rights. This is a great opportunity to extend annual training modules to also include quarterly security and privacy reminders.

9. Create or update privacy programs.

Create or update the company’s privacy program so data inventories, the privacy notice, and any process changes affecting the ability to honor individual rights always accurately reflect the business’s activities.

10. Prepare for future privacy laws and regulations.

Get ready for the next privacy regulation such as the State of New York evaluating a law similar to CCPA, a federal privacy law such as the American Data Dissemination Act introduced in January 2019 by Sen. Marco Rubio (R-FL), the Data Care Act introduced by more than 15 Senators in December 2018, model legislation introduced by Intel in November 2018, and Brazil’s General Personal Data Protection Act (Lei Geral de Proteção de Dados or LGPD) taking effect in August 2020.

As you can see, more privacy regulation is on the way beyond the CCPA. Getting started now to understand how you collect, use, and share data, identify policy gaps, and create sustainable processes will make compliance less cumbersome and provide you an opportunity to create stronger privacy and security programs.

If you have a thought on what you want to hear about privacy, reach out to jodi@redcloveradvisors.com. Jodi Daniels is Founder of Red Clover Advisors, a data privacy consultancy that assists companies with GDPR compliance, operationalizing privacy, digital governance and online data strategy. www.redcloveradvisors.com or Jodi@redcloveradvisors.com

I had the privilege of writing a piece for ITSP Magazine on Privacy Day 2019 and what companies should be doing the other 364 days it isn’t Privacy Day. Check it out here!


The California Consumer Privacy Act of 2018 is the most comprehensive general data privacy bill of its kind to pass in the United States at a state level. Its purpose is to increase transparency when it comes to the physical and digital data collected and sold.

Under CCPA, customers will now have more choices and control over what happens to their personal information and increased security in their online engagement.

Wondering if CCPA will affect your business? Let’s take a look.

CCPA covers for-profit companies doing business in California that collect consumers’ personal information and meet one of the following criteria:

1. exceed $25 million in gross revenue;
2. buy or receive the personal information of 50,000 or more consumers, devices or households (such as website traffic);
3. or derive 50% or more of their annual revenue from selling consumers’ personal information.

Under CCPA, personal information includes, but is not limited to:

  1. Geolocation Data and Inferences Extracted from Data – Using someone’s precise location data without permission expressly granted or using the IP address to track users
  2. Unique Personal Identifiers (e.g., cookie numbers or company devised number)
  3. Browser or Search History (e.g., recipes, local doctors)
  4. Biometric Data – (e.g., fingerprints or eye retina scan)
  5. Professional or Employment-related Information – (e.g., salary, title, certifications)
  6. Psychometric Data – (e.g., info gathered from aptitude tests or personality test)
  7. Audio + Visual Data – (e.g., data from audio or video files)
  8. IP addresses – If an IP can identify a household it may be considered personal data

CCPA will require businesses to notify consumers about the type of data they collect, both in privacy policies and in response to specific requests. Consumers will be given a clear choice to opt out of their data being sold—and if they do, companies cannot discriminate against them by charging a higher price or servicing them differently, unless they can prove the difference is reasonably related to the value provided by the data.

To understand this better, consider a company that sells you a service for $10/month and also sells the data you provided to sign up for this service just because it fancies earning a little extra money. The value in the service to you, the customer, is still $10. If you decide to opt out of this, the company cannot turn around and charge you $50/month now to cover their loss from the data unless they provide $40 worth of extra value.

A company can, however, still offer financial incentives to consumers to make use of their personal data more enticing to them, such as $10 off the first month, or a complimentary add-on service for a limited time.

“So what does this mean and how will it affect my business?”

This means that your IT team will need to know where a customer’s data is being held at all times now so it can be removed if someone requests it. This may require you to reconfigure your existing systems and processes. For all new data collected, I recommend building this into the design of the system from the beginning.

