Month: September 2019

Privacy Update 27th September 2019

In the news this week: Ecuadorian legislators have fast-tracked the country’s first data protection law following a data breach that affected almost the entire population. CJEU – Google does not have to make the “right to be forgotten” available worldwide. European Commission and U.S. Department of Justice officials begin formal negotiations on an EU-U.S. agreement to facilitate access to electronic evidence …

Third Party Assurance gets new baseball bat

This initial investigation was triggered by guidance released by the ICO in the UK, which insists that processors must grant audit and inspection rights to their controllers in their contractual terms. In the GDPR, Article 28.3.h states that the contract or other legal act shall stipulate, in particular, that the processor: makes available …

Privacy Update 20th September 2019

In the news this week: 3rd annual Privacy Shield review completed – joint statement released, EC report to follow. Access Now requests it be struck down. US Big Tech’s Disingenuous Push for a Federal Privacy Law. Over 13.7M US medical test records found unsecured on servers. IAPP has produced a CCPA amendment tracker. Poland’s DPA has fined the shopping site morele.net around €650,000 …

Privacy Update 13th September 2019

In this week’s news: The interaction of Data Protection and the UK Government – ICO to probe government over Gov.uk data collection plan. The ICO has urged businesses to “prepare for all scenarios” as it publishes dedicated guidance to help small and medium sized organisations prepare. Report finds 48% of UK businesses are fully compliant with GDPR. I suspect it’s close to …

Third Party Security Assurance Questions – Part 2

We left off last time on Risk Treatment. The previous post is here. Continuing with ISO 27001 as the base for our questions, the next section is Performance Evaluation. Performance Evaluation: in ISO 27001 speak, this is the monitoring of your security controls. You can understand a lot about the maturity …

Understanding ISO 27701 – Missing GDPR Controls Part 2

In my previous post, we left the GDPR review at Recital 74. This was quite a deliberate breakpoint, as Recitals 75 and 76 take us straight into the meat of the DPIA (Data Protection Impact Assessment). Privacy Impact Assessment: the ISO 27701 standard refers to a Privacy Impact Assessment as a method to determine the …

How not to create a Maturity Model for Third Parties

The US Department of Defense recently released version 0.4 of its Cybersecurity Maturity Model Certification (CMMC). This is supposed to make third parties more accountable to the DoD for the security controls protecting the sensitive information they handle. If you cannot follow the link, it is because you are not in the US. They have …
