2023-24 Survey of Canadian businesses on privacy-related issues

The Office of the Privacy Commissioner of Canada (OPC) commissioned a private company to conduct quantitative research with Canadian businesses on privacy-related issues.

AI-related aspects of the survey

• Limited use of AI for business operations
  6% of business representatives surveyed reported that their company uses AI for business operations, but the vast majority (93%) do not.
• Top uses of AI
  - improve business operations
  - improve efficiency and to make decisions
• One-quarter of companies not using AI for business operations are somewhat or very likely to do so in the next 5 years

General privacy insights

• Most CA companies are aware of their responsibilities under CA’s privacy laws and have taken steps to ensure they comply with these laws. 88% of the companies are at least moderately aware of their privacy-related responsibilities and 76% have taken steps to ensure they comply with CA laws
• +65% of CA businesses have implemented the following privacy practices:
  - designated a privacy officer (56%);
  - put in place procedures for dealing with customer complaints about the handling of personal information (53%)
  - or responding to customer requests for access to their personal information (50%);
  - developed internal policies for staff that address privacy obligations (50%).
  33% regularly provide staff with privacy training and education.
• Many companies have a privacy policy (notice) in place, but over time, fewer companies report having one. Most companies that have a privacy policy use plain language to explain their practices with respect to customers’ personal information.
• Few companies have experienced a data breach, but half are prepared to respond to a breach involving personal information.
Federico Marengo’s Post
-
Canadian Businesses and Privacy: A Look at the Numbers Businesses aware of obligations (88%) & taking action to comply with laws (76%). Regularly provide staff with privacy training (33%). #CanadianPrivacy #CASLcompliance
-
🛡️ New State Privacy Laws in the US 🛡️

Several new state consumer privacy laws are set to take effect in 2024, including those in Florida, Oregon, Montana, and Texas. These laws introduce stringent requirements for data controllers and processors, emphasizing the protection of personal information and granting consumers greater control over their data. Key provisions include:

🇺🇸 Oregon Consumer Privacy Act: Effective July 1, 2024, it requires businesses to obtain explicit consent before processing sensitive data and grants consumers rights to access, correct, delete, and port their personal data.
🇺🇸 Texas Data Privacy and Security Act: Effective July 1, 2024, it mandates opt-in consent for the sale of sensitive personal information and applies to a broad range of businesses operating in Texas.
🇺🇸 Montana Consumer Data Privacy Act: Effective October 1, 2024, it includes robust consumer rights and imposes new obligations on data controllers regarding the processing of personal information.

These laws reflect a growing trend toward more comprehensive data privacy protections at the state level, responding to the evolving digital landscape and increasing consumer demand for privacy.

💡 Challenges and Opportunities 💡
While these regulations present challenges, they also offer opportunities for businesses to build trust with their customers by prioritizing data privacy, compliance and security. Adopting best practices in data management and ensuring transparency in data processing can set companies apart in a competitive market.

🚀 How Tillion.ai Can Help 🚀
Tillion isn’t just an AI agent, it's an entire team. Imagine having a privacy expert that reviews your data policies and agreements to understand how data can be used, and a privacy engineer that continuously monitors your codebase to detect and prevent data misuse. That’s Tillion AI.
-
Consider the following research findings:

- 63% of Internet users believe most companies aren’t transparent about how their data is used, and
- 48% have stopped shopping with a company because of privacy concerns. (Staying cyber-secure while working from home by Ratnesh Pandey)
- 87% of users care about their data privacy and believe the way a company treats their personal data is indicative of the way it views them as a customer. (Cisco 2023 Consumer Privacy Survey)
- 88% of users are concerned about risks in how companies use their personal data in generative AI. (Cisco 2023 Consumer Privacy Survey)
- 37% of users have terminated relationships with companies over data, up from 34% only two years ago. (Cisco 2022 Consumer Privacy Survey; not in 2023 study.)

Yet, many companies don't consider deeply enough how well their data privacy management affects business strategy. Very few take into account or measure the customer experience as part of privacy metrics. Instead they focus on programmatic measures, e.g., compliance with laws, audit assessments, numbers of things - updated policies, data subject requests, trainings, privacy assessments, data breaches, etc. These companies add compliance as an "add-on" to their operations, divorced from their strategy.

The benchmark companies, in contrast, spend the majority of their efforts in understanding how to create value for their customers and employees and deepen their relationships with them. They naturally embed required compliance efforts within their operations. They achieve their strategy AND their compliance is a natural - and necessary byproduct - of building enduring relationships with customers, employees and other stakeholders.