Your Marketing department will also need to know exactly what data you collect, how it is used and where it is shared so this is accurately reflected in your privacy notice. As your business grows, you will need to revisit this periodically to make sure these changes are reflected here as well.

For more information on CCPA and how to make it your competitive advantage, check out 5 Reasons CCPA Should Already Be On Your To-Do List.

Wondering how solid your privacy program really is? Or could it be, if you’re honest, you’re not sure you have one at all? Schedule your complimentary evaluation today and wherever you’re at, we’ll get you where you need to be.

Making sure your brand is one your customers can trust is the most important investment you can make in your business. It will make the difference between customers that come and go and customers who have no reason to look elsewhere.

Which would you prefer?


Much like with GDPR, CCPA may not be among the aspects you’re most eager to dive into when it comes to your business. Getting ahead of the game, however, will not only save you the unnecessary stress, and higher price points, that come with scraping it together at the last minute, it can also easily become your competitive advantage if you start early.

If your business collects personal data on California residents, there are some adjustments you may need to make in how this is done. This article will walk you through a few reasons why it’s better to start planning for it now.

1. You’ll know now what data you collect, where you store it, how you use it, and where you share it.

Under CCPA, you’ll need to create a privacy notice for your business and you won’t be able to do this if you don’t know what data you are collecting and where you’re storing it. This is also an important part of managing your obligations under individual rights.

Consumers will now have the ability to bring what’s called a right of action against a company if the company allegedly fails to “implement and maintain reasonable security procedures and practices” and it results in a data breach. In some instances, a user might even be able to sue the company.

Performing a data inventory will help you decide what you no longer need and get rid of it. Repetitive operations that are costing you money that could be better used elsewhere? Gone. Likewise, you may discover data you didn’t even realize you had, and be inspired by it in ways you never could have imagined. Think privacy and innovation aren’t inextricably connected? Think again.

The value of data should not be underestimated—and you cannot comply with the laws or use it to your advantage in your business without understanding yours.

2. You’ll know what changes you need to make if you sell data.

In order to keep selling data in California under CCPA, you’ll need to put a button or link on your site in an obvious place titled “Do Not Sell My Personal Information” so visitors are able to opt out of the sale of their data. Once this is in place and someone enters their information, you’ll also need to know exactly what happens to it next to make sure it stays separate from the data of those who don’t opt out. The sale of data will need to be built on an individual level now, or you’ll need to adjust your current process so it functions under these new parameters.

The bottom line is you won’t know what you need to change until you have all the information in front of you to analyze. Even if you decide, in the end, the cost isn’t worth it to keep selling data, there is still work you’ll need to do in order to close the process down before the law goes into effect.

3. You’ll have plenty of time to educate your workforce, which is essential to compliance.

Privacy needs to be an integral part of how you project and operate your entire business, if it wasn’t already.

Your product and marketing personnel, and anyone else who handles data, need to know what the privacy notice says, and know how this actually applies within your day-to-day operations. Everyone is a steward of data—and you won’t be able to manage any of the individual rights properly if your staff is conflicted on how that even works.

Without the same basic understanding of the privacy changes, regardless of position, you run the risk of someone making an uninformed decision that could lead to a costly breach.

4. You can announce compliance ahead of your competitors.

Privacy is a differentiator. Many well-known and highly respected brands have created pages on their websites announcing how they’re handling and managing privacy before anyone has to ask. Apple is a notable example. They went above and beyond what was required to be compliant and created a separate page dedicated to explaining how they thought through privacy and specifically worked it into their hardware and software in the design phase.

If you’re forward thinking and openly address potential concerns with your customers before they arise, you will stand out from all your competitors who can’t be bothered.

Customers will appreciate your transparency. A bolder approach that shows people you value them more than the data they give you. Wouldn’t you prefer to handle privacy in the same way as some of the world’s most trusted brands?

5. You can begin budgeting for it now.

Understanding exactly what you need to do now will give you time to gather the funds you need to make the necessary changes. The last thing you want to do is be figuring this out right before the deadline, which is next year’s holiday season.

