Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Bearer

How adopting an OKR process has helped the Bearer team stay aligned

Keeping a team aligned isn’t easy. Not every meeting can possibly include every single team member, and updating a multitude of Notion pages with all the details regarding every discussion is an entire project in itself. The data that informs decisions is shared to separate groups of people, many of which don’t necessarily work closely together.

The European Commission's new SCCs for data transfers

The GDPR recently marked its three-year anniversary, but one aspect of compliance for many companies is much older. Standard contractual clauses (SCCs), the mechanisms that most international organizations used to legally transfer data between the European Economic Area (EEA) and third party countries—like the US—are over a decade old. For organizations moving data in and out of the EEA, the last few years have been complicated.

Do you need a DPA from subprocessors?

When it comes to GDPR compliance, contracts are some of the most powerful tools you have to show to regulators. They allow you to receive legal guarantees from your service providers and third parties that protect you from liability in the event of a breach in compliance. You aren’t off the hook for everything, but at the very least you won’t be liable for negligence.

Why Google's new privacy labels are important

When Apple released their privacy nutrition labels, it was seen as a key turning point in platform-level privacy. Even so, while Apple holds control of mobile device profits and industry mind share, they do not account for the majority of mobile devices globally—especially in developing countries. The iPhone is expensive, and therefor any of its privacy protections become a benefit only to those that can afford their devices.

Facebook loses its fight to transfer EU data to the US.

The Irish High Court, Ireland's data privacy watchdog, has won a legal fight over Facebook's data flows between the EU and the US. When the EU-US Privacy Shield was ruled insufficient in protecting the privacy of EU data subjects last year, many companies were left in an uncomfortable state of limbo waiting. Any organization moving data about EU residents from the EU to the US has been in the dark on whether they were still in compliance.

Norwegian DPA issues GDPR non-compliance notice to Disqus

This year has already seen over 100 GDPR non-compliance decisions. Mostly limited to regional companies, but a few have made larger news. The latest company poised to be fined is Disqus. Disqus is a commenting platform that companies can embed in their sites or applications to allow visitors to leave comments on individual articles or pages. Norway's data protection authority has notified Disqus that they intend to issue a non-compliance fine of NOK 250,000,000 (about EUR 2,500,000).

Article Six: The highest risk of GDPR fines

Data breaches are big news. They come with a major hit to the trust customers have with a business, and even parts of the world that don't have data privacy laws will often have some form of data breach law. It might be surprising though, for those focused on GDPR, that data breaches don't account for the greatest number, and greatest monetary value, of GDPR fines.

Global Privacy Control has the potential to solve the consent banner problem

Data privacy regulation has made great steps toward protecting the privacy of people using web products, but it has come with user experience friction. Consent and disclosure banners are a solution for compliance, but they are not elegant. Browser makers, the W3C, and a group of participating organizations are working to fix that. The first step is a proposal called Global Privacy Control (GPC).

What is a ROPA, why you need one, and how to make the process easier.

Working toward GDPR compliance means taking inventory on the data you collect and process. You've mapped your data, have a catalog of impact assessments, but now you need a way to present it in a way that regulators can look over. As far as the general data protection regulation (GDPR) is concerned, every piece of data processing you do needs a record, and those records are stored in a record of processing activities (ROPA). Regulators use a ROPA to get a full picture of your data processing.