During summer 2020, 21 privacy leaders from industry, government and academia graciously shared their views on the impact of COVID-19 on privacy priorities, practices and programs. We captured their experiences, challenges and recommendations in this five-part series. Read More

The purpose of this white paper is not to argue for the validity or invalidity of any particular surveillance mechanism, but rather to provide a neutral, unclassified summary of the law and authorities in this area. Read More

To offer insight into the professional skillset needed to implement the NIST Privacy Framework, the International Association of Privacy Professionals’ Westin Research Center mapped the Privacy Framework’s Core to the Body of Knowledge for a Certified Information Privacy Manager. Read More

Privacy risks to individuals tend to be neglected due to the emphasis placed on privacy risks to organizations. Considering privacy risks to individuals, however, is critical to effective privacy risk management. Read More

The right to personal data portability arises as a new complementary modality to the right of access to personal data that had its origin in the EU General Data Protection Regulation. Mexico, by enacting the personal data protection regulations in the public sector in January 2017, adopted this figure, creating an asymmetry among the personal data protection regulations held by private parties. Read More

This piece focuses on the resources available to each DPA and its progress so far in addressing complaints, both individually and in coordination with other member states. Additionally, it highlights the GDPR's impact on budget and staffing levels in relation to a country's GDP. Results from the questionnaire provide an illustrative snapshot into DPAs’ work “on the ground.” Read More

To offer insight into the professional skill set needed to implement the NIST Privacy Framework, the International Association of Privacy Professionals’ Westin Research Center mapped the Privacy Framework’s Core to the Body of Knowledge for a Certified Information Privacy Manager. Read More

This white paper compares the Consumer Online Privacy Rights Act and Consumer Data Privacy Act to better understand the places where clear-cut similarities, clear-cut differences and gray areas are found within these two bills. Read More

This white paper is designed to provide a little guidance to those who are struggling to identify different parties in the ecosystem and draft contractual provisions accordingly. It is also intended to become a chapter in the second edition of the IAPP’s “Data Processing Agreements” book in 2020. Read More

In August 2019, the International Standards Organization released its first global privacy standard, ISO/IEC 22701. To offer insight into the professional skill set necessary to implement this new global privacy standard, the International Association of Privacy Professionals’ Westin Research Center mapped ISO/IEC 27701 to the bodies of knowledge for a Certified Information Privacy Professional/Europe and a Certified Information Privacy Manager. Read More

In this fourth part in a series of white papers for technology pros, we’ll explore the organic chemistry of computer science, specifically data structures. Read More

To help businesses operationalize CCPA’s requirements, we present here five concrete action items privacy professionals can tackle, as well as the considerations that underpin each step. We discuss how to determine whether and how CCPA applies to your business, necessary updates to vendor contracts and privacy notices, areas of focus to enable consumer requests, and organizational training needs. In each regard, we outline core requirements and point to additional resources for a deeper dive. Read More

(October 2019) – In this third installment in a series of white papers, we’ll introduce some of the common terms used when describing cloud applications and discuss some basic principles of software architecture, the abstract organization of software that are integral to a functional and secure cloud solution. Read More

(JUpdated: October 2019) – Over the past year, numerous lawmakers and organizations have offered proposals or recommendations regarding a new U.S. federal data privacy law. To shine more light on the specific provisions that are being debated, we look here at a set of bills that have been introduced in Congress in the past year, from the Consumer Data Protection Act introduced by Senator Ron Wyden, D-Ore., to the Algorithmic Accountability Act of 2019 and the Do Not Track Act, among many others. Read More

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

(July 2019) – In this second part in a series of white papers for technology pros, we’ll look at some of the major facets of modern database design and management with a focus on the large internet-based database systems that define modern technology, including distributed databases, errors and backups. Read More

(June 2019) – This white paper, authored by Baker & McKenzie Partner Lothar Determann and IAPP Westin Fellow Mitchell Noordyke, CIPP/E, CIPP/US, CIPM, outlines how businesses must develop a perspective on the definition of account as they work to operationalize their CCPA compliance programs with respect to data access requests.  Read More