A few questions you may want to consider to determine your budget:

1. Who do I need to help me figure this out?
2. How much time do I need internally?
3. Do I need to adjust internal resources?
4. Which software do I need? How much time will I need to consider my options so I pick the right one and don’t make any rash decisions?
5. How many people do I need to train on this?


Not-so-fun fact: 61% of security breach victims are small to medium-sized businesses, according to Ponemon Institute’s 2017 State of Cybersecurity for Small and Medium Businesses.

Not what you expected, right?

Many people think that cyber criminals only set their sights on the major players and wouldn’t waste their time with a little guy like them.

I invite you to think about this a little deeper for a moment.

That’s like saying petty thieves only break into lavish mansions, often guarded by a pack of hounds and a wrought iron fence, rather than trying their luck with a more accessible average apartment window. With cyber security breaches on the rise, we all have to step up and make sure to keep what we’ve built safe.

Below is a list of what I recommend to all of my clients—from solopreneurs to multi-million dollar corporations—to make sure they’re protected no matter what.

1. Install antivirus and anti-malware programs on all devices.

  • Avast Endpoint Protection Suite Plus (This is what Red Clover Advisors uses)
  • Bitdefender for Business
  • Cyberghost VPN
  • Kaspersky Small Office Security for Business
  • Avira Antivirus for Small Business

2. Be able to detect phishing schemes—and make sure anyone who works with your data can as well. Do not open attachments, click on links, download programs, or provide personal information of any kind if something feels off about the website.
You can read more about how to detect a phishing email here.

3. Secure your mobile devices. Use tracking software or apps to locate and wipe a lost device, if need be.

  • Miradore Online
  • SureMDM
  • Apple Business Manager (for Apple users)

4. Password-protect all wireless networks, even if you are in a private area. You can also opt to hide the network name for additional security. If you’re prone to working in a cafe, or on any unsecured public network, be mindful not to conduct any transactions that require sensitive information, such as credit card numbers, confidential client data, personal health information, or the like.

5. Be sure to back up all your data to reputable cloud companies and external hard drives when appropriate.

  • Red Clover Advisors Cloud Tip: The more places you have your data stored, the more susceptible your data is to a data breach, so don’t go overboard. If you do use multiple cloud storage providers, be aware that you’ll need to know how to easily access each of them to honor individual rights requests under GDPR or the impending CCPA (California Consumer Privacy Act, effective January 2020).
  • Dropbox
  • Box
  • Amazon
  • Google

6. Maintain updates on all software and ensure your website is secured with https to keep your data safe from hackers and let your customers know what they share is protected. You can learn all about why https is an absolute must for all credible online businesses here.

7. Create strong passwords and use several different ones across all your sites. Strong passwords contain symbols, upper and lower case letters, and numbers. Password generators are a good option to help you do this. I highly recommend using LastPass to make it easy to manage all your passwords once you’ve created them.

8. Use Two Factor Authentication (2FA) whenever possible. 2FA is an extra security layer that requires you to enter a one-time passcode to access the account each time you log in. You can enable this for Google, LinkedIn, Facebook, financial accounts, and many others.

9. Encrypt your laptop and ensure that your email is encrypted as well. You can learn more about how to encrypt your laptop here.

10. Secure your router so that hackers can’t access it, even if they try. Your router and ISP should provide detailed instructions on how to make sure your connection is secure.

** Red Clover Advisors Bonus Tip: Invest in a VPN.

VPNs, or Virtual Private Networks, are an added layer of protection that guarantee you an encrypted connection no matter where you are. I recommend these to all my clients, especially if you find yourself traveling often for work, or working from public Wi-Fi connections. Even if you’re not traveling much, a VPN at home is still useful to ensure your private browsing experience stays that way. You can learn more about all the awesome things a VPN can do for you here. Check out this useful article on why you need a VPN at home.

