Brexit, personal data, and the GDPR.

Everyone’s talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).

There’s talk of economics and trade agreements, but data privacy isn’t exactly on the tip of everyone’s tongues. However, there are real issues regarding data privacy and Brexit to consider.

The General Data Protection Regulation (GDPR) is the EU’s main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”

According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

So if the UK is no longer a part of the EU, how will its citizens’ data be protected?

Basically, this is what will happen:

  • The transfer of personal data from organizations within the EU to organizations in the UK will be subject to strict data transfer rules, as outlined by the GDPR. It will be the responsibility of companies in the EU to ensure that data transferred to businesses in the UK is transferred lawfully.
  • The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU’s GDPR.
  • If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status. 
  • It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there’s no provision for data privacy when Brexit becomes official.

How does this affect businesses in the UK?

If a company is already GDPR-compliant, not much will change, especially if that company doesn’t conduct business outside the UK. However, if your business has data that flows between the UK and EU, you’ll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.

The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate. 

The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they’re not already. This step will prevent any interruption in the flow of data in and out of that business. 

Does Brexit affect U.S. companies?

In short, yes. Brexit does affect companies based in the United States.

Brexit has implications on the US-EU Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.

The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States. 

The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.

Top Three Brexit Tips 

  1. Review your data inventories to understand cross-border transfers and how they affect your company.
  2. Determine if your vendors are prepared for Brexit. If they aren’t, develop steps to appropriately manage the situation.
  3. Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.

If you’re still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary consultation. 

Schedule a free consult!

There’s a lot of uncertainty in the world right now. 

A global pandemic, major lifestyle changes, and increased isolation have turned our business worlds upside down. One thing remains certain, though. Red Clover Advisors is committed to providing trusted and practical privacy consulting services to our business community. 

By taking careful precautions and acting with sober judgement when it comes to remote work, we believe that together, our businesses can grow stronger and more resilient during this time.

Remote Work Best Practices

Security and privacy must be top of mind for remote work.

While the world is on lockdown, we get to connect more than ever online through the modern miracle of remote work. This presents a plethora of opportunities for your team to grow while getting creative about new ways to conduct business.

However, there are also a lot of new ways privacy and security risks can creep in and put your company in danger. 

As always, our team is prepared to help. 

In particular, we want to outline some of the privacy and security areas related to remote work that may affect your business. There are specific legal and practical steps you should be taking to keep your customers, your employees, and your business safe when it comes to remote work. 

Virtual Meetings

Conference calls and web meetings – aka virtual meetings – are at the center of making remote work successful. You’ll need to connect with colleagues and clients in order to move projects forward. 

There are major implications for virtual meetings, though. 

Just think about the situations when one meeting runs over, and the callers who dial in for the next meeting – on the same conference line – unwittingly overhear proprietary, client-specific, or competitor information. That’s a big no-no.

Virtual meetings must be set up correctly and procedures followed to a tee to avoid these unwanted privacy blunders from happening. Follow this checklist to make sure you’re doing it properly:

  1. Have a separate code for each virtual meeting you set up. 
  2. Schedule meetings to end at the 25-, 40- or 55-minute mark. The extra five minutes will give users time to log off before new users log on.
  3. Set a timer to make sure you don’t run over meeting times.

Although virtual meetings tend to be quicker than in-person versions, you should still take extra precautions to make sure they end on time for the sake of protecting sensitive information. This ensures your remote work will increase collaboration without causing an embarrassing or costly security or privacy incident.

Remote Work Connections

VPNs and intranets are essential for successful remote work. When they’re set up correctly, it makes a security issue far less likely.

If your company doesn’t have a process for setting up a secure VPN, now is the time to create one. It should be reviewed by executives and technical experts on your team. And everyone in your company should be trained about how to use it.

Other tips for keeping connections and data secure include:

  • Best practice dictates not allowing employees to use their personal devices for work activities. If they do, it’s critical they follow all the following steps.
  • Don’t allow employees to use public WiFi without a VPN.
  • Install the software, firewalls, and connection security controls required by your industry on employees’ work devices.
  • Consider adding two-factor authentication to employees’ work devices and any tools from which they access work content. Google Authenticator, PingID and Authy all work with hundreds of apps commonly used to protect data.
  • Make sure employees are aware of who can see their screens when working offsite. Screens shouldn’t be visible to others, especially when entering passwords.