(May 2019) – For this new IAPP white paper, IAPP Senior Privacy Fellow Caitlin Fennessy, CIPP/US, reviewed European Data Protection Board and DPA reports and sought input from regulators in Austria, France, Ireland and the United Kingdom on five key issues, including the number and nature of complaints, investigations and data protection officer notifications over the first year of the GDPR, and the technical challenges and guidance needed in the year ahead. Read More

(April 2019) – With The California Consumer Privacy Act taking effect Jan. 1, 2020, and becoming enforceable July 1, 2020, the IAPP and OneTrust fielded an early 2019 survey to determine where U.S. privacy professionals stand on CCPA compliance Read More

(February 2019) – This white paper aggregates the results of 12 different surveys conducted between September 2016 and July 2018 on organizational GDPR-compliance efforts before and after the May 25, 2018, implementation deadline to gain the deepest insight possible into compliance efforts and costs at the organizational level on a global scale. This report presents the findings from that meta-analysis. Read More

(January 2019) – This e-book is intended to help privacy professionals make operational sense of the California Consumer Privacy Act of 2018 in its current form, understanding that the California legislature may tinker a bit before the law takes effect in January 2020. Read More

(November 2018) – Part of the IAPP's Talking Tech for Privacy Pros" white paper series. As this first part in a series of white papers on technology for privacy pros, we’re going to look at the very basics of the art of database design, with an eye towards helping the busy privacy professional understand at a glance what data an organization is storing and how, and provide some suggestions for ensuring the data is stored consistently and accurately. Read More

(October 2018) – This report provides an overview of how organizations can operationalize data ethics, drawing on the discussions at the UN GP/IAPP event as well as on additional research about data ethics and privacy best practices in a world of big data analytics. Read More

(July 2018) – Implementing a “positive-sum” approach, one of the seven principles of privacy by design, in which stakeholders share a single set of objectives driving the design, development and implementation of business initiatives or technologies, provides a strategic boost toward attaining effectiveness and sustainability. In this white paper get insight on the benefits of a positive-sum approach and operationalizing it in your organization. Read More

(May 2018) – In this white paper, InfraGard General Counsel Kelce Wilson, CIPP/E, CIPP/US, CIPM, presents several scenarios and corresponding vulnerabilities that could compromise encrypted data and result in a data breach. Read More

(April 2018) – This IAPP white paper is divided broadly into two sections: The first explores the legislative actions that the GDPR requires member states to take, while the second examines the optional powers and authority available to them to carve out exceptions for or to clarify the GDPR’s rules. Read More

(April 2018) – This IAPP white paper by Emily Cramer, CIPP/US, offers a comparative analysis of the U.S. and EU children's data protection frameworks for the education technology industry. Read More

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO’s 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance that security has likely already done. With this research project, we have identified six main areas of common ground that should help every organization align their security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust. Read More

(February 2018) – As an organization, you have obligations to your customers and other stakeholders to protect their personal information. Some obligations are regulatory, some by statute, some by contract, and some simply due to public expectations. This white paper outlines six ways that establishing a privacy awareness training program will help your team to think about privacy and meet these obligations. Read More

(January 2018) – This IAPP Westin Research Center report analyzes privacy regulators’ budget and staffing levels. Using data from the International Conference of Data Protection and Privacy Commissioners’ Census 2017, the analysis reveals that data protection authorities in North America have larger budgets and more staff than their counterparts around the world. Read More

In this white paper, learn about how drawing from this trustworthy local business model can help when developing privacy awareness within an organization. Read More

With the ever-evolving privacy requirements changing the global landscape, many information security professionals are being tasked with adding to or leading information privacy programs. It may seem like a natural progression, but there are five lessons I had to learn when I made my transition from working in the security and audit (with a focus on security) fields to information privacy. In this white paper, learn tips to help make the transition from security to privacy, and get insight on some of the disconnects between the two fields. Read More