A few VPNs I recommend:

  • Cisco’s Quick VPN
  • VyprVPN
  • NordVPN

On June 28, 2018, California adopted what is considered the strictest general privacy and data security law in the country, the “California Consumer Privacy Act” (CCPA), also known as AB 375. The Act becomes effective on January 1, 2020. There are likely to be changes to the final version prior to actual implementation.

In several sections, CCPA resembles the General Data Protection Regulation (GDPR), which began enforcement on May 25, 2018. Some are calling it a “mini-GDPR.”

The California Consumer Privacy Act of 2018 is the most comprehensive general data privacy bill of its kind to pass in the United States. The bill focuses significantly on data that is sold and also highlights the increasing amounts of data that are collected and used in the digital economy. The bill covers all data, not just digital data.

CCPA requires businesses to notify consumers about the type of data they collect, both in privacy policies and in response to specific requests. Consumers can opt out of their data being sold. CCPA provides a limited private right of action for violations and statutory damages, including for data breaches resulting from lack of reasonable security.

CCPA covers for-profit companies doing business in California that collect consumers’ personal information and meet one of the following criteria:
1. exceed $25 million in gross revenue;
2. buy, receive, sell, or share the personal information of 50,000 or more consumers, devices or households; or
3. derive 50% or more of their annual revenue from selling consumers’ personal information.

Some of CCPA’s highlights include:

Definition of Personal Data: The definition of Personal Information is expanded and broadly defined. Personal information includes, but is not limited to, geolocation data and inferences extracted from data, unique personal identifiers, browsing and search history, biometric data, professional or employment related information, psychometric data, audio, visual data, and IP addresses.

Access and Individual Rights: It grants consumers a right to know the categories and specific pieces of personal information that a business has within the past year collected, sold to a third party, or disclosed to another person for a business process. These requests must be honored within 45 days with possible extensions.

As under GDPR, consumers will have the right to request that businesses delete personal information. Consumers will also have the right to request that their personal data be ported so they can take it elsewhere.

Unlike the GDPR, recordkeeping is not explicitly specified. However, to meet many of CCPA’s requirements, a business will need to document its data processing activities.

Children: Under CCPA, businesses cannot sell the personal information of children under 16 years old unless the child affirmatively authorized such sharing of data via an “opt-in.”

Privacy Notices: Businesses will be required to make various disclosures in their privacy policies, including a consumer’s individual rights per CCPA and how a request can be made; the categories of personal information collected, sold or disclosed to third parties in the preceding 12 months; or a disclosure that data is not sold.

Selling Information: If a business plans to sell personal information, there must be a link titled “Do Not Sell My Personal Information” clearly labeled in the privacy notice that allows consumers to opt out of the sale of their personal information. Consumers should not need to have an account to opt out of the sale of their personal data.

For consumers who request their data not be sold, companies cannot discriminate against them by charging them a different price or servicing them differently unless the difference is reasonably related to the value provided by the data. Offering consumers financial incentives for the collection of their personal data is allowed.

Financial Damages: CCPA provides a limited private right of action for plaintiffs in the event of a data breach. First, before receiving those damages, a consumer would have to provide a business with written notice and a 30-day “right to cure” any alleged violation for statutory damages (but not actual damages). Second, the consumer must notify the Attorney General within 30 days that an action has been filed, after which the Attorney General would have 30 days to review the request.

Once both conditions have been met, a consumer may then seek to recover damages of a minimum of $100 and a maximum of $750 per incident (or actual damages, whichever is greater), plus injunctive, declaratory, or other relief. If the company is found to have intentionally violated the CCPA, the business may be liable for up to $7,500 per violation.

How Businesses Can Prepare Now
1. Conduct a privacy assessment and document data processing activities for the data collected, used, disclosed and/or sold.
2. Identify all the impacted stakeholders including marketing (this will impact the ad-tech activity), IT, business development, product development.
3. Review whether you need to make any technological changes to comply with the law.
4. Determine if a process should be updated or created to address California access requests such as an online portal or the opt-out webpages.
5. Discuss how any third-party agreements will need to be updated.