IAPP White Papers


IAPP White Papers

This page hosts a collection of white papers published by the IAPP.

Featured White Papers


Health care privacy on the ground

This white paper tackles some of the most pressing challenges in-house health care privacy teams face and describe concrete solutions.
Read More


The Alignment Problem with “Sale of Data”

This white paper provides insights on how privacy professionals responded to the Sephora enforcement action, and how they are updating their practices to account for the expansion of “sale.”
Read More


Building the next generation of security and privacy professionals

This LinkedIn Live discusses how privacy careers have evolved, the importance of mentors in the field, tips for those starting out or looking to advance, privacy roles in government and what is on the horizon.
Read More


Self-sovereign identity as future privacy by design solution

This white paper explores how identity has evolved and if SSI solutions provide increased hope for greater privacy protections now and in the future.
Read More


The Rise of Prescriptive Technical Safeguards in FTC Settlements

This white paper reviews U.S. Federal Trade Commission settlements that have required increasingly specific remedies, and if organizations should begin implementing technologies promoted by the commission.
Read More


Technologists and Privacy Risk Management Frameworks

This white paper maps U.S. National Institute of Standards and Technology Privacy Framework’s Core to the Body of Knowledge for a Certified Information Privacy Technologist.
Read More

Latest White Papers

Assessing the Right to Personal Data Portability in Mexico

The right to personal data portability arises as a new complementary modality to the right of access to personal data that had its origin in the EU General Data Protection Regulation. Mexico, by enacting the personal data protection regulations in the public sector in January 2017, adopted this figure, creating an asymmetry among the personal data protection regulations held by private parties. Read More

White Paper – DPAs on the Ground

This piece focuses on the resources available to each DPA and its progress so far in addressing complaints, both individually and in coordination with other member states. Additionally, it highlights the GDPR's impact on budget and staffing levels in relation to a country's GDP. Results from the questionnaire provide an illustrative snapshot into DPAs’ work “on the ground.” Read More

Privacy 2030: A New Vision for Europe

Prior to his untimely death earlier this year, former European Data Protection Supervisor Giovanni Buttarelli shared his vision with friend, colleague and ally, Christian D'Cunha, who documents his thinking in "Privacy 2030: A Vision for Europe." The document includes an extensive afterword from a selection of notable thought leaders in the space. Read More

The Skill Set Needed to Implement a Global Privacy Standard: ISO/IEC 27701 alignment with IAPP CIPM and CIPP/E certifications

In August 2019, the International Standards Organization released its first global privacy standard, ISO/IEC 22701. To offer insight into the professional skill set necessary to implement this new global privacy standard, the International Association of Privacy Professionals’ Westin Research Center mapped ISO/IEC 27701 to the bodies of knowledge for a Certified Information Privacy Professional/Europe and a Certified Information Privacy Manager. Read More

White Paper – 5 Steps You Must Take to Prepare for the CCPA

To help businesses operationalize CCPA’s requirements, we present here five concrete action items privacy professionals can tackle, as well as the considerations that underpin each step. We discuss how to determine whether and how CCPA applies to your business, necessary updates to vendor contracts and privacy notices, areas of focus to enable consumer requests, and organizational training needs. In each regard, we outline core requirements and point to additional resources for a deeper dive. Read More

Timelines and budgets for GDPR compliance: A meta-analysis

(February 2019) – This white paper aggregates the results of 12 different surveys conducted between September 2016 and July 2018 on organizational GDPR-compliance efforts before and after the May 25, 2018, implementation deadline to gain the deepest insight possible into compliance efforts and costs at the organizational level on a global scale. This report presents the findings from that meta-analysis. Read More

Consensus and Controversy in the Debate Over US Federal Data Privacy Legislation

(JUpdated: October 2019) – Over the past year, numerous lawmakers and organizations have offered proposals or recommendations regarding a new U.S. federal data privacy law. To shine more light on the specific provisions that are being debated, we look here at a set of bills that have been introduced in Congress in the past year, from the Consumer Data Protection Act introduced by Senator Ron Wyden, D-Ore., to the Algorithmic Accountability Act of 2019 and the Do Not Track Act, among many others. Read More

Applying the Positive-Sum Principle for Successful Privacy by Design Outcomes

(July 2018) – Implementing a “positive-sum” approach, one of the seven principles of privacy by design, in which stakeholders share a single set of objectives driving the design, development and implementation of business initiatives or technologies, provides a strategic boost toward attaining effectiveness and sustainability. In this white paper get insight on the benefits of a positive-sum approach and operationalizing it in your organization. Read More

Bridging ISO 27001 to GDPR

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO’s 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance that security has likely already done. With this research project, we have identified six main areas of common ground that should help every organization align their security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust. Read More

Top 10 operational responses to the GDPR

Published: March 2018Click To View (PDF) In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping Part 2: L... Read More

6 Ways Privacy Awareness Training Will Transform Your Staff

(February 2018) – As an organization, you have obligations to your customers and other stakeholders to protect their personal information. Some obligations are regulatory, some by statute, some by contract, and some simply due to public expectations. This white paper outlines six ways that establishing a privacy awareness training program will help your team to think about privacy and meet these obligations. Read More

