Nymity Framework: Privacy & Data Protection Update in 7 States

TrustArc
© 2023 TrustArc Inc. Proprietary and Confidential Information.
Speakers
Meaghan McCluskey, Associate General Counsel, Research, TrustArc
Daniela Sanchez, Privacy Research Lawyer, TrustArc
Agenda
○ State privacy landscapes and updates
○ Multi-state compliance challenges
○ Effective privacy risk management
○ Insights into coming changes and preparing for the evolving landscape
○ Q & A
Poll Time!
What is your organization's biggest challenge when it comes to multi-state data privacy compliance?
State-Specific Privacy Landscapes and Updates
● Texas is the only state whose law applies to individuals
● Scope: applies to organizations ‘doing business’ in the state or ‘actively engaging in any transaction for financial or pecuniary gain or profit’
● California - explanation found in other Californian laws
○ Tax Code: actively engaging in any transaction for the purpose of financial pecuniary gain or profit
○ Company must register with the California Secretary of State as a non-California company
○ Subject to court jurisdiction
● Other indicators:
○ Incorporation
○ Location
○ Employees, or
○ Consumers
● CPPA explanation = plain language
Connecticut: Health information protection
● Prohibition on using a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility;
● Consent required to sell or offer to sell consumer health data;
● Prohibition on providing access to employees or contractors (exceptions apply)
California, Colorado and Connecticut: Non-monetary considerations are recognized as sales. Other states require valuable or monetary considerations.
Tennessee:
● Affirmative defense available for organizations facing enforcement under this act - organizations can argue that they maintain a privacy program that reasonably conforms to the NIST Privacy Framework.
Florida: Applies mostly to big tech companies and includes very specific requirements:
● Right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature;
● Prohibition on using a voice recognition feature, a facial recognition feature, a video recording feature or an audio recording feature for surveillance purposes, unless expressly authorized.
Oregon and Delaware: Third party lists
● Right to obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data.
Multi-State Compliance Challenges & Best Practices
● Compliance Challenges:
○ Information and individuals moving through the states make it difficult to identify when, and to whom, the rights provided by state laws must be recognized.
○ Global Privacy Control (GPC)
● Faced by Organizations Operating in Multiple States:
○ Cost and efficiency of determining which requirements apply in each jurisdiction where the organization operates;
○ Constant implementation of new measures to meet ongoing legal requirements;
○ Uncertainty created by the evolving landscape reduces innovation.
● Strategies and Best Practices to Ensure Regulatory Adherence:
○ Data Mapping: Data flows
○ Broad and proactive approach to compliance
A Framework Approach to Privacy Management
Nymity Privacy Management and Accountability Framework
● Menu of more than 140 privacy management activities
● Created in 2014, released publicly in 2015
● Updated in 2016 to reflect GDPR developments
● Updated in 2023 to reflect NIST Privacy Framework, AI, current reality:
○ Integrate privacy into the Data Ethics/Stewardship program
○ Integrate privacy into the System Development Life Cycle
○ Maintain policies/procedures for algorithmic accountability
○ Use interoperable frameworks to monitor and report on privacy risks
What is your Resource Profile?
● Low Resources “part-time privacy”:
○ Single individual for whom the role of privacy officer is a secondary role (limited time)
○ Financial constraints
○ Lack of buy-in
○ Perceived low risk
● Medium Resources:
○ Buy-in from the operational and business units;
○ Full-time privacy officer and/or culture of compliance;
○ Processing as a core activity;
○ Contractual obligations;
○ Major project as a driver.
● High Resources:
○ Buy-in from board or executive level;
○ Funded privacy officer;
○ Resources and responsibility are allocated;
○ Follows recommendations from lawyers and consultants.
Resources are the people, processes, technologies and tools that help you do your job.
Resource-Driven Privacy Management Strategy
Low - Policy First:
● Assign responsibility for data privacy to an individual (e.g. Privacy Officer, General Counsel, CPO, CISO, EU Representative)
● Maintain a data privacy policy and maintain a privacy notice
● Conduct privacy training
● Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
● Engage stakeholders throughout the organization on data privacy matters (e.g. information security, marketing, etc.)
● Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)
● Maintain procedures to respond to requests for access to personal data
Medium - Governance First:
● Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
● Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy
● Incorporate data privacy into operational training, such as HR, marketing, call centre
● Maintain defined roles and responsibilities for third parties (e.g. partners, vendors, processors, customers)
● Integrate data privacy into the System Development Life Cycle
● Maintain procedures to respond to requests to opt-out of, restrict or object to processing
● Integrate Privacy by Design into system and product development
High - Inventory First:
● Maintain an inventory of personal data and/or processing activities
● Classify personal data holdings by type (e.g. sensitive, confidential, public)
● Maintain documentation of data flows (e.g. between systems, between processes, between countries)
● Integrate data privacy into records retention practices
● Conduct due diligence around the data privacy and security posture of potential vendors/processors
● Conduct impact assessments for new programs, systems, processes
An example: Building on existing DPIA/PIA processes
The Ever Evolving Landscape: Navigating Uncertainty with Confidence
● Copycat legislation: all 50 states
● Technological development: AI, Internet Platforms
● Economic pressures: EU
● Consumer protection: Women's healthcare, Data brokers
Q&A
Thank You!
See http://www.trustarc.com/insightseries for the 2023 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with privacy and data security compliance, please reach out to sales@trustarc.com for a free demo.
1 de 22