One of the silver linings to the remote work cloud is the companies stepping up to provide free security resources to help organizations better protect their networks during this time.

Disinformation and Deepfakes

Even if your business is internally secure while pursuing remote work, outside threats are taking advantage of the situation. Fake news and deepfakes are at the center of this threat.

A deepfake is Photoshopping for video. Using a form of artificial intelligence (AI) called deep learning, creators make videos of fake events, often superimposing faces on bodies. They’re common and convincing. 

Fake news and deepfakes can be weaponized to harm brands and undermine trust in companies and industries. It’s a possibility your company could be targeted by this disinformation while working remotely. It’s important you understand legal actions that can be taken against the perpetrators, as well as how to prepare and react to exposure of this kind.

Preparation is Your Ally

While businesses aren’t defenseless in this new remote work environment, protecting customers and individuals will require forward thinking, preparation, and diligence. Red Clover Advisors is here to help you navigate these issues and other topics as they arise. 

We’ve created The Remote Work Best Practices Guide to give you a detailed rundown of privacy and cybersecurity challenges to watch out for.

It’s a practical checklist you can implement with your remote work team today.

Please reach out if we can help explain any of these concepts or help you work through them. During this unprecedented time, we are thinking of you, your families, and your teams. We’re all in this together, and our team is prepared to provide assistance in all the ways we can.

COVID-19 remote work policy

COVID-19 is rapidly increasing the number of remote employees around the world.

For companies that already have a remote workforce, it’s just another day out of the office. But for a lot of businesses, this is new territory.

It’s hard enough to keep data secure when your employees are all in one place. Here are some tips and best practices to consider as you navigate the ever-changing situation regarding COVID-19.

Data Security and Remote Working Tips

#1: Talk to your employees.

Before you deploy your workforce to work remotely, hold a training. If they’re already at home working, host a digital training session.

Train your employees about cyber security. Be sure they know how to recognize hacking and phishing attempts that can put your company’s data at risk. Use this time to remind your team of best practices.

This includes:

  • Don’t use public WiFi without using a VPN. Check out our top 10 security tips for SMBs.
  • Pay attention to who’s around when working offsite. Be sure others can’t see your screen or watch you enter a password.
  • Don’t use personal devices for work.

#2: Maintain a team atmosphere.

While your team is working remotely, bring them together via a digital platform to give them timely updates and reminders. This will help keep data security top of mind and energy focused on work.

#3: Address software concerns.

Be sure your employees’ devices are as secure as possible with the software, firewalls, and connection security controls required by your industry. You may also want to consider two-factor authentication for employee devices.

#4: Enable remote connections.

If your team can connect directly to the business network, there are fewer opportunities for a data security breach. Be sure your company has a process for this and your team knows how to use it. Tools like VPNs and intranets are helpful.

#5: Have a shut-down process.

You need to have a policy in place for when an employee thinks or knows his or her account has been compromised. Ensuring your team knows this protocol will allow them to act swiftly and limit data privacy and security concerns.

COVID-19: Reminding Us Why We Need a Business Continuity Plan

Another item to consider in the wake of COVID-19 is your Business Continuity Plan.

It’s one of those things people often don’t think about until it’s too late. If you aren’t familiar with the term, a Business Continuity Plan is a process that helps you create a system of prevention and recovery from potential threats to a company.

The plan ensures personnel and assets are protected and able to function quickly in the event of a disaster – in this case, COVID-19.

If you don’t have one in place, here’s a simple roadmap to get started and help prevent major downtime for your organization:

  1. Identify the scope of the plan.
  2. Identify key business areas to address in the plan.
  3. Identify critical functions of your company and team members.
  4. Determine the acceptable amount of downtime for each critical function.
  5. Identify crossover between business areas and functions.
  6. Create a plan to maintain operations.

While a strategic version of a Business Continuity Plan may be a long-term project for your company, now is as good a time as any to get started.

To save time, assign one piece of the plan to a few leadership team members and then come together to ensure it’s cohesive. It’s also important to train employees on their various roles and timelines should this plan need to be implemented.

If you don’t have a Business Continuity Plan, it can be difficult and, in some cases, nearly impossible to get your team and systems mobilized in the midst of a crisis. This can damage your reputation in the marketplace and cost you real money while trying to regain operations.