(January 2018) – Many employees, especially at medium-sized firms, get approached by their superiors asking them to wear “different hats.” Lately, a lot of people have been trying privacy hats on for size. Although this may not necessarily be a problem for those of us wishing to acquire new skills, it could pose challenges for others. Particularly for individuals with limited privacy knowledge, they may not know where and/or how to start figuring out what privacy is and how it impacts their organization. In this white paper, get an overview of the questions you should ask, the regulations you should know about and some ways forward when addressing organizational privacy needs in Canada. Read More

(January 2018) – A privacy program cannot be successful without training. There is a Chinese saying: “Those who want to get the job done must first sharpen their tools.” An effective privacy training not only enables an organization’s privacy initiatives, but also enhances an organization’s overall operation in the areas of Privacy by Design and data protection-centric security practices. In this white paper, learn about the essential elements of an organizational privacy training program. Read More

(January 2018) – "Privacy and data security is for everyone" is a commonly accepted statement, is largely true, and is completely misleading. There is virtually no company in the U.S. that does not have specific legal obligations and risks related to the privacy and security of personal data. The details may change, depending on the industry and a company’s practices. But for most companies, there is a core set of common obligations in an exceedingly complicated area, where the compliance challenges and legal risks are only growing. In this white paper, get an overview of the privacy law environment in the U.S., and learn about some broadly reaching laws that likely affect your organization. Read More

Employees are required to remember seemingly countless privacy regulations and policies, which requires privacy programs to monitor and reinforce positive behaviors all the time. Still, when a privacy incident is reported the privacy office, it’s easy to become dismayed at how the mistake could have possibly occurred. Many incidents occur even as employees believe they are doing the right thing, but are instead burdening the company with unnecessary risk. In this white paper, learn about the top mistakes employees make, absent proper awareness and training. Read More

Published: March 2018 Click To Access In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mappingBy Rita Heimes,... Read More

(December 2016) – In this 10-part series, IAPP Research Director Rita Heimes, CIPP/US, and Westin Research Fellows Gabriel Maldoff, CIPP/US, and Anna Myers, CIPP/US, explore the major issues with which organizations will have to grapple as they bring themselves into compliance with the world’s most impactful privacy law. Read More

(December 2017) – The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with the digital interfaces and an analysis of the text. Read More

(October 2017) – This IAPP white paper by Enterprivacy Consulting Group's Jason Cronk attempts to contrast two approaches to privacy by design, the PIA-based PbD approach and the proactive — or strategic — PbD approach. Read More

(September 2017) – In this white paper overview, IAPP Legal Extern Carissa Hanratty, CIPP/US, explores some of the jurisdictions in which personal liability exists, with an appendix linking to the various legal texts. Read More

(February 2018) – At a meeting in Vancouver in February 2018, the American Bar Association's House of Delegates voted to approve a resolution on the IAPP's Privacy Law Specialist accreditation. Under U.S. law, attorneys have the right to advertise that they specialize in a particular field of law if they are certified as such by a “bona fide” organization. At the meeting of the Standing Committee on Specialization, Chair Barb Howard moved for support of the IAPP’s program and gave strong remarks in favor of it. Three delegates spoke against the resolution, each of them asserting that the definition of “privacy law” was too broad and would be confusing to members of the public. But in the end, the resolution passed. Read More

(May 2017) – In this white paper, Jeff Lambe, CIPP/US, offers an overview of the U.S. Video Privacy Protection Act, originally passed in 1988 and amended in 2012, including how its been applied to online content. The paper highlights relevant court decisions, showing the shifting interpretations of the VPPA with the rise of new technologies. The paper also discusses the uncertain future of video privacy under U.S. law. Read More