Recomendados

Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -... por
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...Burton Lee
806 vistas29 diapositivas
Data privacy and security in uae por
Data privacy and security in uaeData privacy and security in uae
Data privacy and security in uaeRishalHalid1
204 vistas5 diapositivas
Data Privacy and Security in UAE.pdf por
Data Privacy and Security in UAE.pdfData Privacy and Security in UAE.pdf
Data Privacy and Security in UAE.pdfRishalHalid1
67 vistas6 diapositivas
Human resources: protecting confidentiality por
Human resources: protecting confidentiality Human resources: protecting confidentiality
Human resources: protecting confidentiality KelbySchwender
464 vistas18 diapositivas
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions por
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsTrustArc
476 vistas34 diapositivas
5 Signs Your Privacy Management Program is Not Working for You por
5 Signs Your Privacy Management Program is Not Working for You5 Signs Your Privacy Management Program is Not Working for You
5 Signs Your Privacy Management Program is Not Working for YouTrustArc
310 vistas38 diapositivas

Más contenido relacionado

Similar a Nymity Framework: Privacy & Data Protection Update in 7 States

How to Build and Implement your Company's Information Security Program por
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramFinancial Poise
80 vistas51 diapositivas
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf por
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfCIOWomenMagazine
3 vistas8 diapositivas
Data Privacy Program – a customized solution for the new EU General Regulatio... por
Data Privacy Program – a customized solution for the new EU General Regulatio...Data Privacy Program – a customized solution for the new EU General Regulatio...
Data Privacy Program – a customized solution for the new EU General Regulatio...IAB Bulgaria
660 vistas17 diapositivas
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk por
Assessing Risk: How Organizations Can Proactively Manage Privacy RiskAssessing Risk: How Organizations Can Proactively Manage Privacy Risk
Assessing Risk: How Organizations Can Proactively Manage Privacy RiskTrustArc
571 vistas37 diapositivas
GDPR master class accountable research organisations (january 2018) por
GDPR master class   accountable research organisations (january 2018)GDPR master class   accountable research organisations (january 2018)
GDPR master class accountable research organisations (january 2018)MRS
1.1K vistas70 diapositivas
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success por
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
2.7K vistas26 diapositivas

Similar a Nymity Framework: Privacy & Data Protection Update in 7 States(20)