Additionally, the law requires nearly all businesses to have this sort of plan for emergencies. So if you don’t have one, you’re in violation of the law. And if you’re audited, you’ll be fined.

We all need a little push sometimes to take the time to do things we know need to happen but haven’t yet made a priority. Why not use this as your reason to create official policies and procedures regarding remote working and data security, as well as Business Continuity Planning?

As we all continue to navigate the balance between normalcy and safety during this pandemic, remember to keep data privacy top of mind for yourself and your employees.

If you want to talk about how remote working could impact your business’s functionality when it comes to data privacy, or if it’s time to dust off – or create – your Business Continuity Plan, contact Red Clover Advisors today.

Complete 2020 Privacy Compliance Checklist

Privacy compliance is no piece of cake.

In 2019 alone, the business world saw a shakeup brought on by a slew of new state laws and year one of the General Data Protection Regulation (GDPR) implementation.

And the companies that came out on top had a few things in common: transparent messaging to consumers, a privacy-centric re-brand, and tricked out privacy policies that used eye-catching marketing tactics. 

We know what it took to win at privacy in 2019. But what will privacy best practices look like in 2020 and how can brands – both big and small – get it right?

To answer that question, we’ve created an authoritative guide on what to expect in the year to come and a complete 2020 privacy compliance checklist to keep you on track.


The 411 on the CCPA.

What did U.S. companies learn from their General Data Protection Regulation (GDPR)-readiness exercise last year? 

That GDPR took longer than expected. 

Hopefully, they learned key lessons. They can leverage these as they face the challenges of the fast-approaching and complex California Consumer Privacy Act (CCPA). This law is slated to take effect January 1, 2020.

That’s right. Their work is not done.

Although they have a greater advantage, they cannot assume their systems will support CCPA or any other forthcoming privacy regulations. Why? Because more than likely they focused on implementing the GDPR-type standards to European data and not to the U.S. data. 

The question on everyone’s mind is how the two privacy laws differ.

Yes, the CCPA mirrors the EU privacy law in that it allows people to ask companies what personal information is collected about them and why. Consumers can also request that their data be deleted. But the differences are complex, and the requirements are somewhat nuanced.

Regarding the collection and sale of personal information, GDPR only allows companies to ask consumers to “opt in,” while California’s law enables consumers to opt out. Arguably, it’s the most important right the California Consumer Privacy Act provides to California residents.

“Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

That’s why the California Consumer Privacy Act requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information.” It also requires you to include a phone number in your privacy notice. This might change to be a phone number OR email address. An amendment is waiting in the wings.


The California Consumer Privacy Act is top-of-mind for businesses nationally and globally.

California is the fifth largest economy in the world, so the CCPA’s impact is expected to be global. Understand the timeline and key deadlines of the California Consumer Privacy Act. It will help you differentiate the law from the GDPR, which did not involve amendments.

  1. May 31, 2019: The last day for amendments that were introduced in the Assembly (lower house of the CA Legislature) to move out of their house of origin to the Senate for committee process. A bevy of amendments to the CCPA have wound their way through the CA Legislature. This cleared up some of the law’s murky compliance requirements. What constitutes “personal information” was a part of this. Only twelve bills survived passage through the lower house.
  2. September 13, 2019: The final day for the state Senate (the upper house) to vote amendments into the law. Industry lobbyists would like to keep pushing for more changes right up until the law goes into effect. However, that’s not to be.
  3. October 13, 2019: The final day for the governor to sign or veto any bill that survives the Senate.
  4. January 1, 2020: The CCPA is slated to take effect. The individual rights requests will start coming in around this time.
  5. On or before July 1, 2020: Enforcement will only begin six months after the adoption of the AG’s regulations – or July 1, 2020 – whichever is sooner. But don’t breathe a sigh of relief that you’ll be getting a grace period. The state can bring enforcement actions from instances of noncompliance during those first six months.

Robust aptly describes the GDPR compliance process. “Murky”, “complex” and “flawed” are words used to describe the California privacy law. Hence the flurry of amendments submitted to give businesses more clarity before the law takes its final form.

Back up to the beginning for perspective.

