""

 

IAPP White Papers

Find all of the latest white papers produced and published by the IAPP, organized by the year in which they were published.

Featured White Papers

Negotiating privacy: Bipartisan agreement on US privacy rights

This white paper examines the progress made in Congress toward bipartisan agreement on privacy rights over the current legislative session, analyzing the 18 bipartisan federal privacy bills introduced in the 117th Congress.
Read More

2022 Global Legislative Predictions

The urgency to pass or update privacy laws around the world seems to heat up more each year, and 2022 is likely to be a hot one. This year’s issue of the IAPP’s Global Legislative Predictions is the largest to date since the IAPP began tracking predictions in 2017.
Read More

The Skill Set Needed to Implement a Risk Management Framework

To offer insight into the skill set technologists need to implement a privacy risk management framework, the IAPP mapped the Privacy Framework’s Core to the Body of Knowledge for a Certified Information Privacy Technologist.
Read More


""

Latest White Papers

White Paper – Assessing the Right to Personal Data Portability in Mexico

The right to personal data portability arises as a new complementary modality to the right of access to personal data that had its origin in the EU General Data Protection Regulation. Mexico, by enacting the personal data protection regulations in the public sector in January 2017, adopted this figure, creating an asymmetry among the personal data protection regulations held by private parties. Read More

White Paper – DPAs on the Ground

This piece focuses on the resources available to each DPA and its progress so far in addressing complaints, both individually and in coordination with other member states. Additionally, it highlights the GDPR's impact on budget and staffing levels in relation to a country's GDP. Results from the questionnaire provide an illustrative snapshot into DPAs’ work “on the ground.” Read More

2019 IAPP White Papers

White Paper – The Skill Set Needed to Implement a Global Privacy Standard: ISO/IEC 27701 alignment with IAPP CIPM and CIPP/E certifications

In August 2019, the International Standards Organization released its first global privacy standard, ISO/IEC 27701. To offer insight into the professional skill set necessary to implement this new global privacy standard, the International Association of Privacy Professionals’ Westin Research Center mapped ISO/IEC 27701 to the bodies of knowledge for a Certified Information Privacy Professional/Europe and a Certified Information Privacy Manager. Read More

White Paper – 5 Steps You Must Take to Prepare for the CCPA

To help businesses operationalize CCPA’s requirements, we present here five concrete action items privacy professionals can tackle, as well as the considerations that underpin each step. We discuss how to determine whether and how CCPA applies to your business, necessary updates to vendor contracts and privacy notices, areas of focus to enable consumer requests, and organizational training needs. In each regard, we outline core requirements and point to additional resources for a deeper dive. Read More

White Paper – Consensus and Controversy in the Debate Over US Federal Data Privacy Legislation

(Updated: October 2019) – Over the past year, numerous lawmakers and organizations have offered proposals or recommendations regarding a new U.S. federal data privacy law. To shine more light on the specific provisions that are being debated, we look here at a set of bills that have been introduced in Congress in the past year, from the Consumer Data Protection Act introduced by Senator Ron Wyden, D-Ore., to the Algorithmic Accountability Act of 2019 and the Do Not Track Act, among many others. Read More

Implementing the CCPA: A Guide for Global Business, Second Edition

(September 2019) – This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed. The point is to help companies that do not wish to be the target of class-action activity after the CCPA’s January 1, 2020, effective date to avoid becoming “low-hanging fruit." Read More

White Paper – GDPR at One Year: What We Heard from Leading European Regulators

(May 2019) – For this new IAPP white paper, IAPP Senior Privacy Fellow Caitlin Fennessy, CIPP/US, reviewed European Data Protection Board and DPA reports and sought input from regulators in Austria, France, Ireland and the United Kingdom on five key issues, including the number and nature of complaints, investigations and data protection officer notifications over the first year of the GDPR, and the technical challenges and guidance needed in the year ahead. Read More

White Paper – Timelines and budgets for GDPR compliance: A meta-analysis

(February 2019) – This white paper aggregates the results of 12 different surveys conducted between September 2016 and July 2018 on organizational GDPR-compliance efforts before and after the May 25, 2018, implementation deadline to gain the deepest insight possible into compliance efforts and costs at the organizational level on a global scale. This report presents the findings from that meta-analysis. Read More