One such company is 37Signals, the makers of Basecamp. I've been a delighted Basecamp customer for nearly two decades. They have a Customer Bill of Rights that they live by. Check it out.

The challenge, should you choose to accept it...
Transform compliance so that it is part of your business strategy. Start by asking, "How can we ensure that our business strategy is clear, understood and consistently executed according to our lived values?"
-
Convincing a resistant team about the importance of data privacy requires a combination of clear communication, real-world examples, and alignment with their interests. Here’s how you can approach this:

1. Educate with Real-World Examples
Share case studies of companies that faced massive fines or reputational damage due to privacy breaches (e.g., GDPR fines, Facebook-Cambridge Analytica scandal). Highlight the financial and operational impact of data breaches, including lawsuits, loss of customer trust, and regulatory penalties.

2. Highlight Legal and Regulatory Implications
Explain key data privacy laws like GDPR, CCPA, or HIPAA, and emphasize the potential for penalties if the organization fails to comply. Show how compliance protects the organization from lawsuits or fines, which can directly impact their work or budgets.

3. Emphasize Customer Trust and Business Value
Discuss how privacy concerns affect customer trust. Customers are increasingly choosing businesses that prioritize their data security. Point out studies showing that companies with strong privacy practices often have a competitive advantage and customer loyalty.

4. Speak Their Language
Tailor your message to align with their goals. For example:
For marketing teams: Show how respecting privacy builds brand loyalty and minimizes opt-out rates.
For engineers: Emphasize efficiency in building systems with privacy in mind from the start, avoiding rework later.

5. Demonstrate the Personal Impact
Relate privacy to their own lives. Ask questions like, "How would you feel if your personal information were exposed?" This can make the issue more tangible and relatable.

6. Provide a Roadmap
Show that addressing data privacy doesn’t have to be overwhelming. Outline simple, incremental steps the team can take to improve practices.

7. Leverage Authority and Support
If possible, bring in an expert or external consultant to provide credibility to your argument. Highlight that competitors or industry leaders are prioritizing data privacy.

8. Make it a Team Effort
Involve them in brainstorming sessions on how to improve data privacy practices. This inclusion can foster buy-in and reduce resistance.
-
Data Security with Jeff Sizemore

In the USA there is no federal law for the right of privacy; with that being said, Jeff still considers people’s privacy rights to be as important as ever. In the UK, we have the right of privacy embedded in law under the GDPR, we feel secure that organisations have the right to make sure they have measures in place to protect people’s data. As we have seen week on week, if organisations are not compliant there will be consequences, either damage to reputation or large fines being imposed by the ICO. The recent case of Uber (based in Netherlands) being fined €290,000,000 for illegal data transfer.

Some of the key features of effective data management I believe are having tight security measures in place, governance being up to date, having proper policies and guidance in place.

Jeff on Recruitment into Privacy – Certification is key and someone who understands the technology and the controls around data security is more likely to get hired.

“Trust has become a key issue in people’s decision-making processes”. Jeff suggested privacy could be a ‘paid for feature’ in the future as people start to ask more questions around their privacy matters.

What’s your opinion, privacy professionals? Feel free to comment and share your views. Jamal Ahmed - Interested in your opinion.

In my opinion, I don’t think we should be paying organisations/businesses for them to protect and safeguard our data. I think this is a human right we have, which organisations should protect. It gives the consumers the power to decide which organisations they wish to share their data with and which they would not.
-
Data Privacy in the Era of Big Data: Challenges and Solutions

In today's digital age, data has become a valuable commodity. As businesses and organizations collect and analyze vast amounts of personal information, ensuring data privacy has become a critical concern. With high-profile data breaches making headlines and consumers becoming more aware of their digital footprint, it's essential to examine the challenges of protecting personal data and explore solutions to safeguard privacy rights.

Key Points:

1. The Challenges of Protecting Personal Data
· The exponential growth of data collection and storage
· The complexity of data ecosystems, with information shared across multiple platforms and jurisdictions
· The rise of AI and machine learning, which rely on large datasets to function effectively
· The potential for data misuse, such as targeted advertising or discriminatory practices

2. The Role of Legislation in Safeguarding Privacy
· The impact of the General Data Protection Regulation (GDPR) in the EU
· The California Consumer Privacy Act (CCPA) and its influence on U.S. privacy law
· The need for comprehensive federal privacy legislation in the U.S.
· The importance of global cooperation in enforcing privacy standards

3. Best Practices for Organizations to Ensure Compliance
· Implementing robust data security measures, such as encryption and access controls
· Conducting regular privacy impact assessments and audits
· Providing transparent privacy policies and obtaining informed consent
· Appointing dedicated privacy officers and investing in employee training
· Embracing privacy by design principles in product development

Data privacy is a concern that affects us all, and it's crucial to have an informed discussion about the challenges and potential solutions.