In early 2018, millionaire real estate developer Alastair MacTaggart spearheaded California’s new consumer privacy law. His original intention? Gather enough signatures to qualify a privacy initiative for the ballot in November 2018. 

Spending about $3 million of his own money, MacTaggart created a more than 33-page long initiative. Had voters approved it in November, the Legislature wouldn’t have been able to amend it in the future. This would have caused problems for stakeholders. Almost every industry recognized that the initiative had significant issues.

So the California Consumer Privacy Act (Assembly Bill 375) is considered a compromise. This truce between consumer privacy advocates, legislators and businesses may have been put together too hastily, and it resulted in glaring errors.


Words matter in the CCPA.

We’ve already pointed out the importance of understanding the definition of “sale” in the CCPA. There are other words worth defining.

The GDPR’s scope is broad. The CCPA, by contrast, applies its rules to a for-profit “business” that does business in California and meets one or more of the following criteria:

  • Generates an annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices
  • Controls or is controlled by, and shares common branding with, an entity meeting the above criteria

The definition of personal information is broad in the CCPA. It’s defined as any information about a particular California consumer, household or device. The non-exhaustive list of examples includes:

  • names
  • aliases 
  • addresses
  • emails
  • account names
  • social security numbers
  • medical information
  • passport details
  • IP addresses
  • phone numbers
  • PINs
  • geolocation

The California statute says a consumer is a resident of California, period. You don’t need to enter into a transaction with a person for him or her to qualify as a consumer.


Understand that non-compliance can be extremely costly to your company. 

For data breaches, consumers may be able to sue for up to $750 for each violation. Residents can also choose to bring class action lawsuits, seeking statutory damages of up to $750 per consumer per incident.

Doesn’t sound like much, right? That’s until you consider most privacy breaches involve hundreds of thousands of records. 

Even if you don’t have a data breach on your hands, you’re not off the hook. The CCPA can slap a $2,500-$7,500 fine on you simply for non-compliance.

For intentional violations of privacy, the state attorney general can sue for up to $7,500 per violation. The law requires consumers to provide written notice to a business within 30 days of a violation. They can then take legal action.

Companies have 30 days to “cure” (fix) the issue. The law doesn’t define what a “cure” would entail. And 84% of businesses say they’re anxious as they await the clarification of the term “cure” as it relates to violations.

You also have to consider the potential damage to your company’s reputation, plus the subsequent loss of revenue you stand to suffer due to decreased consumer confidence caused by lawsuits.

Customers expect you to comply. If you’re not compliant, it could cost you the trust of your existing and potential customers. And the loss of trust means the very real loss of dollars on your bottom line.


A CCPA readiness plan at your company should be underway.

Most companies surveyed said that it took seven months or longer to wrangle their data into GDPR compliance. A key issue was the lack of preparedness.

For U.S. businesses specifically, lack of experience was key. You see, European companies, unlike their counterparts in the U.S., have been dealing with complex and multi-jurisdictional privacy issues for 20-plus years.

And don’t be tempted to take the “wait and see” approach until the statutory language seems more settled in September, expecting that to give your business an advantage. It won’t. If anything, the amendments will expand the private right of action for consumers.

Take this big step now.

Create a data inventory by surveying all aspects of your business, from Marketing to IT to Vendor Management, and all points where you receive information from any source and in any format.

There are lots of companies that collect and rely on selling data, and they simply don’t have any record of where all that data is that’s being sold. In other words, find all the places where data could be hiding.

Whether or not they are already GDPR-compliant, companies may need to add a column flagging whether a data-use case involves data “selling” – tracking the categories of personal data transferred to third parties – and a column indicating whether the data was collected more than 12 months ago and is therefore potentially exempt.

That’s for starters.


Conclusion: These types of privacy law requirements aren’t going away. 

Let’s say you don’t fall under the GDPR or CCPA today. It’s still only a matter of time before you’ll have to transform your organization’s practices to comply with state, federal or international law. 

More and more states are gearing up for similar regulations coming down the pipeline. These include Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island. So are countries like Brazil (effective August 2020) and China.

Our advice: Don’t reinvent the wheel every time there’s a new regulation. Don’t rely on piecemeal technology solutions. Instead, work closely with a technology services partner who understands the details of each regulation. 

Remember, the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run.

Schedule a short consultation with our team of experts today. 