2018 IAPP White Papers

White Paper – Talking Tech for Privacy Pros: Databases 101

(November 2018) – Part of the IAPP's "Talking Tech for Privacy Pros" white paper series. In this first part of a series of white papers on technology for privacy pros, we look at the very basics of the art of database design, with an eye toward helping the busy privacy professional understand at a glance what data an organization is storing and how, and we offer some suggestions for ensuring the data is stored consistently and accurately. Read More

White Paper – Applying the Positive-Sum Principle for Successful Privacy by Design Outcomes

(July 2018) – Implementing a “positive-sum” approach, one of the seven principles of privacy by design, in which stakeholders share a single set of objectives driving the design, development and implementation of business initiatives or technologies, provides a strategic boost toward attaining effectiveness and sustainability. In this white paper, get insight on the benefits of a positive-sum approach and on operationalizing it in your organization. Read More

White Paper – IAPP-OneTrust Research: Bridging ISO 27001 to GDPR

(March 2018) – The IAPP and OneTrust have undertaken the task of mapping the most common security operations standard, ISO’s 27001, to the world’s most influential piece of privacy legislation, the GDPR, so as to create a framework for understanding just how closely they align and how much of the work toward GDPR compliance security teams have likely already done. With this research project, we have identified six main areas of common ground that should help every organization align its security and privacy operations in a way that will create efficiencies and, hopefully, reduce the risk of a damaging incident while increasing productivity and customer trust. Read More

White Paper – 6 Ways Privacy Awareness Training Will Transform Your Staff

(February 2018) – As an organization, you have obligations to your customers and other stakeholders to protect their personal information. Some obligations are regulatory, some by statute, some by contract, and some simply due to public expectations. This white paper outlines six ways that establishing a privacy awareness training program will help your team to think about privacy and meet these obligations. Read More

White Paper – Five Lessons I Learned Transitioning from Security to Privacy

With the ever-evolving privacy requirements changing the global landscape, many information security professionals are being tasked with adding to or leading information privacy programs. It may seem like a natural progression, but there are five lessons I had to learn when I made my transition from working in the security and audit (with a focus on security) fields to information privacy. In this white paper, learn tips to help make the transition from security to privacy, and get insight on some of the disconnects between the two fields. Read More

White Paper – Getting Started with Privacy in Canada

(January 2018) – Many employees, especially at medium-sized firms, get approached by their superiors asking them to wear “different hats.” Lately, a lot of people have been trying privacy hats on for size. Although this may not necessarily be a problem for those of us wishing to acquire new skills, it could pose challenges for others. Particularly for individuals with limited privacy knowledge, they may not know where and/or how to start figuring out what privacy is and how it impacts their organization. In this white paper, get an overview of the questions you should ask, the regulations you should know about and some ways forward when addressing organizational privacy needs in Canada. Read More

White Paper – Must-Have Privacy Training Features for Your Team

(January 2018) – A privacy program cannot be successful without training. There is a Chinese saying: “Those who want to get the job done must first sharpen their tools.” An effective privacy training not only enables an organization’s privacy initiatives, but also enhances an organization’s overall operation in the areas of Privacy by Design and data protection-centric security practices. In this white paper, learn about the essential elements of an organizational privacy training program. Read More

White Paper – Privacy and Data Security is for Everyone

(January 2018) – "Privacy and data security is for everyone" is a commonly accepted statement, is largely true, and is completely misleading. There is virtually no company in the U.S. that does not have specific legal obligations and risks related to the privacy and security of personal data. The details may change, depending on the industry and a company’s practices. But for most companies, there is a core set of common obligations in an exceedingly complicated area, where the compliance challenges and legal risks are only growing. In this white paper, get an overview of the privacy law environment in the U.S., and learn about some broadly reaching laws that likely affect your organization. Read More

White Paper – They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them)

Employees are required to remember seemingly countless privacy regulations and policies, which requires privacy programs to monitor and reinforce positive behaviors all the time. Still, when a privacy incident is reported to the privacy office, it’s easy to become dismayed at how the mistake could have possibly occurred. Many incidents occur even as employees believe they are doing the right thing, but are instead burdening the company with unnecessary risk. In this white paper, learn about the top mistakes employees make, absent proper awareness and training. Read More

eBook – Top 10 operational responses to the GDPR

(March 2018) – In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping; Part 2: Lawfu... Read More