How to Build and Implement your Company's Information Security Program por Financial Poise
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security Program
Financial Poise80 vistas
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf por CIOWomenMagazine
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
CIOWomenMagazine3 vistas
Data Privacy Program – a customized solution for the new EU General Regulatio... por IAB Bulgaria
Data Privacy Program – a customized solution for the new EU General Regulatio...Data Privacy Program – a customized solution for the new EU General Regulatio...
Data Privacy Program – a customized solution for the new EU General Regulatio...
IAB Bulgaria660 vistas
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk por TrustArc
Assessing Risk: How Organizations Can Proactively Manage Privacy RiskAssessing Risk: How Organizations Can Proactively Manage Privacy Risk
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk
TrustArc571 vistas
GDPR master class accountable research organisations (january 2018) por MRS
GDPR master class   accountable research organisations (january 2018)GDPR master class   accountable research organisations (january 2018)
GDPR master class accountable research organisations (january 2018)
MRS1.1K vistas
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success por Sirius
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Sirius2.7K vistas
How to Manage Vendors and Third Parties to Minimize Privacy Risk por TrustArc
How to Manage Vendors and Third Parties to Minimize Privacy RiskHow to Manage Vendors and Third Parties to Minimize Privacy Risk
How to Manage Vendors and Third Parties to Minimize Privacy Risk
TrustArc615 vistas
Gdpr overview ciso platform presentation por Priyanka Aash
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
Priyanka Aash998 vistas
Keep Calm and Comply: 3 Keys to GDPR Success por Sirius
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius8.4K vistas
Privacy Frameworks: The Foundation for Every Privacy Program por TrustArc
Privacy Frameworks: The Foundation for Every Privacy ProgramPrivacy Frameworks: The Foundation for Every Privacy Program
Privacy Frameworks: The Foundation for Every Privacy Program
TrustArc746 vistas
Prep your app for gdpr compliance por Asanka Nissanka
Prep your app for gdpr compliancePrep your app for gdpr compliance
Prep your app for gdpr compliance
Asanka Nissanka204 vistas
PrivacyOps Framework por Feroot
PrivacyOps FrameworkPrivacyOps Framework
PrivacyOps Framework
Feroot88 vistas
Privacy Operations (PrivacyOps) Framework - Feroot Privacy por Ivan Tsarynny
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyPrivacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
Ivan Tsarynny151 vistas
What's Next - General Data Protection Regulation (GDPR) Changes por Ogilvy Consulting
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting2.1K vistas
The Summary Guide to Compliance with the Kenya Data Protection Law por Owako Rodah
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
Owako Rodah797 vistas
UX & GDPR - Building Customer Trust with your Digital Experiences por Stephen Denning
UX & GDPR - Building Customer Trust with your Digital ExperiencesUX & GDPR - Building Customer Trust with your Digital Experiences
UX & GDPR - Building Customer Trust with your Digital Experiences
Stephen Denning291 vistas

Más de TrustArc

TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... por
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
176 vistas29 diapositivas
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security por
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc
108 vistas22 diapositivas
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass... por
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...TrustArc
267 vistas33 diapositivas
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec... por
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...TrustArc
101 vistas21 diapositivas
CBPR - Navigating Cross-Border Data Privacy Compliance por
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceTrustArc
313 vistas11 diapositivas
Everything You Need to Know about DPF But Are Afraid to Ask.pdf por
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfTrustArc
1K vistas12 diapositivas

Más de TrustArc(20)

TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... por TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc176 vistas
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security por TrustArc
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc108 vistas
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass... por TrustArc
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
TrustArc267 vistas
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec... por TrustArc
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
TrustArc101 vistas
CBPR - Navigating Cross-Border Data Privacy Compliance por TrustArc
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy Compliance
TrustArc313 vistas
Everything You Need to Know about DPF But Are Afraid to Ask.pdf por TrustArc
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
TrustArc1K vistas
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C... por TrustArc
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
TrustArc272 vistas
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations por TrustArc
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
TrustArc177 vistas
Building Trust and Competitive Advantage: The Value of Privacy Certifications por TrustArc
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy Certifications
TrustArc219 vistas
The California Age Appropriate Design Code Act Navigating the New Requirement... por TrustArc
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...
TrustArc51 vistas
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf por TrustArc
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
TrustArc152 vistas
Artificial Intelligence Bill of Rights: Impacts on AI Governance por TrustArc
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI Governance
TrustArc388 vistas
How To Do Data Transfers Between EU-US in 2023 por TrustArc
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
TrustArc301 vistas
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust por TrustArc
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
TrustArc107 vistas
The Cost of Privacy Teams: What Your Business Needs To Know por TrustArc
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To Know
TrustArc306 vistas
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf por TrustArc
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc318 vistas
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy? por TrustArc
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc153 vistas
Data Privacy Perspectives: Get Answers to Your Privacy Questions por TrustArc
Data Privacy Perspectives: Get Answers to Your Privacy QuestionsData Privacy Perspectives: Get Answers to Your Privacy Questions
Data Privacy Perspectives: Get Answers to Your Privacy Questions
TrustArc133 vistas
TrustArc Webinar: DPIA Compliance por TrustArc
TrustArc Webinar: DPIA ComplianceTrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA Compliance
TrustArc177 vistas
TrustArc Webinar: 2023 Privacy Roadmap por TrustArc
TrustArc Webinar: 2023 Privacy RoadmapTrustArc Webinar: 2023 Privacy Roadmap
TrustArc Webinar: 2023 Privacy Roadmap
TrustArc146 vistas