We’ll review your business and marketing materials to ensure they’re CCPA compliant and on time. 


Schedule a free consultation with Red Clover Advisors.


95,000 complaints have been filed under the GDPR compliance law.

41,502 data breaches have been reported since it went into effect in May 2018.

And a $57 million fine was levied on Google for failing to follow the mandate.

These are shocking numbers that should underline the fact that just because the deadline for GDPR compliance was a little over a year ago, implementation isn’t over yet.

Nor will it probably ever be.

That’s because parts of the GDPR mandate, including data inventories, aren’t projects to be checked off a list. Instead, they’re processes to be maintained and improved over time.

Your business changes over time. And a lot of time – a whole year – has gone by since GDPR went into effect. You likely added new vendors, collection points and processes. 

All that needs to be captured in your data inventory.

And while it’s time for you to dust off GDPR compliance best practices for all areas of your business, one of the most important is an accurate set of data inventories. 

What Is a Data Inventory?

Data inventory. Data mapping. Records of processing activities. Article 30 report.

If any one of these sounds familiar, they all should, because they all refer to the same thing: what GDPR calls a data inventory.

Data inventories help companies understand the data they have from start to finish. They cover all the third parties the company uses and all the systems on which it relies.

That means you know what specific pieces of information you’ve collected about each person and exactly where each of those pieces of information is stored.

Data inventories are critical. 

They significantly influence the way you construct your privacy notice and individual rights process and policy. There’s no way to create these documents when you don’t know what data you have, how it’s being used, and where it’s stored. 

And those are the exact items you need to include in your policies.

Data inventories also tell companies what information they actually need to be collecting. With GDPR in place, it’s a risk to collect and store data you aren’t using. It’s more of a benefit to ask users only for the information you need for operating purposes.

Reviewing your data will tell you if you’re collecting too much data versus not enough.

Collecting the Minimum Amount of Data

Data minimization – only collecting the minimum amount of information you need – isn’t just a nice suggestion.

In reality, it’s the basic privacy mantra required by GDPR: Collect only what you need for business purposes.

What’s the thought process here?

Under the GDPR, the more data you have, the greater your organization’s responsibility to protect it. In other words, more data = increased risk.

And let’s be honest, no business wants increased risk.

This can bleed into other areas of compliance, too. For example, after completing a data inventory, one company identified the sales team was sending emails manually through Outlook. 

At first glance, it’s no big deal. 

But when you consider this prevents any kind of tracking of data – specifically email opt outs – a picture starts to form about why this process is dangerous.

GDPR absolutely requires automatic opt-outs. Outlook, like all other email clients, doesn’t support this functionality.

The solution to this problem was to move to an email service provider (ESP). This software allows you to segment, send more efficiently, and most importantly in this case, provide a GDPR-compliant unsubscribe option. 

The point isn’t just that you’ll be following GDPR by using an ESP to send all your sales, marketing and customer emails. 

It’s that the company pinpointed this massive shortcoming by executing a data inventory.

Being Smart About Vendor Selection

One of the most underrated and perhaps largely unknown values of doing a data inventory is identifying quality and reliable third-party solutions.

If you choose your vendors out of a hat and hope for the best, you’re not alone.

But hope isn’t a good strategy when choosing a third-party solution. 

After all, these will be the people who act as an extension of your team, who might handle sensitive information and important details. 

Data inventories can help you vet your options.

And they can help you choose the ones who will be compliant with privacy laws.

Conclusion: Data Inventories are Critical to Privacy Compliance

So what’s the big deal with data inventories?

Companies need to maintain quality data inventories to comply not just with GDPR. They’re also helpful for pending laws such as CCPA and others coming down the pipeline. 

All the privacy laws primarily have to do with protecting personal data. And you can’t be compliant if you don’t know what data you collect, store, and use. You also have to consider that there are slightly different definitions of what constitutes “personal data” under different privacy laws, e.g. CCPA.

It can get a little overwhelming.

That’s why we created comprehensive resources in everyday language like the GDPR Checklist & Workbook and the CCPA Compliance Guide. They’re designed to help you tackle these privacy updates in the least amount of time, effort and expense.

And if you need a helping hand when it comes to updating existing data inventories or just getting started with data mapping, schedule a time to talk to one of our experts.