Data Privacy Archives | Calligo https://www.calligo.io/insights/data-privacy-glossary/ Building value through data Mon, 08 Apr 2024 15:49:45 +0000

Navigating the EU’s proposed Artificial Intelligence Act: What Organisations Need to Know https://www.calligo.io/insights/glossary/eu-proposed-artificial-intelligence-act/ Tue, 12 Mar 2024 15:12:23 +0000

The EU AI Act (the “AI Act”) is the world’s first comprehensive AI law. The Act lays down a harmonised legal framework for the development, supply, and use of AI products and services in the EU.  

To whom does the AI Act apply? 

The legal framework will apply to all AI systems impacting people in the EU, regardless of where systems are developed or deployed. 

When will the AI Act take effect? 

The AI Act is currently expected to enter into force in Q2-Q3 2024, with different obligations then taking effect in stages. 

Understanding the AI Act’s Objectives 

The draft AI Act seeks to achieve a set of specific objectives:  

  • Ensuring that AI systems placed on the EU market are safe and respect existing EU law; 
  • Ensuring legal certainty to facilitate investment and innovation in AI; 
  • Enhancing governance and effective enforcement of EU law on fundamental rights and safety requirements applicable to AI systems; and  
  • Facilitating the development of a single market for lawful, safe, and trustworthy AI applications and preventing market fragmentation.  

AI Act: different rules for different risk levels 

The new rules establish obligations for providers and users depending on the level of risk posed by the AI system. While many AI systems pose only minimal risk, every system still needs to be assessed to determine which risk category it falls into. 

 
1. Unacceptable risk 

Unacceptable risk AI systems are systems considered a threat to people and will be banned.  

They include: 

  • Cognitive behavioural manipulation of people or specific vulnerable groups: for example, voice-activated toys that encourage dangerous behaviour in children. 
  • Social scoring: classifying people based on behaviour, socio-economic status, or personal characteristics. 
  • Biometric categorisation of people based on sensitive characteristics such as race, political opinions, religious beliefs or sexual orientation. 
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, such as live facial recognition, other than in the narrow exceptions described below. 

Some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval. 

2. High risk 

AI systems that negatively affect safety or fundamental rights will be considered high risk and will be divided into two categories: 

1) AI systems that are used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices and lifts. 

2) AI systems falling into specific areas that will have to be registered in an EU database: 

  • Management and operation of critical infrastructure 
  • Education and vocational training 
  • Employment, worker management and access to self-employment 
  • Access to and enjoyment of essential private services and public services and benefits 
  • Law enforcement 
  • Migration, asylum and border control management 
  • Assistance in legal interpretation and application of the law. 

 
All high-risk AI systems will be assessed before being put on the market and also throughout their lifecycle. 

3. General purpose and generative AI 

Generative AI, like ChatGPT, would have to comply with transparency requirements: 

  • Disclosing that the content was generated by AI. 
  • Designing the model to prevent it from generating illegal content. 
  • Publishing summaries of copyrighted data used for training. 

High-impact general-purpose AI models that might pose systemic risk, such as the more advanced AI model GPT-4, would have to undergo thorough evaluations and any serious incidents would have to be reported to the European Commission. 

4. Limited risk 

Limited risk AI systems should comply with minimal transparency requirements that allow users to make informed decisions. Users should be made aware when they are interacting with AI, so that after interacting with an application they can decide whether they want to continue using it. This includes AI systems that generate or manipulate image, audio or video content, for example deepfakes. 

Opportunities 

Ethical Leadership: Organisations that prioritise ethical AI practices and demonstrate a commitment to responsible innovation can enhance their reputation and build trust with consumers, employees, and regulators. By aligning with the principles of the AI Act, organisations can position themselves as leaders in ethical AI deployment. 

Innovation and Differentiation: The AI Act promotes regulatory sandboxes and real-world testing, providing opportunities for organisations to innovate and develop AI solutions in a controlled environment. Companies that invest in compliance and develop AI systems that meet the AI Act’s standards can differentiate themselves in the market and gain a competitive edge. 

Market Expansion: Compliance with the AI Act allows organisations to access the European market with confidence, as they demonstrate adherence to regulatory requirements and respect for fundamental human rights. This opens opportunities for expansion and growth in a region that values ethical AI practices. 

Talent Acquisition: Companies that invest in talent acquisition and training to support compliance with the AI Act can attract top-tier professionals with expertise in AI governance, ethics, and regulatory compliance. Building a skilled workforce capable of navigating the complexities of AI regulation is essential for long-term success. 

The AI Act represents a real opportunity for organisations that are looking to leverage the power of AI. However, there are some threats that business leaders also need to consider. 

Threats: 

Compliance Costs: The AI Act imposes significant compliance costs on organisations, including overhead expenses related to risk assessments, governance frameworks, and regulatory reporting. Companies that fail to allocate sufficient resources to compliance with the Act may face financial strain and operational challenges. 

Fines and Penalties: Non-compliance with the AI Act can result in substantial fines: up to €35 million or 7% of global annual turnover for prohibited practices, up to €15 million or 3% for other breaches of the Act’s obligations, and up to €7.5 million or 1% for supplying incorrect information to authorities, in each case whichever is higher (for SMEs and start-ups, whichever is lower). Organisations that neglect the AI Act’s requirements or underestimate the severity of regulatory violations risk facing severe financial penalties that could impact their bottom line and reputation. 

Operational Disruption: Implementing robust governance and oversight measures to ensure compliance with the AI Act may require operational adjustments and process changes. Organisations that fail to adapt their operations to meet the AI Act’s standards may experience disruption and inefficiencies that hinder productivity and competitiveness. 

Reputational Damage: Violations of the AI Act’s ethical standards or failures to comply with regulatory requirements can lead to reputational damage and loss of consumer trust. Organisations that are perceived as prioritising profit over ethics or disregarding fundamental human rights may face backlash from stakeholders and damage to their brand reputation. 

Conclusion  

While the AI Act presents opportunities for organisations to demonstrate ethical leadership, drive innovation, and access new markets, it also poses significant threats in terms of compliance costs, fines, operational disruption, and reputational damage. By proactively addressing these challenges and investing in compliance with the AI Act, organisations can navigate the regulatory landscape successfully and leverage AI technologies responsibly for long-term growth and sustainability. 

For more comprehensive information on Calligo’s Data Ethics and Governance solutions, visit https://www.calligo.io

For more information on Calligo’s AI solutions, visit https://www.calligo.io

Data Transformation Predictions for 2024 – Calligo Data Leaders Roundtable https://www.calligo.io/insights/beyond-data-podcast/data-leaders-roundtable-2024-predictions/ Wed, 06 Mar 2024 15:25:48 +0000

In this lively debate you will hear from Calligo’s Practice Leads as they discuss their key takeaways from 2023 and their data predictions for 2024 and beyond.

Topics discussed include:

  • Regulation of AI, including the EU AI Act
  • AI hallucinations and AI bias
  • Data governance and data fines
  • Dashboard fatigue
  • Data ROI

The Crucial Role of Network Penetration Testing in Today’s World https://www.calligo.io/insights/glossary/the-crucial-role-of-network-penetration-testing-in-todays-world/ Thu, 01 Feb 2024 11:45:26 +0000

In an era dominated by technological advancements and interconnected digital landscapes, the need for robust cybersecurity measures has never been more critical. Cyber threats, attacks, and ransomware incidents continue to rise, targeting organizations of all sizes and industries. In this landscape, network penetration testing has emerged as a vital component of a comprehensive cybersecurity strategy. Calligo, a leading innovator in the field, has introduced the vPenTest Platform powered by Vonahi, providing a powerful solution to organizations seeking to fortify their defenses against cyber threats.

Understanding the Landscape

The digital landscape is evolving at an unprecedented pace, with innovations such as cloud computing, IoT devices, and interconnected networks becoming integral parts of business operations. However, with these advancements come new and sophisticated cyber threats that exploit vulnerabilities in these systems. Cybercriminals are becoming more adept at finding and exploiting weaknesses in networks, leaving organizations susceptible to data breaches, financial loss, and reputational damage.

The Rising Threat of Cybercrime

The threat of cybercrime is not confined to a specific industry or region. From multinational corporations to small businesses, everyone is a potential target. Cybercriminals employ various tactics, such as phishing, malware attacks, and ransomware, to infiltrate networks and compromise sensitive information. As the digital landscape becomes more complex, the surface area for potential threats expands, making it imperative for organizations to stay one step ahead of cyber adversaries.

The Role of Network Penetration Testing

Network penetration testing, often grouped under the heading of ethical hacking, plays a crucial role in identifying and mitigating vulnerabilities within an organization’s IT infrastructure. Unlike preventive controls that focus on perimeter defenses, penetration testing simulates real-world attacks against the live environment, within an agreed scope and rules of engagement, to uncover weaknesses that scanners and configuration reviews miss. By doing so, organizations can proactively address and remediate vulnerabilities before malicious actors exploit them.

The Calligo vPenTest Platform: A Game-Changing Solution

Recognizing the escalating cyber threats faced by organizations globally, Calligo has introduced the vPenTest Platform, a cutting-edge penetration testing service powered by Vonahi. This automated solution is designed to address the challenges associated with traditional penetration testing and provides organizations with a comprehensive and efficient way to assess their security posture.

1. Expertise of Security Consultants

The vPenTest Platform amalgamates the expertise of seasoned security consultants into a deployable solution for organizations. These consultants bring years of experience and industry certifications, ensuring that the penetration testing is thorough, accurate, and aligned with the latest cybersecurity best practices. This level of expertise is critical in identifying and understanding complex vulnerabilities that automated tools alone may overlook.

2. Automated and Continually Evolving

Powered by Vonahi, the vPenTest Platform is not a static solution but a dynamic and continually evolving service. It uses automation to run comprehensive penetration tests, so organizations can assess their security posture on a regular cadence rather than as a one-off annual exercise. In an environment where new threats emerge constantly, the ability to adapt is paramount; the platform provides ongoing assessments and insights into emerging vulnerabilities.

3. Compliance and Security Best Practices

Meeting compliance requirements is a significant concern for organizations across various industries. The vPenTest Platform facilitates organizations in meeting these requirements by conducting penetration tests that align with regulatory standards. Additionally, it helps organizations adhere to security best practices, ensuring a proactive approach to cybersecurity rather than a reactive one.

4. Comprehensive Toolset

The vPenTest Platform comes equipped with a comprehensive toolset that empowers security consultants to conduct in-depth assessments. From vulnerability scanning to exploitation testing, the platform covers a wide range of testing scenarios. This versatility allows organizations to gain a holistic view of their security landscape, identifying and addressing vulnerabilities in various aspects of their infrastructure.

The Transformative Impact of vPenTest

In an ever-evolving threat landscape, the vPenTest Platform stands as a transformative solution for organizations seeking to fortify their cybersecurity defenses. By automating and streamlining the penetration testing process, Calligo enables organizations to efficiently identify and remediate vulnerabilities, reducing the risk of cyber threats and attacks.

As organizations navigate the complexities of the digital landscape, the importance of network penetration testing cannot be overstated. It is a proactive and strategic approach to cybersecurity, providing valuable insights into an organization’s security posture. Calligo’s vPenTest Platform, powered by Vonahi, emerges as a game-changing solution in this context, offering a potent combination of expertise, automation, and comprehensive tools. By embracing such innovative solutions, organizations can stay ahead of cyber threats, safeguard their digital assets, and build a resilient defense against the evolving challenges of the modern cyber landscape.


For more comprehensive insights into penetration testing, visit https://www.calligo.io

Data Sovereignty Unveiled – Balancing Rights, Privacy, and Innovation https://www.calligo.io/insights/beyond-data-podcast/beyond-data-episode-data-sovereignty-unveiled/ Mon, 10 Jul 2023 13:14:00 +0000

In this episode of the Beyond Data podcast series, Tessa Jones (Calligo’s Chief Data Scientist) and Peter Matson (ML Solution Architect) are joined by Martin Hoskin, Chief Technologist at VMware and Advisory Board Member for the Centre for Data Ethics & Innovation. In this enlightening discussion, we delve into the concept of data sovereignty and its implications for ethical data use, as well as explore how federated learning offers a promising solution to the challenges we face. 

Understanding Data Sovereignty

Data sovereignty encompasses the notion of data residency, access control, and governance. The dominance of American cloud providers, subject to U.S. laws, raises concerns about data privacy and security, particularly in the European context. For certain organizations, like government agencies and defense suppliers, data sovereignty becomes a critical factor. VMware has introduced a program to certify partners as Sovereign, ensuring data storage, processing, and governance are specified, differentiating them from major hyperscale cloud providers. 

The Challenge of Data Sharing

Data sovereignty also touches upon the ethical dilemma of sharing data for legitimate purposes like law enforcement investigations. Striking a balance between data privacy and the greater good is complex. For instance, the case of Apple’s cloud security raises questions about when governments should access personal data to combat serious crimes. 

Federated learning emerges as a promising solution to data sharing challenges. This approach enables entities to collaboratively train machine learning models without sharing raw data. Instead, local models are trained on separate datasets, and only aggregated model updates are shared with a central server. This preserves privacy and protects sensitive data, making it suitable for applications like fraud detection in the banking industry. 

Experimenting with Federated Learning

The Centre for Data Ethics & Innovation (CDEI) conducted an experiment using federated learning for government-provided services. The CDEI set up two data sets, one for detecting fraud in financial transactions using SWIFT data and another for studying the spread of COVID-19. The experiment highlighted the complexities of sharing data, including obtaining government buy-in and ensuring data anonymisation to protect privacy. 

While federated learning is ingenious, it comes with its own set of challenges. The model updates that reach the aggregator can potentially be reverse engineered to extract sensitive information about the underlying training records. On the other hand, the scale of data involved in real-world applications may make such reverse engineering more difficult. 

As data continues to play a critical role in various industries, addressing data sovereignty and privacy concerns remains paramount. Federated learning offers a way to enable collaboration without compromising data privacy. However, continuous innovation is necessary to tackle challenges like reverse engineering and fully realize the potential benefits of this approach. 
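The federated averaging loop described above, the "reverse engineering" concern, and one standard mitigation (masking the updates so the server only learns their sum), as an added example that is not part of the original podcast and is not Calligo, VMware or CDEI code. The three "clients", their rows, and the names CLIENTS, fedavg, invert_single_record_gradient, mask_updates and secure_sum are constructed for illustration; the model is a plain logistic regression so that every step is visible in pure Python.

```python
import math
import random

# Constructed toy data: three "clients" (say, three banks), each holding its own
# private (feature_vector, label) rows. Nothing here is real transaction data.
CLIENTS = [
    [([1.0, 2.0], 1), ([2.0, 1.5], 1), ([-1.0, -0.5], 0)],
    [([0.5, 0.5], 1), ([-2.0, -1.0], 0), ([-1.5, -2.0], 0)],
    [([3.0, 1.0], 1)],  # a client holding a single record
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(w, b, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def gradient(w, b, rows):
    """Mean logistic-loss gradient over one client's rows. Computed locally;
    only the result (never the rows) would be sent anywhere."""
    gw = [0.0] * len(w)
    gb = 0.0
    for x, y in rows:
        err = predict(w, b, x) - y
        for i, xi in enumerate(x):
            gw[i] += err * xi
        gb += err
    n = len(rows)
    return [g / n for g in gw], gb / n


def local_train(w, b, rows, lr=0.1, steps=5):
    """Client side of FedAvg: start from the global model, take a few gradient
    steps on private rows, and return the resulting local model."""
    w, b = list(w), b
    for _ in range(steps):
        gw, gb = gradient(w, b, rows)
        w = [wi - lr * gi for wi, gi in zip(w, gw)]
        b -= lr * gb
    return w, b


def fedavg(w, b, clients, rounds=20):
    """Server side of FedAvg: average the client models, weighted by row count.
    Raw rows never reach this function; only (w, b) pairs do."""
    w, b = list(w), b
    total = sum(len(rows) for rows in clients)
    for _ in range(rounds):
        agg_w, agg_b = [0.0] * len(w), 0.0
        for rows in clients:
            cw, cb = local_train(w, b, rows)
            share = len(rows) / total
            agg_w = [a + share * c for a, c in zip(agg_w, cw)]
            agg_b += share * cb
        w, b = agg_w, agg_b
    return w, b


def accuracy(w, b, rows):
    hits = sum((predict(w, b, x) >= 0.5) == bool(y) for x, y in rows)
    return hits / len(rows)


def invert_single_record_gradient(gw, gb):
    """The 'reverse engineering' risk. For a logistic model and a client with
    one record, grad_w == err * x and grad_b == err, so whoever sees the raw
    gradient recovers x = grad_w / grad_b exactly. (Known result for linear
    models; averaging over a batch blurs the leak but does not remove it.)"""
    if abs(gb) < 1e-12:
        return None  # err == 0: model already perfect on the record, nothing to divide by
    return [g / gb for g in gw]


def mask_updates(updates, rng):
    """Simplified secure aggregation. Each pair of clients (i, j) shares a random
    mask r_ij; i adds it, j subtracts it. Each masked update looks like noise to
    the server, yet the masks cancel in the sum. Here `rng` stands in for the
    pairwise-agreed seed that real protocols derive with a key exchange."""
    masked = [list(u) for u in updates]
    for i in range(len(updates)):
        for j in range(i + 1, len(updates)):
            r = [rng.uniform(-100.0, 100.0) for _ in updates[i]]
            masked[i] = [m + ri for m, ri in zip(masked[i], r)]
            masked[j] = [m - ri for m, ri in zip(masked[j], r)]
    return masked


def sum_vectors(vectors):
    return [sum(col) for col in zip(*vectors)]


def secure_sum(updates, seed):
    """Server view of secure aggregation: masked vectors in, true total out."""
    masked = mask_updates(updates, random.Random(seed))
    return masked, sum_vectors(masked)


if __name__ == "__main__":
    w, b = fedavg([0.0, 0.0], 0.0, CLIENTS)
    every_row = [row for rows in CLIENTS for row in rows]
    print("FedAvg model", w, b, "accuracy", accuracy(w, b, every_row))
    gw, gb = gradient(w, b, CLIENTS[2])  # what the single-record client would send
    print("record recovered from its raw gradient:", invert_single_record_gradient(gw, gb))
    updates = [local_train(w, b, rows)[0] for rows in CLIENTS]
    masked, total = secure_sum(updates, seed=7)
    print("server sees", masked[2], "but the sum is still", total)
```

The masking shown is the core idea of the secure aggregation protocol of Bonawitz et al. (2017), which additionally derives each pairwise mask from a Diffie-Hellman shared secret and uses secret sharing so that clients that drop out mid-round do not break the sum. Note what masking does and does not buy: the server no longer sees any individual client's update, but the aggregate itself can still leak about rare records, which is why differential privacy on the updates is usually layered on top rather than treated as an alternative.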

Ethical Considerations in AI and Data Technology

The conversation takes a broader turn, exploring the intersection of AI, data, and ethics. AI development should consider risks, probabilities, and potential biases to build robust and ethical systems. Ethical implications of sharing genetic data and the responsibility of pharmaceutical companies in handling such information are discussed. 

Regulating AI Ethics and the Divide between Academia and Industry

The need for clear regulations to define and enforce ethical standards in AI and data technology is acknowledged. Balancing philosophical academic perspectives with industry practicality becomes essential as AI progresses toward stronger AI with self-learning capabilities. 

Navigating Legal Frameworks and Data Sharing in Healthcare

Enforcing ethical standards and regulations on a global scale, especially with rogue states, poses challenges. Collaboration through global forums, like Gaia-X, can facilitate trust, data security, and a shared interpretation of frameworks across jurisdictions. Standardised data-sharing frameworks and data portability regulations can address data sharing challenges in healthcare. 

Autonomous Weapons and the Role of Global Forums

The ethical challenges of deploying AI in autonomous weapons, especially in making life and death decisions, raise profound moral dilemmas. The hosts stress the importance of engaging in public discourse and involving the global community to shape AI and robotics’ future. 

The Impact of Social Media on Data Privacy

The podcast concludes with a discussion on the influence of social media on data privacy and the ethical considerations surrounding its use. Addressing the impact on young minds and the potential implications on decision-making, including voting rights for 16- and 17-year-olds, is highlighted. 

In conclusion, data sovereignty, AI ethics, and federated learning are crucial components of an evolving data landscape. Ethical considerations must be at the forefront of AI development and data sharing to ensure responsible and equitable data-driven futures. By embracing ethical practices and fostering interdisciplinary collaboration, we can harness the potential of AI while respecting individual rights and privacy. Establishing global forums and transparent public discussions will play a pivotal role in shaping the future of AI and robotics in a manner that benefits humanity as a whole. 

Making complex data available for the benefit of society https://www.calligo.io/insights/data-insights/making-complex-data-available-for-the-benefit-of-society/ Mon, 15 May 2023 08:27:56 +0000

In Calligo’s latest Beyond Data podcast, Tessa Jones (Chief Data Scientist) is joined by Dr Ellie Graeden, Research Professor (Center for Global Health Science and Security) at Georgetown University. Here we explore some of the episode’s highlights:

  • The inherent conflict of private data and the public good
  • Protecting individual rights within federated learning
  • The importance of effective communication and a common language
  • Designing systems and policies that work together
  • Focusing regulation on outcomes, not creating data siloes

At societal level, poor communication costs lives

Transitioning data across and between departments and data systems has historically been fraught with problems – who owns it? Who pays for it? Is it understandable and translatable into meaningful and actionable insights for the end user? 

Having worked extensively in disaster response, Dr Graeden has seen first-hand the potentially life-threatening issues that can arise when government departments’ data platforms produce incompatible outputs:

  • If 20,000 people need water, how many pallets need to be shipped?
  • If 10,000 electricity meters have been knocked out by a hurricane, how many people need feeding?

In such scenarios, identifying individuals amongst population-level data is crucial if the help provided is to be sufficient.

“We have to be able to really effectively move and communicate and share data that are relevant, in ways that they can get used by people all across the system”

Of course, any data system design should ensure privacy and protection for personal data. ‘Big data’ is still relatively new, and as such more powerful and widespread regulatory controls are now being introduced, although the US still does not have consistent requirements for how data should be handled. Fundamentally, meeting a population’s needs today, and planning for them tomorrow, requires the data of individual people to be analysed. Personal data must be shared quickly, effectively and all the while protecting individual rights. Data system design must therefore:

  • Include all players
  • Consider cultural constraints
  • Keep out bias
  • Ensure the right words and phrases are used
  • Focus on the ‘so what’, why does it matter?

“Every single thing we experience can be captured as data”

Even the most mundane moments in our daily lives leave a digital footprint; we shed data everywhere. But when does ‘my’ data become public, or the property of the software developer or the service provider? VR headsets collect ephemeral data that is analysed and applied for that one end user, but if that data is assumed to fall under GDPR the potential to use it for positive outcomes is severely limited. For example, should authorities be notified if content viewed and generated is illegal or harmful? And what if the headset’s sensors can detect that the user is having a stroke: is that data classified as ‘health’ data? Can it be used to alert the individual to their medical emergency without contravening legislation? What if your mouse clicks can reveal the early stages of Parkinson’s? Should you, could you, be told?

“If you’re treating this data as health data, then they have a very different set of regulatory constraints. HIPAA isn’t going to regulate those because it’s not a health care provider or a health insurer”

Piercing the veil

The conflict between personal protection and public good is everywhere, and Dr Graeden believes that some new data laws will create problems for federated learning. Legislation has clear boundaries (speed limits, blood alcohol levels) whereas science deals in spectrums, probabilities and unknowns.

Deleting an individual’s personal data from the model breaks the system, contradicting what regulators are trying to achieve. The solution is to prioritize outcomes, not processes – it doesn’t matter whether you write the rules with a pen and paper, or with AI, as long as you write the rules. Expanding the framework by setting gradients of data availability affords protection for individuals, whilst making data available that informs better decision making for public bodies.

“Data is nothing more, nothing less, than an abstract description of our world. A useful and powerful language that can tell us things that other languages don’t”

Data can no longer exist in siloes if it’s to be useful to society

There is now a healthy global appetite for the discussion around data, thanks in the main to two recent developments:

  • Covid gave us huge amounts of data about mortality levels, vaccination rates, hospitalisation trends – all of which were in the public consciousness every day
  • AI and ChatGPT – articles and debates about the pros and cons are everywhere, discussion is not just in the scientific community

The key challenges now for data scientists are expectation management and communication – we need to be clear about aims and specific about context, as well as knowing what to leave out to avoid overwhelm and misunderstanding. Unfortunately, scientists are not always great communicators (using complex terminology and detail, rather than common parlance and generalization) as Covid demonstrated:

  • Did having a vaccine mean you wouldn’t get sick? Or just less sick?
  • ‘Everyone should wear a mask’ became ‘wear a mask if you can’. This was due to limited supply, but it appeared that the science was not clear

“The scientific approach means you never have an answer… we are trained as scientists to focus on the fact that we don’t know”

In fact, the only answer is that the right data, used consistently and communicated clearly, will always allow us to be prepared, not reactive. To make decisions for the public good that protect every individual.

You can find out more about the common language of privacy in our Rosetta Stone eBook.

The benefits of outsourced Data Protection Officer as a Service https://www.calligo.io/insights/glossary/the-benefits-of-outsourced-data-protection-officer-as-a-service/ Tue, 21 Feb 2023 13:37:33 +0000

As the world becomes increasingly digital and cloud based, the importance of data protection and privacy has become paramount for all organizations. One key aspect of ensuring compliance with data protection laws and regulations is the appointment of a Data Protection Officer (DPO).

However, appointing a DPO internally can present several challenges, including conflicts of interest and a lack of specialized skills. That is where Data Protection Officer as a Service (DPOaaS) comes in.

Sidestep potential conflict of interest

One of the main reasons organizations appoint external DPOs is to sidestep the potential conflict of interest that arises when a DPO is appointed internally. Supervisory Authorities are becoming increasingly strict about this issue, and a conflict of interest can be seen as a punishable breach. For example, CIOs and CISOs are responsible for the collection, storage, and protection of data, which can prevent them from objectively scrutinizing their own processes.

Similarly, Heads of Legal and In-House Counsel are tasked with defending the organization’s interests, while a DPO is required to represent the data subject. Heads of Compliance, who are responsible for determining how data is processed, may also be unable to impartially assess its adherence to legal obligations.

By outsourcing your DPO to a specialized service provider, such as Calligo, you can sidestep these conflicts of interest and ensure your organization’s compliance and data safety. Outsourcing your DPO is also faster and more cost-effective than hiring one internally.

10x as many DPO vacancies as there are qualified individuals

There are currently 10x as many DPO vacancies as there are qualified individuals, making hiring processes long and expensive. Outsourcing your DPO allows for flexible resourcing, as the role is often not a full-time position. Additionally, outsourcing your DPO gives you access to a wider set of skills, including technical, legal, and information security expertise, all at a far lower cost than recruiting each of these individuals individually.

The Calligo Privacy Team is a specialized team of experienced and qualified professionals with deliberately diverse career backgrounds and deep subject matter knowledge. They are committed to ensuring adherence to global data protection laws without compromising the ambitions and goals of your clients. The team is highly qualified, holding certifications such as those from the IAPP, which are the world’s most trusted and respected certifications in data privacy. These cover privacy laws and regulations and the practical operations to apply and deploy them successfully.

The Calligo Privacy Team also brings diversity in terms of industry experience. By operating in varied domains, the team’s expertise is sector-transferable, keeping your knowledge as relevant as possible. In an increasingly complex landscape, the team is uniquely placed to support you in the nuances of different data protection and privacy regulations, across any sector and jurisdiction. The team has supported industries such as global manufacturing, global franchise fast food brands, financial, software as a service platform providers, energy, government, charities, and service providers.

In summary, data protection and privacy are crucial for all organizations in the digital age. However, appointing an internal Data Protection Officer (DPO) can be challenging due to potential conflicts of interest and lack of expertise. DPO as a Service (DPOaaS) provides a solution by outsourcing the role to a specialized service provider, avoiding conflicts of interest and providing access to a wider set of skills at a lower cost. The Calligo Privacy Team is a highly qualified team of experienced professionals with diverse backgrounds and certifications in data privacy, who are committed to ensuring global data protection compliance. The team has a proven track record of supporting various industries, keeping knowledge relevant and up-to-date.

Let the team help you fulfill your legal obligation to appoint a suitable Data Protection Officer, while also serving as an internal advisor, representative, and liaison for your organization.

Learn more about Calligo’s Data Protection Officer as a Service

Why data-ambitious organizations need more than a Chief Data Officer (CDO)
https://www.calligo.io/insights/glossary/why-data-ambitious-organizations-need-more-than-a-chief-data-officer-cdo/
Fri, 04 Feb 2022 10:16:16 +0000

The post Why data-ambitious organizations need more than a Chief Data Officer (CDO) appeared first on Calligo.

The rise of the CDO

The potential value of data – if used optimally – is unquestioned.

In recent years, there has been a clear acceleration in the number of organizations keen to not only better understand their data’s potential, but also govern it more rigorously, structure it more usefully and use it more creatively.

And so, they appoint a Chief Data Officer (CDO) to drive this change.

This person – the business hopes – will “take hold of the data problem”, pulling sources and siloes together to create clarity, drive automation, place data and insights into the hands of the front line, and improve business performance and customer satisfaction.

Discussing Client Ambition

When discussing these ambitions with our clients, the excitement and optimism is clear. But what is often missed, or at best over-simplified, is the need to execute safely.

Managing the security risk to the organization is a fundamental part of a CDO’s remit. Depending on the organizational structure, it is usually shared with or delegated to a dedicated CISO or equivalent.

Similarly, compliance with industry regulations and certifications such as ISO and SOC comes under the governance aspect of the CDO role (again, often shared with / delegated to the CISO).

But what about Data Privacy?

CDOs and data privacy

In the pursuit of these ambitious data goals, while the CDO and/or CISO handle security and compliance, who will manage the privacy-related risks to the organization? And the risk to the data subjects?

  • What data is personally-identifiable, and therefore subject to data privacy laws?
  • Where is this data received from and held?
  • How retrievable is it?
  • How is it used?
  • Will personal data be exposed to machine learning or automated decision-making?
  • When and how is personal data shared?
  • Or disposed of?

In tackling these questions, some organisations believe the CDO can also perform the Data Protection Officer (DPO) role, or have one report into them or the CISO. Others appoint a Chief Privacy Officer, thinking they are the same as a DPO, or a “DPO+”. Others ignore the need for privacy oversight altogether.

None of these answers are wise. Some are even illegal and can result in penalties.

The truth is, most data-ambitious organizations require all three roles. Without them, data safety is jeopardised and the company is at risk of non-compliance, breaches, inefficiency and missed opportunity.

But how the remits are best defined and structured is often a mystery.

Below is a guide to the three pertinent roles – Chief Data Officer (CDO), Chief Privacy Officer (CPO) and Data Protection Officer (DPO) – outlining why each role is essential for every data-ambitious organization, plus their differences, inter-relationships, boundaries and overlaps.

Who you need

The Chief Data Officer (CDO)

Responsible for using data to best effect. The basis of this is data governance – its stewardship, consolidation, structure, management and distribution, but also the security and compliance risk it presents. On top of this lies innovation and how it can be most profitably exploited, whether through automation, analysis or data science.

The Chief Privacy Officer (CPO)

This role sits within the overall CDO responsibility. It adds the perspective of privacy compliance to the CDO function, specifically in terms of any action’s risk to the company. As such, they will lead on the construction of the privacy programme, its roll-out and training, and any necessary assessments.

The Data Protection Officer (DPO)

Represents the data subject within the organization. They oversee activities from data processing, assessments and employee training to ensure that none of them conflict with data subjects’ privacy rights, and as such must maintain independence from activities and reporting lines. While perhaps not technically required within your organization (for instance if you are not a public body, do not systematically process personal data as a core activity, or are not processing ‘large volumes’ of sensitive data), it is nonetheless a firmly recommended role for any data-ambitious organization with any degree of use of personal data.

Can these roles be combined into single individuals?

The CDO and CPO can be the same person, and arguably should be, to ensure that the entirety of data safety – security and privacy – forms the foundation of all data use and governance, reducing the risk of accidental non-compliance or painful retrofitting of compliance requirements.

The DPO and CDO (and/or CPO) must never be the same person, as it would create a punishable conflict of interest. They should not even be in the same reporting structure. The DPO’s role is to independently monitor and question all activities, strategic policies and objectives, which means they need the platform to challenge every level of the organization.

The risk of getting this wrong

Risk of unethical / non-compliant data processing

Our data privacy experts have often seen overenthusiasm and ambition innocently lead to personal data being misused. Without anyone overseeing the privacy risk to the data subject (DPO) or even to the business (CPO), and with a focus only on security, organizations can easily overstep.

Missed opportunity

DPOs and CPOs are often mistaken for naysayers, as they too often focus on limiting what can be done with data and curtailing the ambition of the CDO. In fact, the best DPOs and CPOs will support the CDO’s objectives, by suggesting innovative approaches to data use that balance ambition with risk.

Delays

If privacy is not a foundation on which data ambitions are built, then it will either be forgotten or retrofitted. The former creates risk of breaches, while the latter creates delays. Projects that lay privacy on top, rather than being designed with it in mind from the outset, risk needing costly redesign and rebuilding.

Conflict of interest

A DPO has to be independent of the day-to-day processes of data management, including its receipt, use, treatment and security. This rules out those job titles that are classically given this second role, such as CIOs and Heads of Compliance, and that regulators are now punishing.

The Chief Data Officer (CDO)

Remit unique to this position:

Data governance

Ranging from data’s structure and architecture to its management and ongoing quality assurance. Accurate and efficient data governance is the foundation stone of all data initiatives. Data siloes, untidy or incomplete data and inconsistent data structures are the principal barriers to data ambitions.

Security-related risk to company

Clearly overlapping with the above, the CDO is required to identify where the ambitions for data’s structure, storage and use will create security and regulatory compliance risk. Working with the CISO – who may be alongside or within the CDO’s team – these risks then need to be mitigated comprehensively, and without obstructing operations.

Innovation / Data Science & Insights

This is the principal reason for the appointment of a CDO: using data creatively to further the aims of the organization as a whole. Building on the groundwork of data governance and security, this may be through automation, analytics, visualizations, machine learning or other forms of AI. Projects may be intended for internal efficiency, or the development of new products and services, but one truth remains at every initiative’s core: using data more intelligently.

The Chief Privacy Officer (CPO)

Remit unique to this position:

Privacy-related risk to company

While the CDO handles the security-related risk, the CPO looks specifically at personally-identifiable data, how well protected it is and how ethically / compliantly it is used. This will include determining how all the organization’s activities affect the regulations whose scope they fall under, and ensuring the various obligations are all addressed.

Clearly, this responsibility overlaps with the CDO’s security-related remit, and requires the cooperation of the CISO, as a lot (though not all) of a privacy-focused risk assessment is based in typical security technical and organizational measures (TOMs). As such, the CPO role may well be part of the CDO’s, if the individual has the relevant privacy skills.

Devise & deploy the privacy programme

This is the tactical implementation of the above. It involves the creation of policies and processes that will protect personal data in every department, by every user and with every data interaction, and specifically on an ongoing basis.

Unlike many other areas of compliance, data privacy requires continuous management and oversight. A breach of ISO compliance requirements on a given day is unlikely to jeopardise completing the next audit’s requirements and maintaining certification. In contrast, a single breach of data privacy requirements could result in customer dissatisfaction, being reported to regulators and potentially fines and irreparable brand damage. As such, the deployment of the privacy programme must ensure continuous protection.

Data Protection Officer

Remit unique to this position:

Privacy-related risk to data subjects

This is the crux of the DPO role. A Data Protection Officer is one of few senior roles who categorically do not serve the interests of the organization, but of third parties – arguably the only one. It is this unusual perspective that requires them to be independent of the mechanics of the organization, and that underpins all other responsibilities.

Oversight

The DPO is responsible for continuously monitoring all data processing activities and independently assessing their adherence to the GDPR and any other relevant legislation. Any faults or risks found are then the responsibility of the CPO and/or CDO to remedy, working alongside any relevant departmental head.

Internal audit

Part of the Oversight role above will include regular internal audits of data processing activities. An initial gap analysis will establish a baseline of compliance, while subsequent periodic audits will showcase the evolving privacy maturity of the organization, plus any persistent weaknesses.

Liaison with authorities and data subjects

DPOs also act as a conduit for all communications with supervisory authorities and data subjects. They may do this proactively, for example securing approval from authorities on the legitimacy of any new and unusual data processing initiatives. DPOs will also handle the communications with any data subjects in the case of Data Subject Requests.

The Shared Remits

Shared remit: CDO & DPO

Automated decision-making

This is a crucial overlap. For many data-ambitious organizations, especially those in consumer services such as banking, telecoms or utilities, there will be a drive to use automation or machine learning to systematize interactions with customers based on the data on them as individuals. These may include the pricing and terms offered to them, which would mean that automated decisions are being made that have a legal or similarly significant effect – which is specifically limited by the GDPR and many other privacy regulations that followed in its footsteps.

This is therefore a classic example of a situation where the CDO and the DPO must work together to ensure that the project is legitimately designed and executed, and it is highly indicative of why the DPO cannot be the same person as the CDO, or even sit in the same reporting structure. The CDO’s project must be open to objective critique, and perhaps to being stopped, by an independent DPO.

Shared remit: CDO & CPO

Ethical Data Impact Assessments (EDIAs)

EDIAs are modern supplements to the pre-existing Data Protection Impact Assessment (DPIA), and are effectively documented evidence of the scrutiny required above in instances of Automated Decision-making.

While not specifically required by privacy legislation or guidance – as a DPIA is – the sort of rigour they encompass is. As mentioned above, references are found in the GDPR and many other pursuant regulations. The extra scrutiny is recommended because of the deliberate removal of human oversight from processes, and therefore the risk of the inadvertent removal of understanding, proportionality, fairness and even values.

For a DPIA, a DPO and a CPO (see below) will collaborate on mitigating the risks to data subjects – hence the DPO’s involvement.

An EDIA’s extra considerations beyond a DPIA focus on accountability, transparency, necessity and sustainability. These are more technical, strategic and concerned with personal rights including but also beyond privacy, such as the right to not be discriminated against.

The CDO’s input will therefore cover the technical and strategic sides, while the CPO is best placed to review the technology’s ethical use. In truth, this is not a perfect fit. But there are few alternatives. A DPO’s role is to monitor activity through a strict lens of protecting data subjects’ privacy rights – and arguably their independence means their role can never be to perform assessments, only to review. Legal counsel is concerned with the application of the codified law, not the wider topic of ethics. Compliance roles are similarly used to implement specific rules and standards.

Upholding ethics is different by its nature, and not typically a nominated role within organizations, but a CPO is arguably the closest fit, not least because they lead the completion of DPIAs, on which EDIAs are based.

Shared remit: CPO & DPO

Training employees

This is part of the CPO’s deployment of the overall privacy programme, but requires the involvement of the DPO because of their responsibility for monitoring internal compliance. Acting on behalf of data subjects, the DPO will check the suitability and comprehensiveness of the training programme, in essence confirming that should the training be satisfactorily completed (the CPO’s responsibility to ensure), then data subjects’ rights are protected.

Data Protection Impact Assessments (DPIAs)

These tools identify any potential risks that may arise from processing personal data, allowing the organization to minimise and negate them in advance. They are a key requirement for demonstrating adherence to GDPR and most other privacy regulations, and should be completed for every way in which an organization processes data.

They are the CPO’s responsibility to perform, though as with the training above, the DPO is required to provide an oversight role to ensure data subjects’ rights are protected. They will advise the CPO on whether a DPIA is necessary in any given situation, how it should be performed, what measures can legitimately be put in place to negate any risks identified, and whether the ultimate decision that the process is permitted or not is correct.

This process and shared responsibility applies equally to other privacy adherence tools such as Legitimate Interest Assessments (LIAs), where the CPO is responsible for performing the duty, while the DPO ensures their completion and verifies their outcomes.

Data Subject Access Requests (DSARs)

Some of the most common instances of CPOs and DPOs having to collaborate are on DSARs. In some industries, these are rather common, especially those with high volumes of consumer interaction such as retail, utilities, telecoms and retail banking. A CPO will be responsible for the performance of the DSAR – for example, verifying the identity of the data subject and collecting relevant data – while the DPO will be responsible for overseeing the process, approving the data to be shared, ensuring deadlines are met and handling communications with the data subject.

The Universal Responsibilities

Data Quality

All three Data Officers have a responsibility for – or at least a vested interest in – maintaining the continuous quality of all the organisation’s data.

  • For a CDO, this is of course a principal strategic objective. Better use of data relies on data sources being cleansed for interrogation, and probably integrated under common data models to allow for deeper insights. But without continuous data governance – the process by which data quality is preserved – then interrogation becomes impossible, and integrations fall apart.
  • Data quality requires common rules – defined and upheld ultimately by the CDO – for how data is collected and stored; agreed responsibilities for how it is maintained and kept complete, credible, useful and clean; and a clear vision for how it may be used.
  • The CPO and DPO will also have involvement in this, and vested interests in its performance. How and where the CDO decides to store data will need to adhere to data residency and sovereignty requirements. Data privacy regulations routinely give data subjects a Right to Accuracy, where every reasonable step must be taken to rectify data inaccuracies or erase data if no longer correct. And of course, without complete, clean and credible data, then DSARs cannot be accurately performed, and DPIAs and other typical processes cannot be conducted or verified easily.

DPIAs in fact include a specific question:

“Are you satisfied that the personal data processed is of good enough quality for the purposes proposed? If not, why not?”

Of course, the easiest way for Data Quality to serve all three Data Officers’ needs is to base the organization’s Data Quality framework on the principles of Privacy by Design & Default.

Contracts

While the above is a strategic imperative that requires all three Data Officers’ involvement, this is a tactical overlap.

  • Contracts with new suppliers, partners, and potentially customers that inherently involve the processing of personal data create responsibilities for CDOs, DPOs and CPOs alike.
  • A CDO needs to ensure that the contract and the mechanics of the engagement will not undermine or contradict any element of data governance. For example, if the new contract is with a new cloud services provider, can the provider support any ISO, SOC or PCI obligations? If the contract is with a new CRM, is the data structure consistent with any pre-existing common data model and how will data quality and accuracy be maintained? And in all cases, what security measures are in place to protect data from internal and external threats?
  • Meanwhile, a CPO will be concerned with whether the contract is in line with the organization’s privacy obligations. To use the example of the new cloud provider again, will data residency obligations be met? Or for new SaaS platforms, where will data be stored and are the correct cross-border data transfer mechanisms such as Standard Contractual Clauses (SCCs) in place?
  • Finally, a DPO’s role in a contract scenario is to review the legitimacy of the decisions made above, and verify that the privacy of data subjects’ personal data will not be jeopardised – regardless of whether the organization is a controller or a processor in the given scenario.

The Core Lessons

  • All three roles – CDO, CPO, DPO – are probably required in your organization; even where a DPO is not strictly required, it is nonetheless advisable.
  • The CDO can also be the CPO, but the DPO must be independent.
  • The CDO defines the strategy and is responsible for the vision of what is to be accomplished with your organization’s data. This will include its structure, security, governance, maintenance and creation of value.
  • The CPO is responsible for ensuring that the implementation of this strategy will not put the organization at any privacy-related risk, and is tasked with mitigating any risk with a defined and well-executed privacy programme.
  • The DPO is the representative of the data subject within the organization, and is primarily responsible for overseeing the activities and ensuring no rights are or could be infringed.
  • The more fundamental or complex the operation (such as data quality or intelligent data use), the more likely it is to require all three roles.
  • Putting privacy – and better yet, total data safety – at the heart of every data initiative and interaction will make it more likely that every role’s agendas are equally met.

Does your DPO have a Conflict of Interest?
https://www.calligo.io/insights/glossary/does-your-dpo-have-a-conflict-of-interest/
Mon, 20 Dec 2021 15:30:47 +0000

The post Does your DPO have a Conflict of Interest? appeared first on Calligo.

What is a DPO?

Unlike many other areas of compliance, data privacy adherence is not something that can be audited once and then presumed to continue for the foreseeable future.

Data is the most voluminous, mobile, essential and potentially dangerous asset any business owns. It is created, deleted and interacted with constantly, often in new ways by new individuals.

A point in time audit is simply not suitable for continuous oversight of how data is treated.

It is this unavoidable truth that led the GDPR legislators to require organizations that process the most data, and/or the most sensitive data, to ensure that the interests of the data subject are continually and adequately represented in any and all data processing. Hence, the mandated requirement for the Data Protection Officer (DPO).

Under Article 37, DPOs are a mandated requirement if:

  • You are a public authority or body
  • You are an organisation whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (e.g. online behaviour tracking)
  • You engage in the processing of large volumes of special category data, or data related to criminal offences and convictions

The DPO’s tasks are outlined in Article 39 of the GDPR as:

  • To inform and advise the business and its employees of their GDPR obligations.
  • To monitor and audit compliance with the GDPR and the business’ data processing policies, including the assignment of responsibilities, awareness-raising and training of staff.
  • To manage data protection impact assessments, and monitor their outcomes.
  • To cooperate with and serve as the contact point for Supervisory Authorities.

Appointing a DPO internally

Many mandated businesses have dutifully appointed their DPO. They have consciously sought to avoid the expense, time and difficulty of hiring a new head, distilled the requirements and responsibilities to their raw essence, and found a person internally who:

  • Understands the way the company ingests and uses data
  • Has the standing and breadth of involvement in the business to appreciate every data workflow
  • Is experienced in the administrative, legalistic and monitoring sides of compliance
  • Is senior and credible enough – as the GDPR requires – to interact with, advise and perhaps argue with the highest levels of the business

This seems suitable. The rights and interests of the data subjects appear to be best protected by a person who has this experience and background, and who can monitor the organization’s activities and ensure their adherence to the rules and the sentiment of GDPR, such as the CIO, CISO, Head of Compliance, Head of Legal, even the CEO.

These organizations seem to be acting in totally good faith. After all, Article 38(6) even allows the DPO role to be a secondary role on top of day-to-day operations.

But they have forgotten an underlying principle of the GDPR: the DPO must be independent.

Expecting someone who also has responsibility for the management, oversight, strategy or security of data and how it is processed (i.e. a data controller) to also scrutinise, critique and object to those same processes on behalf of data subjects creates a conflict of interest.

It is like asking students to mark their own homework. As much as they may be obliged to remain impartial, they have their own obligations, objectives and interests that prevent them from being completely and undeniably impartial.

No matter how ethically they may think they act, it represents a compliance failure.

The danger

And legislators are hot on this. Most Supervisory Authorities, including the UK’s Information Commissioner’s Office (ICO), have issued specific guidance on how to avoid conflict of interest. While this proactive support shows that the SAs intend to help businesses avoid making this error, the flipside is that it also means they will not tolerate failure.

Indeed, fines have started to be handed out to firms who overstep, intentionally or otherwise. A prime example is a €50,000 penalty for a Belgian telecoms operator whose DPO was also their Head of Compliance, responsible for the compliance, risk management and audit functions. Dispassionate and independent review of their data protection processes from a data subject’s perspective versus the business’ was deemed impossible.

Some examples of roles often asked to also take on the DPO role

  • CIOs
    who define the IT strategy, including where data resides, how it is accessed and who by, and on which platforms.
  • CISOs
    who build security strategies that prioritize certain measures or defending against certain cybersecurity threats.
  • COOs and CEOs
    who have responsibility and/or influence over how data is processed, for what purpose and through what tools.
  • Heads of legal
    who balance the interests of the organization against what is permissible or possible under the law.
  • Heads of compliance
    who balance the organization’s needs and operations with the requirements of various regulatory frameworks.
  • Heads of departments
    E.g. marketing and HR, who determine how data is processed within their teams in order to meet their objectives.

The whole point of the DPO is to stand apart from the interests of the business and be the voice of the data subject.

How can any of these roles – all of which put the interests of the business first – be compatible with a second role that expects them to demand the business undertakes specific actions to protect the interests of the data subject, or even to spot the need for additional actions in the first place? An external perspective is often key.

Should you outsource your DPO?

A company must appoint a DPO who is free to operate independently. There should be no pressure from management, or risk of insufficient perspective on data-centric processes or strategies that may jeopardize the continuous privacy of personal data.

If you suspect your current internal DPO appointment is putting your GDPR adherence at risk, then you should consider making a change soon.

Reasons for considering outsourcing the DPO role:

  • Guarantees impartiality
    Appointing an external party is specifically permitted under the GDPR, because such a person can avoid conflicts of interest, act dispassionately and often challenge senior management more easily.
  • Greater accuracy
    An external DPO is likely to perform better than an internally-appointed DPO who may be restricted by the working practices of the business or by not wishing to undermine wider objectives.
  • Wider skillsets
    The better tier of outsourced DPO services bring not only legal expertise, but also data security and technology, plus experience across numerous jurisdictions and data privacy frameworks.
  • A show of trust
    It shows data subjects and Supervisory Authorities that you take the privacy of data seriously, and are not willing to take dangerous shortcuts to adherence.
  • Faster to appoint
    Some try to hire a dedicated DPO, but find they are in high demand and short supply – some reports say 1 candidate to 10 open roles, and many taking over a year to appoint.
  • Significant savings
    Because of how rare suitably qualified people are, they often command a premium salary. Outsourcing the role is far more cost-efficient, and tends to bring wider skillsets.

How Calligo can help

Calligo’s expert and highly-qualified data privacy consultants, who each have a unique mix of legal, technical and infosecurity expertise, are ideally suited to serve as your outsourced Data Protection Officer.

Our DPO as a Service clients range from SME to the largest enterprises, span every sector, multiple geographies and privacy regulations, and process some of the most sensitive categories of data.

Our experts provide ongoing monitoring and audits of the collection and processing of personal data, plus staff training to ensure our clients’ total and ongoing protection. They also represent your organization to both data subjects and Supervisory Authorities.


Data privacy programmes deliver more than privacy adherence
https://www.calligo.io/insights/glossary/data-privacy-programmes-deliver-more-than-privacy-adherence/ (Fri, 21 May 2021)

Examples of data privacy programmes delivering more than privacy adherence, such as reduced costs, new revenues, greater customer trust and new markets.
Reduced costs, new revenue streams, greater customer trust and new markets

The best data privacy programmes are granular.

They assess the root of every data source, the nuances of every data use and the specifics of every way in which data is stored and shared.

From that finite visibility, liabilities can be identified and appropriate remedies put in place that carefully balance the demands of the data subjects with the needs of the business.

Without such an exact approach, any privacy programme is paper-thin. Literally.

Policies and documentation do not make a data privacy programme. It has to be lived.

And this privacy-driven visibility of the entire data environment – every source, dataset, workflow and exit point – does even more for a business. It delivers a host of additional benefits beyond simple avoidance of sanctions, ranging from commercial opportunity to innovation.


Below are four examples of Calligo Data Privacy Services customers who have used their data privacy programmes’ increased visibility of their data to achieve greater commercial benefits.

Customer Trust

One of our Data Privacy customers is a SaaS CRM provider that routinely handles special category personal data. Data safety and responsibility are non-negotiables for this vendor.

The granularity of Calligo’s data privacy programme led to the design and delivery of a Data Privacy by Design and Default initiative that put data privacy at the beginning of every aspect of development, minimizing risk to existing and even emerging regulations, without sacrificing time to market.

This strong privacy posture has given the customer the confidence to not just claim it is a data-responsible provider, but to even differentiate itself among its competition based on its heightened capabilities.

Re-discovered lost revenue

While working with a global fast-food franchisor, we went into the deep detail of every way in which franchisees shared their customers’ data with the overall franchise organisation. In so doing, we created a data workflow map, showing the routes that personal data took and the liabilities that may be created.

These data workflows coincidentally triggered and overlapped with various invoicing processes. In tracing them through, the franchisor discovered broken processes that were costing $10ks in lost invoicing opportunities. Lost revenue that would have never been rediscovered without the data privacy programme.

Shadow IT resolved, reducing risk, inefficiency and costs

We were also able to show that same customer the amount of risk that their teams’ widespread use of Shadow IT was creating. This ranged from unauthorised data-sharing mechanisms to ungoverned SaaS tools for individual departments, most of which were handling personal data. A familiar story for many businesses.

Not only was the customer able to put in place governance that allowed the safe continued use of some of the tools, but they were also able to spot where the use of others was sacrificing short-term efficiency for longer-term inefficiency across the wider organisation. The customer acted positively, assessing why these tools were being introduced and what a better approach might be that could support the entire organisation’s needs. This resulted in optimised processes and reduced costs.

Access to markets

One of the most common reasons for businesses wishing to formalise their data privacy approaches is so that they can confidently expand their geographical reach. With data privacy protections in place in more than 130 jurisdictions around the world, a robust and adaptable privacy programme is fast becoming a necessity for any ambitious business.

Similarly, many Data Privacy Services customers have used their deep understanding of their data to quickly attain the data security and privacy certifications required to start doing business with new industries. Healthcare, legal and financial services, and many more, all have their own industry-specific requirements, and the capabilities that granular data privacy programmes provide often account for substantial proportions of those frameworks.

Data Privacy Update: Virginia Consumer Data Protection Act (VCDPA)
https://www.calligo.io/insights/glossary/data-privacy-update-virginia-consumer-data-protection-act-vcdpa/ (Mon, 12 Apr 2021)

Virginia passed its own privacy law, the Virginia Consumer Data Protection Act (VCDPA), giving consumers more control over the use of their data.
And so it continues. Last month, Virginia passed its own privacy law, the Virginia Consumer Data Protection Act (VCDPA), adding fuel to the fire over a US federal privacy law, and introducing new complexities for businesses operating in or addressing the US market.

It will take effect on January 1, 2023 (the same day as California’s CPRA which amends the current CCPA) and was passed in record-breaking time: less than two months, and by an overwhelming majority.

Such was its speed and simplicity that many other state bills are actively mimicking some of its propositions, including Colorado, Connecticut and Minnesota.

Theoretically, this active copycatting will limit the ongoing differences between state laws, but this of course remains to be seen.

So what are the similarities and the differences that you need to be aware of?

It’s best we focus only on what has actually been passed: CCPA (and where necessary, CPRA), GDPR and of course now Virginia’s VCDPA.

The next likely additions will be New York State, though it is some way off, or Washington State, though it seems engulfed in controversy and a lack of big tech backing due to fears of open floodgates for class action lawsuits. But much may change in their provisions between now and their implementation.

Observations

In short, CCPA, VCDPA and GDPR all overlap, but in different ways.

Any two of the three have substantial differences. But taken as a group, the areas of overlap – both philosophical and practical – are increasing.

For instance, more and more core rights and requirements are reappearing:

  • Universal rights:
    • Right to Access;
    • Right to Rectification;
    • Right to Deletion;
    • Right to Data Portability;
    • Right to Object to Data Processing;
  • Privacy Notices explaining what PII is collected, what is done with it & why
  • Appropriate Security Measures
  • Concept of Special Category data – although definitions vary
  • Controller / Processor concepts (if not the exact same name) and requirements for binding contracts between them

But it is the differences that create confusion and difficulty.

What does this tell us?

Businesses have to date focused mainly or even solely on GDPR adherence, even if their activities bring them into the scope of CCPA, VCDPA or even other international laws.

As can be seen, this is not altogether a bad thing – the overlaps in the core principles and the nuances of the differences mean that:

A. Focusing on GDPR means the core universal rights and basic measures and requirements of most other legal frameworks will be addressed.

B. By pursuing solid, continuous and genuine GDPR adherence, there is tangible evidence of consumers’ rights being considered and respected, which goes a long way with authorities when the nuanced differences of other frameworks are not fully met.

However, there is still substantial risk with not appreciating local responsibilities. Local regulators exist to protect their own consumers and their own local rights, so while “honest efforts” will likely be an excuse in the early days, leniency will not be everlasting.

Businesses must start taking an intelligent approach to their liabilities, building a global privacy program that identifies the common ground across all relevant frameworks, and also introduces variations in data handling processes, internal and external policies and even company-wide strategy as soon as borders are crossed in any way.

It may be a lot to ask, but the benefits of the granular visibility of data workflows and interactions that this program requires can be significant, including brand trust, filled security gaps and even process efficiency.

And until the fabled federal law arrives – which it must surely do – it is utterly necessary. After all, more states are coming with their own laws that while sharing plenty of similarity, will inevitably bring more individuality: Florida, Colorado, New York, Connecticut, Washington, Oklahoma, Ohio and Minnesota.

For more commentary on the future of data privacy, take a look at the Periodic Table of Data Privacy: an industry-renowned project that seeks to keep privacy professionals and business leaders up to date and informed on the practical application of data privacy.