Último

Business Analyst Series 2023 - Week 4 Session 7 por
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7DianaGray10
146 vistas31 diapositivas
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue por
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlueShapeBlue
152 vistas23 diapositivas
"Node.js Development in 2024: trends and tools", Nikita Galkin por
"Node.js Development in 2024: trends and tools", Nikita Galkin "Node.js Development in 2024: trends and tools", Nikita Galkin
"Node.js Development in 2024: trends and tools", Nikita Galkin Fwdays
33 vistas38 diapositivas
The Power of Heat Decarbonisation Plans in the Built Environment por
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built EnvironmentIES VE
84 vistas20 diapositivas
"Package management in monorepos", Zoltan Kochan por
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan KochanFwdays
34 vistas18 diapositivas
Optimizing Communication to Optimize Human Behavior - LCBM por
Optimizing Communication to Optimize Human Behavior - LCBMOptimizing Communication to Optimize Human Behavior - LCBM
Optimizing Communication to Optimize Human Behavior - LCBMYaman Kumar
38 vistas49 diapositivas

Último(20)

Business Analyst Series 2023 - Week 4 Session 7 por DianaGray10
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10146 vistas
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue por ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue152 vistas
"Node.js Development in 2024: trends and tools", Nikita Galkin por Fwdays
"Node.js Development in 2024: trends and tools", Nikita Galkin "Node.js Development in 2024: trends and tools", Nikita Galkin
"Node.js Development in 2024: trends and tools", Nikita Galkin
Fwdays33 vistas
The Power of Heat Decarbonisation Plans in the Built Environment por IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE84 vistas
"Package management in monorepos", Zoltan Kochan por Fwdays
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan Kochan
Fwdays34 vistas
Optimizing Communication to Optimize Human Behavior - LCBM por Yaman Kumar
Optimizing Communication to Optimize Human Behavior - LCBMOptimizing Communication to Optimize Human Behavior - LCBM
Optimizing Communication to Optimize Human Behavior - LCBM
Yaman Kumar38 vistas
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue por ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue207 vistas
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue por ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue139 vistas
Ransomware is Knocking your Door_Final.pdf por Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp98 vistas
LLMs in Production: Tooling, Process, and Team Structure por Aggregage
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team Structure
Aggregage57 vistas
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue por ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue137 vistas
Future of AR - Facebook Presentation por Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty65 vistas
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue por ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlueWhat’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
What’s New in CloudStack 4.19 - Abhishek Kumar - ShapeBlue
ShapeBlue265 vistas
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... por ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue171 vistas
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... por ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue178 vistas
"Surviving highload with Node.js", Andrii Shumada por Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays58 vistas
NTGapps NTG LowCode Platform por Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu437 vistas
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... por ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue141 vistas