(May 2017) – This guide from the IAPP Westin Research Center describes the various paths the Federal Trade Commission may pursue when it brings privacy cases under its primary consumer protection authority, Section 5(a) of the FTC Act. The guide also discusses the various avenues that the FTC may pursue in seeking these remedies (e.g. administrative adjudication and filing suit directly in federal district court), and how these respective avenues lead to different available outcomes (e.g. fines, injunctive relief). Each path that the Guide outlines includes links to illustrative cases in the IAPP’s FTC Casebook, which serve as examples of instances when the FTC utilized that particular avenue. Read More

(April 2017) – We hear about “mitigating privacy risk” on a regular basis. The GDPR calls for a risk-based approach to privacy operations. Certain “high-risk” endeavors even trigger data protection impact assessments and calls to the local data protection authority’s office? Rarely, however, do we see risk-scoring in action. Until now. The IAPP and Kryptowire have teamed to survey 400 privacy professionals regarding how they score the risk of collecting dozens of types of personal data and performing actions in the mobile environment. We used this data to create this detailed report on mobile-risk scoring, which has been used to fuel the risk dashboard in Kryptowire’s Mobile App Privacy Analysis Portal, available to any IAPP member for analysis of one iOS app and one Android app. Read More

(March 2017) – This IAPP report offers an estimate of the amount of training necessary to get the baseline knowledge needed to be a DPO, including a survey of available trainings. Read More

(November 2016) – The IAPP-TRUSTe 2016 study on privacy practices asked 244 privacy professionals about their organizations’ progress toward GDPR compliance, such as whether they have a data protection officer, as well as questions about data hygiene habits like privacy assessments and data inventory and mapping exercises. Read More

(November 2016) – In this white paper, IAPP Knowledge Manager Emily Leach, CIPP/US, offers some persuasive reasons a solid privacy program is worth paying for. Read More

(March 2016) – IAPP Westin Fellow Gabriel Maldoff, CIPP/US, examines the EU General Data Protection Regulation's risk-based approach to data protection in this white paper and offers guidance on where organizations will have to make decisions about risk and applying the GDPR to their operations. Read More

(May 2015) – IAPP CTO Jeff Northrop, CIPP, CIPT, offers 45 lessons learned from common mistakes occurring in blind spots created by a changing environment for IT professionals including data accuracy and appropriate use concerns. Each blind spot is accompanied by an example adding context and aiding the communication of the importance of this risk to organization executives. Read More

(April 2015) – This whitepaper from the IAPP outlines ways, as privacy becomes more of a business driver and is incorporated further into risk projections by corporate boards, IT professionals with privacy knowledge will prove themselves invaluable to smart and growing organizations. Read More

While there are a number of data breach guides out there, we have chosen to focus on the many relationships and stakeholders involved in breach preparedness and response. Responding to a breach correctly involves a suite of people both inside and outside your organization. Understanding the best way to most efficiently utilize those people goes a long way toward ensuring that your response manages costs, manages business impact and puts the breach behind your organization as quickly as possible. Read More

(October 2014) – This study suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance from the tersely phrased settlement orders, it parses the FTC’s complaints. By pointing out what companies did not have in their data security programs, the FTC provided a peek into what, in its opinion, these companies should have done. In doing so, the study organizes the FTC’s requirements into seven categories: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training. Read More

(January 2014) – Kinsella Media with the IAPP and Rust Consulting produced this whitepaper discussing the consequences of failing to make clear and accurate privacy disclosures in the framework of today’s legal and regulatory landscape. Researchers Michelle Ghiselli and Shannon Wheatman offer insights on crafting plain-language policies. Read More

(January 2014) – In this practical whitepaper, Omer Tene and Marc Groman, CIPP/US, offer tips to help small businesses safeguard consumer data, build trust and “avoid boosting newspaper sales with sensationalist business titles.” Read More

(March 2010) – In conjunction with our tenth anniversary, the IAPP has published a seminal white paper on the past, present and future of the privacy profession. “A Call for Agility: The Next-Generation Privacy Professional,” examines key developments in the privacy arena over the last 10 years. It offers a compelling perspective of what roles, issues and challenges will face us in the coming years. Read More