Tag Archives for "guidance"

NIST releases latest version of its Cybersecurity Framework

On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.

The Cybersecurity Framework aims to focus on industries vital to national and economic security, including energy, banking, communications, and defense, and provides a universal structure that can be tailored to varied methods of cybersecurity by compiling effective standards, guidelines, and practices into one framework.

Source: NIST releases latest version of its Cybersecurity Framework

A little help with DPO contracts

With the EU General Data Protection Regulation nearly upon us, we at the IAPP have been getting an onslaught of calls and emails from members asking for compliance help.

As the manager of our online Resource Center, I am on the receiving end of the bulk of those questions. Of late, one of the more frequent requests is for a sample data protection officer contract for organizations that need a DPO under the GDPR and plan to outsource the job.

Source: A little help with DPO contracts

Data Mining and GDPR Compliance

Unlike most privacy regulations in the U.S., the EU defines the term “personal data” broadly—it includes “any information relating to an identified or identifiable natural person (the ‘data subject’).”

This means that even the most basic contact information, such as business card details or simply a name and email address, falls under the GDPR’s protections. Public sources of information, such as a residential phone listing, are not exempted from the GDPR’s restrictions.

Source: Data Mining and GDPR Compliance: Dealing with Obtaining EU Personal Information from Third Parties Under the GDPR (Including a Notification Checklist!) – Lex Indicium

Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems

This is the initial public draft of NIST’s newest guideline that provides a flexible systems engineering-based framework to help organizations address the Advanced Persistent Threat (APT).

Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, is the first in a series of specialty publications developed to support NIST Special Publication 800-160 Volume 1, the flagship Systems Security Engineering guideline.

Source: SP 800-160 Vol. 2 (DRAFT), Systems Security Engineering: Cyber Resiliency | CSRC

Leveraging GDPR to Become a Trusted Data Steward

The EU’s General Data Protection Regulation (GDPR) establishes new standards for handling customer data, increasing both the challenge and the rewards of proactively earning consumers’ trust.

The Boston Consulting Group and the global law firm DLA Piper have collaborated to produce a new report, Leveraging GDPR to Become a Trusted Data Steward, that examines key features of the new regulation, considers the readiness of companies to meet its provisions, and (perhaps most significantly) inquires into a mismatch between what many companies imagine to be the sources of consumer mistrust over data use and consumers’ actual concerns.

Source: Leveraging General Data Protection Regulation (GDPR) to Become a Trusted Data Steward

New GDPR Guidelines from the Italian data protection authority

Italian companies can now rely on guidelines on how to comply with the European privacy regulation (GDPR), which unveil some interesting positions.

After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali (the “Italian DPA”), issued its 6-step methodology on the GDPR, which also aims to increase awareness of the most relevant changes the regulation introduces.

Source: ITALY: New GDPR Guidelines from the Italian data protection authority

The Polish DPA’s draft list of triggers for mandatory DPIAs

In line with Article 35(4) of the GDPR, the Polish Data Protection Authority prepared and published a draft list of the kinds of processing operations subject to a mandatory data protection impact assessment (DPIA).

According to the authority's statements, the list is based on more than twenty years of the authority's experience and reflects the DPIA requirements highlighted by the Article 29 Working Party in its Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (wp248rev.01).

Source: The Polish DPA’s draft list of triggers for mandatory DPIAs

New guide regarding security of personal data from French DPA

The GDPR provides in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

But when one is not familiar with risk management methodologies, it is sometimes difficult to implement this approach and to be sure that at least the minimum has been done. To help professionals with their compliance, the CNIL has published a guide recalling the basic precautions that should be implemented systematically.

Source: A new guide regarding security of personal data | CNIL

Data Security And Data Breaches: What’s A Lawyer To Do?

How can lawyers help their clients protect their data, and how can lawyers help in the event of a breach?

Data security is more important than ever, as reflected in its status as a legal requirement across industries. But it is a very challenging issue for lawyers.

Source: Data Security And Data Breaches: What’s A Lawyer To Do? | Above the Law
