
(Mar 28, 2017) South Africa's first data protection authority is in the process of setting up shop, but local legal professionals are skeptical about how well-resourced it will be. Its budget allocation in the current financial year is just 10 million rand (roughly $750,000), although that will rise to 25 million rand in the next financial year. "If you consider the role of this regulator and how important it is, 10 million rand is way under what it should be," says one critic. The country passed its data protection law in 2013, but it won’t be fully operational until the regulator is as well. David Meyer has the story. Read More

The Privacy Advisor

Two pros square off: Must the DPO be a lawyer?

(Mar 28, 2017) In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed. To Shaw, the DPO must be a lawyer. Specifically, a privacy- and technology-focused lawyer. Butler strongly disagrees. She says, “there are many examples of successful DPOs and CPOs who are not lawyers.” In this point-counterpoint, the two square off. Read More

The Privacy Advisor

How will Office for Civil Rights act under Trump's new pick?

(Mar 28, 2017) Last week, the Trump administration tapped Roger Severino to head the Office for Civil Rights. His appointment was met with significant criticism from civil rights groups, who are concerned about his ability, or willingness, to protect all Americans' civil rights. Indeed, the OCR director is charged with the task. But he's also in charge of enforcing the nation's laws on protecting health data's privacy and security. Given the various hats he'll wear and his background, some privacy pros aren't expecting Severino to focus much on privacy. Read More

The Privacy Advisor

Book Review: 'Privacy Law Fundamentals 2017'

(Mar 28, 2017) The newest edition of the Privacy Law Fundamentals by Dan Solove and Paul Schwartz, published in 2017, has a lot to offer and is indeed a great reference book for every privacy professional to have in their library, writes ShanShan Pa. The third edition builds on former versions in its layout and design as well as the latest developments in privacy law both in the U.S. and globally, and is a useful reference for both new privacy pros and veterans. Read More

The Privacy Advisor

How NIST security controls might help you get ready for the GDPR

(Mar 28, 2017) In order to get ready for the General Data Protection Regulation, companies need to thoroughly review their existing security measures and information-security frameworks. Because the GDPR is meant to be technologically neutral, it provides very little guidance on these topics. As such, it certainly seems wiser and more rational to use existing solutions provided by NIST publications than to wait until more EU guidelines are available. “Later you could further build on what you already have, rather than start from the scratch,” writes Piotr Foitzik in this how-to. Read More

The Privacy Advisor

Brazilian firm making a name for itself in league of its own

(Mar 28, 2017) Thiago Louís Sombra is celebrating, and with reason. April 2 marks the one-year anniversary of his firm, Odon Sombra Advogados, in Brazil. It’s a considerable accomplishment in its own right; Brazil — and to a larger extent, Latin America — doesn’t have a uniform privacy law, nor does it have many law firms specializing in privacy. So, maybe on his home turf he’s sort of a professional anomaly. But he brushes past this distinction in discussing Odon Sombra Advogados and its work defending client... Read More

The Privacy Advisor

On making breach determination a team effort

(Mar 28, 2017) This is part three of a three-part series on incident response management. Find part one, on building an incident-response team, here. Find part two on how to tell if an incident is a breach here. Privacy and information-security often live in their own silos, an impractical separation that can place both an organization and its customers at risk from a data breach. This risk occurs when a security incident — say, a malware attack that exposes customer information — is remediated without underg... Read More

The Privacy Advisor

Outsourcing your organization's DPO duties? Consider this

(Mar 28, 2017) As Emma Butler and Thomas Shaw discussed in the story above, many companies will be required to spend money on either an internal DPO or a third-party entity, such as a law or IT firm, to act as their external DPO, per the provisions of the GDPR. According to one study by the IAPP, more than 28,000 new DPOs need to be hired in the EU and U.S. alone, and that number hits 75,000 when you apply the scope worldwide. With the shortage of individuals trained to handle DPO responsibilities, it is likely that many entities will look to hire an external third-party DPO. Before hiring an external DPO, writes David Chen, entities should consider the following issues. Read More

The Privacy Advisor

Updating your vendor agreements to comply with GDPR

(Mar 28, 2017) If you have been keeping up with the upcoming EU General Data Protection Regulation, you are likely already aware of the myriad steps that you must complete within your organization before May 2018 in order to comply. For example, you may need to appoint a data protection officer, depending on the types of processing your company conducts. But another important and potentially time-consuming step that you need to complete is the review of your agreements with third-party vendors that will have a... Read More

The Privacy Advisor

Encryption debate at IAPP KnowledgeNet sheds light on government perspectives

(Mar 28, 2017) At an IAPP KnowledgeNet co-hosted by the “Santa Clara High Tech Law Journal,” a heated discussion broke out during the event’s second panel over how far the government should reach into personal data when investigating crimes. "Ars Technica" Senior Business Editor Cyrus Farivar hosted the second panel. He framed the discussion around the unresolved legal questions catalyzed by the FBI versus Apple encryption debate, looking to examine how those questions had changed “under the lens of the Trump administration." Read More

Privacy Bar Section, The Privacy Advisor