Benesch Data Security and Privacy Webinar

Data Security and Privacy Webinar:

This page does not include all of the takeaways from the webinar. For full value, request access to the webinar recording by emailing

Major Topics:

Data Security & Privacy Legal Landscape in the US

Federal Privacy Laws – FTC Fair Information Practices and Principles

  • Notice and Awareness
  • Choice and Consent
  • Access and Participation
  • Integrity and Security
  • Enforcement and Redress

California Consumer Privacy Act (CCPA)

Requirements of CCPA service providers

  • Update contracts with service providers
  • Update your privacy policy
  • Enable consumer requests
  • Implement employee training

Impactful Foreign Laws and Regulations

GDPR in the EU – Data protection principles

  • Lawfulness – requires a legal basis for processing
    • Consent
    • Performance of Contracts
    • Compliance with Legal Obligations
    • Protection of Vital Interests
    • Performance of Tasks Carried Out in the Public Interest
    • Legitimate Interests of the Controller
  • Purpose Limitation – reusing data
    • The new purpose must be compatible
    • Links between the original and new purpose
    • The context in which the data was collected
    • Nature of the data
    • Consequences of new processing
    • Existence of appropriate safeguards
  • Transparency – how and why the data is being used
    • Certain information
    • Plain Language
    • Provided at the time the data is collected

GDPR in the EU – Rights of the Data Subject

  • Right of Access – the subject can access the data after it has been collected
  • Right to Rectify – allows the subject to change or correct the data
  • Right to Erasure (the Right to be Forgotten) – erasure of the data
  • Right to Restriction of Processing – restrict processing based on conditions
  • Right to Data Portability – have it transmitted to a different controller
  • Right to Object – allows the subject to object to the data processing; the controller has to suspend all of the processing until it can prove the data was collected with integrity
  • Breach Notification – A controller has to alert the authorities within 72 hours of being aware of a breach, as well as the data subjects without undue delay

GDPR in the EU – Sanctions

  • Warnings for first-time and non-intentional non-compliance
  • Audits
  • 20 million Euro or 4% of annual worldwide turnover, whichever is greater.

Internal Control Mechanisms and Guiding Principles

Keys to a Successful Compliance Program

  • Identify the Types of Information Collected and Processed
    • Become familiar with all kinds of records in your company
    • Involve key stakeholders
  • Survey the Legal and Regulatory Landscape
    • Understand the US Industry-specific laws
    • Understand the size of your organization, nature and location of the business, and the type of data being collected
  • Gather and Examine Existing Internal Policies
    • Data retention and destruction policies
    • Privacy policies
    • Data security policies
    • Data breach notice plans
    • Employee training materials
    • Acceptable use policies
    • Internal monitoring processes
  • Assemble an Information Security Team and Assess Risks
    • Determine who will be responsible for compliance
    • Buy-in from decision-makers
    • Obtain input from across your organization
    • Generate a list of risks associated with noncompliance
    • Identify mitigation methods
  • Design and Implement Solutions Using a Privacy-By-Design Approach
    • Consider the entire data lifecycle
    • Possible actions include:
      • Develop a system for monitoring and tracking network access
      • Design effective employee policies and procedures
      • Develop an incident response plan
      • Conduct regular audits