Privacy Services

NOTE: The various new privacy laws sometimes cause folks to feel overwhelmed. While it is true that there are some new privacy requirements for businesses, please remember that both privacy and cybersecurity are about the same thing--DATA PROTECTION. If your company has a good cybersecurity program that starts with a data inventory and data mapping, then it is already doing 80-90% (in our estimation) of what might be required to meet new privacy requirements.

For the latest information, please see our new report: Privacy Laws--An Executive Overview.
Check out our new privacy video: Understanding Privacy Laws--An Essential Guide.

                                        ___________________________________________________________

Recent privacy laws in the United States and Europe are granting citizens new data privacy ownership rights such as:

• The right to request a copy of the personal information you have collected about them
• The right to a copy of that personal information in a readily useable format that enables a consumer to transmit that information to another entity without hindrance
• The right to the deletion of all personal information that a business has collected, subject to certain exceptions
• The right to opt-out of your sale of a person's personal information to another

Under some of these new laws, businesses that collect and sell citizen's personal data (PII and NPI*) now must assume the role of a "data fiduciary". That means that your company is bound ethically and legally to act in the customer's best interests. As such you will now have new and important responsibilities for processing and protecting that data such as:

• Protecting all personal data with "reasonable" (i.e. standards-based) cybersecurity systems
• Verifying the identity of cititzens wanting to exercise their data rights
• Responding to citizen data requests in a short timeframe (this varies by jurisdiction)

In order to do the above, the first step is to create and maintain a data inventory, including data shared with third parties, data stored in the cloud and data stored on employees computers.

Some of these laws/bills give consumers the right to sue you if you breach any of the rules of that state's privacy law - without having to prove they were harmed.

NOTE: The new laws are changing very fast. Please check back frequently to keep up with new laws and enforcment dates.

The CyberCecurity LLC standards-based Privacy Compliance Program is designed to comply with the California Consumer Privacy Act (CCPA), Nevada Senate Bill 220, the General Data Protection Regulation (GDPR) and any other anticipated state and federal privacy laws. While the specifics of each law are different and will require minor adjustments, the basics of all of these laws are approximately the same.

Typical steps for building a compliant Privacy Program include:

1. Build the Privacy Team and identify and assign responsibilities.
2. Determine if the company qualifies for any exemptions.
3. If not exempt, then determine which data elements may be exempt from any applicable regulations
4. Create an inventory of all data elements that your organization collects, purchases, trades, acquires or stores.
5. Perform a data mapping exercise to determine and visualize specific privacy related data origins, locations, and flows.
6. Build and deploy a Privacy Practices Policy & Procedures.
7. Incorporate privacy training into existing security awareness training. 
8. Support company counsel as they draft external facing company privacy policies.
9. Update the current Vendor Cyber Risk Management Program.
10. Develop and implement a test plan for public facing and employee privacy related activities.

CyberCecurity, LLC can help your company build a Privacy Program that is in full compliance with these and other privacy regulations. Please call 303-887-5864 today for more information.

* For a full discussion of Non-public Information and Personally Identifiable Information, go HERE.