The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
On July 24, members of the Hogan Lovells global privacy team presented a webinar on the new California Consumer Privacy Act, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. In this post, we provide links to the recorded webinar and slide deck.
On June 28, 2018, California’s governor signed Assembly Bill 375, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. Particularly in light of California’s status as the world’s 5th largest economy, many are wondering how the new California Consumer Privacy Act will affect them. Please join members of the Hogan Lovells global privacy team for a live webinar on July 24 to learn what you should be focusing on now.
Join us this month as our Privacy and Cybersecurity team will discuss medical device cybersecurity preparedness and response, employee monitoring, IoT’s impact on health care, and key legal and compliance issues for insider threat programs.
It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.
Two weeks ago, certain territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2018 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including with Russia’s data localization requirement. The inspection plans contain a number of prominent multi-national and Russian companies.
Join us tomorrow, October 25 for the next installment of our 2017 Internet of Things webinar series and get practical guidance on privacy compliance challenges presented by the Internet of Things.
Growing evidence suggests that existing Telephone Consumer Protection Act compliance challenges, and the current TCPA litigation landscape, are increasingly a threat to many U.S. companies – particularly small businesses that have fewer resources and could face financial ruin if targeted by a class action lawsuit. To help address this issue and support the U.S. economy, Congress and the Federal Communications Commission should revise the current TCPA framework and facilitate reasonable, practical compliance approaches for companies attempting in good faith to communicate with customers.
Exactly one year before the EU General Data Protection Regulation becomes applicable, global law firm Hogan Lovells has launched GDPRnow, a mobile application that provides companies with assistance to identify practical steps to comply with the new framework. Conceived entirely in-house by the firm’s Privacy and Cybersecurity team, GDPRnow is the first app ever aimed at generating a GDPR compliance action plan specific to an individual business’s activities.
We are pleased to announce that Hogan Lovells Frankfurt-based Partner Tim Wybitul has published a handbook – EU-Datenschutz-Grundverordnung im Unternehmen: Praxisleitfaden – to assist organizations with compliance with the European General Data Protection Regulation. Written in German, the handbook includes plain-language summaries of GDPR requirements as well as project-planning and other checklists and examples to aid companies in complying with the Regulation. The handbook draws upon case studies to present lessons learned by several companies in their efforts to develop GDPR-compliant programs and is designed to be a useful resource for companies of all sizes.
Please join us for our November 2016 Privacy and Cybersecurity Events.
Part 10 of Future-Proofing Privacy: Enforcement and the Risk of Non-Compliance. One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
Anyone reading this blog already knows that cybersecurity is a team sport. No longer does the IT security department bear sole responsibility for protecting a company’s data and systems. Today companies are setting up enterprise-wide councils to oversee cybersecurity that include lawyers, risk managers, technical professionals, and other leaders. And if a breach occurs, that […]
Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also counts with some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency – with a reputation for being one of the fiercest of the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.
Earlier this month, the Payment Card Industry Security Standards Council (PCI SSC) released Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS), which includes several enhanced security requirements that will affect how businesses protect payment card data in their systems. The updated standard calls upon businesses to take a more active role in security compliance. It also addresses several common vulnerabilities in the cardholder data environment, including weak passwords, fallible authentication methods, unpatched malware protection, and inadequate threat monitoring practices. The end result is a standard that gives businesses a clearer, yet more stringent, set of baseline requirements for protecting cardholder data. Compliance with Version 3.0 is required as of January 1, 2015, although some of the new requirements will not go into effect until July 1, 2015. Until then, they are recommended as best practices.
In the most significant change to HIPAA since the law was enacted, the Department of Health and Human Services issued an omnibus HIPAA regulation, which will require substantial operational changes for HIPAA covered entities and their business associates. Ten important changes are: Changes to the data breach rule will make more incidents reportable. Business associates are […]
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), released on November 14, 2012 English-language versions of its compliance guides for businesses. The first guide, “Methodology for Privacy Risk Management”, provides a step-by-step guide for identifying risks and prioritising remedial actions. The second guide, “Measures for the Privacy Risk Treatment“, provides practical guidance on […]
Hogan Lovells privacy leader Chris Wolf has authored an article in Inside Counsel magazine, a journal providing insights for law department leaders. The piece is entitled “The Risks of Neglecting Privacy” and explains how privacy concerns likely will result in a stricter legal and regulatory framework, meaning that companies should act now to bolster consumer protection. This blog entry contains excerpts from and a link to the full article.
A financial services industry group recently released guidance on managing the risks associated with using social media such as Facebook and Twitter. The guidance, titled “Social Media Risks and Mitigation,” was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The guidance includes tips on managing numerous concerns specific to financial institutions, which are increasingly using social media in their marketing and customer relationship activities.
The FTC just unveiled an extremely useful web site with compliance tools that include a robust selection of privacy-related materials.