IAPP Privacy 101 White Paper Series

The IAPP produces an extensive amount of white papers, reports and surveys covering all aspects of the privacy space. Below you can find the seven white papers that make up the IAPP’s Privacy 101 white paper series. They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them) 6 Ways Privacy Awareness Training Will Transform Your Staff Privacy and Data Security is for Everyone Five Lessons I Learned Transitioning from Security to Privacy Must-Have Privacy Training Feature... Read More

Five Lessons I Learned Transitioning from Security to Privacy

With the ever-evolving privacy requirements changing the global landscape, many information security professionals are being tasked with adding to or leading information privacy programs. It may seem like a natural progression, but there are five lessons I had to learn when I made my transition from working in the security and audit (with a focus on security) fields to information privacy. In this white paper, learn tips to help make the transition from security to privacy, and get insight on some of the disconnects between the two fields. Read More

Getting Started with Privacy in Canada

(January 2018) – Many employees, especially at medium-sized firms, get approached by their superiors asking them to wear “different hats.” Lately, a lot of people have been trying privacy hats on for size. Although this may not necessarily be a problem for those of us wishing to acquire new skills, it could pose challenges for others. Particularly for individuals with limited privacy knowledge, they may not know where and/or how to start figuring out what privacy is and how it impacts their organization. In this white paper, get an overview of the questions you should ask, the regulations you should know about and some ways forward when addressing organizational privacy needs in Canada. Read More

Privacy and Data Security is for Everyone

(January 2018) – "Privacy and data security is for everyone" is a commonly accepted statement, is largely true, and is completely misleading. There is virtually no company in the U.S. that does not have specific legal obligations and risks related to the privacy and security of personal data. The details may change, depending on the industry and a company’s practices. But for most companies, there is a core set of common obligations in an exceedingly complicated area, where the compliance challenges and legal risks are only growing. In this white paper, get an overview of the privacy law environment in the U.S., and learn about some broadly reaching laws that likely affect your organization. Read More

They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them)

Employees are required to remember seemingly countless privacy regulations and policies, which requires privacy programs to monitor and reinforce positive behaviors all the time. Still, when a privacy incident is reported the privacy office, it’s easy to become dismayed at how the mistake could have possibly occurred. Many incidents occur even as employees believe they are doing the right thing, but are instead burdening the company with unnecessary risk. In this white paper, learn about the top mistakes employees make, absent proper awareness and training. Read More

The legal risks for the DPO

(September 2017) – In this white paper overview, IAPP Legal Extern Carissa Hanratty, CIPP/US, explores some of the jurisdictions in which personal liability exists, with an appendix linking to the various legal texts. Read More

Applying VPPA to Online Video Privacy

(May 2017) – In this white paper, Jeff Lambe, CIPP/US, offers an overview of the U.S. Video Privacy Protection Act, originally passed in 1988 and amended in 2012, including how its been applied to online content. The paper highlights relevant court decisions, showing the shifting interpretations of the VPPA with the rise of new technologies. The paper also discusses the uncertain future of video privacy under U.S. law. Read More

IAPP Guide to FTC Privacy Enforcement

(May 2017) – This guide from the IAPP Westin Research Center describes the various paths the Federal Trade Commission may pursue when it brings privacy cases under its primary consumer protection authority, Section 5(a) of the FTC Act. The guide also discusses the various avenues that the FTC may pursue in seeking these remedies (e.g. administrative adjudication and filing suit directly in federal district court), and how these respective avenues lead to different available outcomes (e.g. fines, injunctive relief). Read More

Preparing for the GDPR: DPOs, PIAs, and Data Mapping

(November 2016) – The IAPP-TRUSTe 2016 study on privacy practices asked 244 privacy professionals about their organizations’ progress toward GDPR compliance, such as whether they have a data protection officer, as well as questions about data hygiene habits like privacy assessments and data inventory and mapping exercises. Read More

Getting to the ROI of Privacy

Many privacy pros struggle to show their value to an organization. When advocating for more staff or budget, they are frequently asked to demonstrate what the return will be on that investment in privacy. This white paper offers some reasons a solid privacy program is worth paying for. Read More

Top 45 Security and Privacy Blind Spots

(May 2015) – IAPP CTO Jeff Northrop, CIPP, CIPT, offers 45 lessons learned from common mistakes occurring in blind spots created by a changing environment for IT professionals including data accuracy and appropriate use concerns. Each blind spot is accompanied by an example adding context and aiding the communication of the importance of this risk to organization executives. Read More

Managing Your Data Breach

While there are a number of data breach guides out there, we have chosen to focus on the many relationships and stakeholders involved in breach preparedness and response. Responding to a breach correctly involves a suite of people both inside and outside your organization. Understanding the best way to most efficiently utilize those people goes a long way toward ensuring that your response manages costs, manages business impact and puts the breach behind your organization as quickly as possible. Read More

What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

(October 2014) – This study suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance from the tersely phrased settlement orders, it parses the FTC’s complaints. By pointing out what companies did not have in their data security programs, the FTC provided a peek into what, in its opinion, these companies should have done. In doing so, the study organizes the FTC’s requirements into seven categories: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training. Read More

A Call for Agility: The Next-Generation Privacy Professional

(March 2010) – In conjunction with our tenth anniversary, the IAPP has published a seminal white paper on the past, present and future of the privacy profession. “A Call for Agility: The Next-Generation Privacy Professional,” examines key developments in the privacy arena over the last 10 years. It offers a compelling perspective of what roles, issues and challenges will face us in the coming years. Read More