Nymity Framework: Privacy & Data Protection Update in 7 States

  • 1. © 2023 TrustArc Inc. Proprietary and Confidential Information. Nymity Framework: Privacy & Data Protection Update in 7 States
  • 2. 2 Speakers Meaghan McCluskey Associate General Counsel, Research, TrustArc Daniela Sanchez Privacy Research Lawyer TrustArc
  • 3. Agenda ○ State privacy landscapes and updates ○ Multi-state compliance challenges ○ Effective privacy risk management ○ Insights into coming changes and preparing for the evolving landscape ○ Q & A
  • 4. Poll Time! What is your organization's biggest challenge when it comes to multi-state data privacy compliance?
  • 8. 8 State-Specific Privacy Landscapes and Updates ● Texas is the only state that applies to individuals ● Scope: Apply to organizations ‘doing business’ in the state or ‘actively engaging in any transaction for financial or pecuniary gain or profit’ ● California - Explanation in other Californian Laws ○ Tax Code: actively engaging in any transaction for the purpose of financial pecuniary gain or profit ○ Company must register with the California Secretary of State as a non-California company ○ Subject ot court jurisdiction ● Other indicators: ○ Incorporation ○ Location ○ Employees’ or ○ Consumers ● CPPA explanation = plain language
  • 10. 10 State-Specific Privacy Landscapes and Updates Connecticut: Health information protection ● Prohibition - using a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility; ● Consent required to sell or offer to sell consumer health data; ● Prohibition to provide access to employees or contractor (exceptions apply) California, Colorado and Connecticut: Non-monetary considerations are recognized as sales. Other states require valuable or monetary considerations. Tennessee: ● Affirmative defense available for organizations facing enforcement under this act - organizations can argue that they maintain a privacy program that reasonably confirms to the NIST Privacy Framework. Florida: Apply mostly to big tech companies and include very specific requirements: ● Right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature; ● Prohibition of using voice recognition feature, a facial recognition feature, a video recording feature, an audio recording feature for surveillance purposes, unless expressly authorized. Oregon and Delaware: Third party lists ● Obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data.
  • 12. Multi-State Compliance Challenges & Best Practices
    ● Compliance challenges:
    ○ Information and individuals moving between states make it difficult to identify when, and for whom, to recognize the rights provided by state laws.
    ○ Global Privacy Control (GPC)
    ● Challenges faced by organizations operating in multiple states:
    ○ Cost and efficiency of determining which requirements apply in each jurisdiction where the organization operates;
    ○ Constant implementation of new measures to meet ongoing legal requirements;
    ○ Uncertainty created by the evolving landscape reduces innovation.
    ● Strategies and best practices to ensure regulatory adherence:
    ○ Data mapping: data flows
    ○ Broad and proactive approach to compliance
  • 13. A Framework Approach to Privacy Management
  • 14. Nymity Privacy Management and Accountability Framework
    ● Menu of more than 140 privacy management activities
    ● Created in 2014, released publicly in 2015
    ● Updated in 2016 to reflect GDPR developments
    ● Updated in 2023 to reflect the NIST Privacy Framework, AI and current reality:
    ○ Integrate privacy into the Data Ethics/Stewardship program
    ○ Integrate privacy into the System Development Life Cycle
    ○ Maintain policies/procedures for algorithmic accountability
    ○ Use interoperable frameworks to monitor and report on privacy risks
  • 16. What is your Resource Profile?
    ● Low resources ("part-time privacy"):
    ○ Single individual for whom the role of privacy officer is a secondary role (limited time)
    ○ Financial constraints
    ○ Lack of buy-in
    ○ Perceived low risk
    ● Medium resources:
    ○ Buy-in from the operational and business units;
    ○ Full-time privacy officer and/or culture of compliance;
    ○ Processing as a core activity;
    ○ Contractual obligations;
    ○ Major project as a driver.
    ● High resources:
    ○ Buy-in from board or executive level;
    ○ Funded privacy officer;
    ○ Resources and responsibility are allocated;
    ○ Follows recommendations from lawyers and consultants.
    Resources are the people, processes, technologies and tools that help you do your job.
  • 17. Resource-Driven Privacy Management Strategy
    ● Low - Policy First:
    ○ Assign responsibility for data privacy to an individual (e.g. Privacy Officer, General Counsel, CPO, CISO, EU Representative)
    ○ Maintain a data privacy policy and maintain a privacy notice
    ○ Conduct privacy training
    ○ Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
    ○ Engage stakeholders throughout the organization on data privacy matters (e.g. information security, marketing, etc.)
    ○ Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)
    ○ Maintain procedures to respond to requests for access to personal data
    ● Medium - Governance First:
    ○ Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
    ○ Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy
    ○ Incorporate data privacy into operational training, such as HR, marketing, call centre
    ○ Maintain defined roles and responsibilities for third parties (e.g. partners, vendors, processors, customers)
    ○ Integrate data privacy into the System Development Life Cycle
    ○ Maintain procedures to respond to requests to opt out of, restrict or object to processing
    ○ Integrate Privacy by Design into system and product development
    ● High - Inventory First:
    ○ Maintain an inventory of personal data and/or processing activities
    ○ Classify personal data holdings by type (e.g. sensitive, confidential, public)
    ○ Maintain documentation of data flows (e.g. between systems, between processes, between countries)
    ○ Integrate data privacy into records retention practices
    ○ Conduct due diligence around the data privacy and security posture of potential vendors/processors
    ○ Conduct impact assessments for new programs, systems, processes
  • 20. The Ever-Evolving Landscape: Navigating Uncertainty with Confidence
    ● Copycat legislation: all 50 states
    ● Technological development: AI, Internet platforms
    ● Economic pressures: EU
    ● Consumer protection: Women's healthcare, data brokers
  • 21. Q&A
  • 22. Thank You! See http://www.trustarc.com/insightseries for the 2023 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with privacy and data security compliance, please reach out to sales@trustarc.com for a free demo.