2017 IAPP White Papers

White Paper – The UX Guide to Getting Consent

(December 2017) – The GDPR requires organizations to give notice to data subjects about how their data is being collected, used, shared and destroyed, but offers nothing in the way of how to do that. Create with Context and the IAPP built this handy guide to getting consent under the GDPR, combining a look into how users interact with the digital interfaces and an analysis of the text. Read More

White Paper – IAPP Privacy Law Specialist Designation

(February 2018) – At a meeting in Vancouver in February 2018, the American Bar Association's House of Delegates voted to approve a resolution on the IAPP's Privacy Law Specialist accreditation. Under U.S. law, attorneys have the right to advertise that they specialize in a particular field of law if they are certified as such by a “bona fide” organization. At the meeting of the Standing Committee on Specialization, Chair Barb Howard moved for support of the IAPP’s program and gave strong remarks in favor of it. Three delegates spoke against the resolution, each of them asserting that the definition of “privacy law” was too broad and would be confusing to members of the public. But in the end, the resolution passed. Read More

White Paper – Applying VPPA to Online Video Privacy

(May 2017) – In this white paper, Jeff Lambe, CIPP/US, offers an overview of the U.S. Video Privacy Protection Act, originally passed in 1988 and amended in 2012, including how it has been applied to online content. The paper highlights relevant court decisions, showing the shifting interpretations of the VPPA with the rise of new technologies. The paper also discusses the uncertain future of video privacy under U.S. law. Read More

White Paper – IAPP Guide to FTC Privacy Enforcement

(May 2017) – This guide from the IAPP Westin Research Center describes the various paths the Federal Trade Commission may pursue when it brings privacy cases under its primary consumer protection authority, Section 5(a) of the FTC Act. The guide also discusses the various avenues that the FTC may pursue in seeking these remedies (e.g. administrative adjudication and filing suit directly in federal district court), and how these respective avenues lead to different available outcomes (e.g. fines, injunctive relief). Read More

White Paper – Assessing Mobile App Data Privacy Risk

(April 2017) – We hear about “mitigating privacy risk” on a regular basis. The GDPR calls for a risk-based approach to privacy operations. Certain “high-risk” endeavors even trigger data protection impact assessments and calls to the local data protection authority’s office. Rarely, however, do we see risk-scoring in action. Until now. The IAPP and Kryptowire have teamed up to survey 400 privacy professionals regarding how they score the risk of collecting dozens of types of personal data and performing actions in the mobile environment. We used this data to create this detailed report on mobile-risk scoring, which has been used to fuel the risk dashboard in Kryptowire’s Mobile App Privacy Analysis Portal, available to any IAPP member for analysis of one iOS app and one Android app. Read More

2016 IAPP White Papers

2015 IAPP White Papers

White Paper – Top 45 Security and Privacy Blind Spots

(May 2015) – IAPP CTO Jeff Northrop, CIPP, CIPT, offers 45 lessons learned from common mistakes occurring in blind spots created by a changing environment for IT professionals including data accuracy and appropriate use concerns. Each blind spot is accompanied by an example adding context and aiding the communication of the importance of this risk to organization executives. Read More

2014 IAPP White Papers

White Paper – Managing Your Data Breach

While there are a number of data breach guides out there, we have chosen to focus on the many relationships and stakeholders involved in breach preparedness and response. Responding to a breach correctly involves a suite of people both inside and outside your organization. Understanding how to use those people most efficiently goes a long way toward ensuring that your response manages costs, manages business impact and puts the breach behind your organization as quickly as possible. Read More

White Paper – Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

(October 2014) – This study suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance from the tersely phrased settlement orders, it parses the FTC’s complaints. By pointing out what companies did not have in their data security programs, the FTC provided a peek into what, in its opinion, these companies should have done. In doing so, the study organizes the FTC’s requirements into seven categories: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training. Read More

2013 & Earlier

White Paper – A Call for Agility: The Next-Generation Privacy Professional

(March 2010) – In conjunction with our tenth anniversary, the IAPP has published a seminal white paper on the past, present and future of the privacy profession. “A Call for Agility: The Next-Generation Privacy Professional” examines key developments in the privacy arena over the last 10 years. It offers a compelling perspective on what roles, issues and challenges will face us in the coming years. Read More