· Data breaches and unauthorized access
· Misuse of personal information by companies
· Lack of transparency in data collection and use
· Insufficient legal protections for consumers

I encourage you to vote and share your perspective in the comments. If you have any personal experiences or insights related to data privacy, please feel free to share them as well.

Navigating data privacy in the age of big data is a complex challenge that requires ongoing attention and collaboration. By staying informed, advocating for robust legal protections, and adopting best practices, we can work towards a future where personal data is respected and protected. Let's continue this important conversation and find solutions that balance the benefits of data-driven innovation with the fundamental right to privacy.

#DataPrivacy #BigData #GDPR #CCPA #CyberSecurity
-
I have been up to a lot recently, but what I want to comment on today concerns data protection.

Post-M&A activities related to data protection involve several interesting issues. One of the simplest is ensuring that the privacy policy of the acquiring entity is updated to reflect the acquisition. When multiple jurisdictions are involved, including the EU, there is typically a main privacy policy, often based on the GDPR as the gold standard, with jurisdiction-specific sections addressing matters not covered in the main policy.

The role of the privacy lawyer here includes identifying inconsistencies between the main privacy policy and the legal requirements of each relevant jurisdiction, ensuring that the jurisdiction-specific section only addresses what the main policy does not already cover. For example, when handling the Nigeria-specific section, the key questions include: considering the provisions of the NDPA, NDPR and the Implementation Framework, are there inconsistencies between the main privacy policy and Nigerian law? What provisions required under Nigerian law are missing from the main policy?

Another point to note—using Nigeria as an example again—is that if a Nigeria-specific section includes provisions not expressly required by Nigerian law but does not conflict with it, it is often best to leave them for the sake of transparency. For instance, if a privacy policy includes a provision stating that the controller would register with the NDPC as a data controller/processor of major importance, the initial thought might be to flag it as unnecessary since this is not required in a privacy policy under Nigerian law (based on section 27 of the NDPA and reg. 2.5 of the NDPR). However, as the provision does not conflict with the law, it may be best to retain it. In any case, reg. 2.5 of the NDPR states that “the privacy policy shall, in addition to any other relevant information, contain the following…”

The lesson here is that small details like these can shape the bigger picture in privacy compliance, as the goal is not merely to tick boxes but also to foster transparency and trust.

That is all for my musings today. Cheers!
-
As privacy takes center stage in 2025, businesses must adapt to new regulations, AI-driven challenges, and rising consumer demands for transparency. Your Privacy Expert shares valuable insights on what lies ahead and how to prepare.
What Should Businesses Expect from Privacy in 2025?

As 2025 approaches, privacy has become a strategic priority, reshaping how businesses operate and compete. With evolving regulations, heightened consumer expectations, and transformative technologies, privacy is no longer just a compliance issue—it’s a cornerstone of trust and innovation. Here are the top privacy trends every business leader needs to know to stay ahead:

🌍 Global Privacy Regulations Are Expanding
New privacy laws are emerging around the world, from India’s Digital Personal Data Protection Act to frameworks across Latin America and Africa. Businesses must prepare for stricter rules on cross-border data transfers and localized data processing. Staying compliant is no longer optional—it’s a must to thrive globally.

🤖 AI and Privacy: The Perfect Storm
AI is transforming industries, but it’s also drawing attention from regulators. By 2025, expect tighter rules around how AI systems handle personal data. Businesses will need to design AI systems with privacy at the core—or risk falling behind.

🔐 Privacy Tech Is a Game-Changer
Managing privacy is complex, but technology is stepping up to the plate. Automated compliance tools, consent management platforms, and AI-powered privacy solutions will dominate the landscape, helping businesses scale privacy efforts effectively.

💡 Consumer Trust Drives Business Growth
Privacy isn’t just a legal obligation—it’s a way to build trust. Customers expect transparency and control over their data. Companies that invest in user-friendly consent tools and clear privacy practices will win customer loyalty in the long run.

🏢 Privacy Is Now a Boardroom Priority
In 2025, privacy will be firmly on the C-suite agenda. Regulators are focusing on leadership accountability, and companies with proactive, privacy-focused leadership will gain a competitive edge.

🚀 The Opportunity Ahead
Privacy is more than a challenge—it’s a business opportunity. Companies that embrace privacy-first innovation will not only comply with regulations but also foster customer trust, strengthen their brand, and drive growth.

Are you ready for the future of privacy? Let’s connect and discuss how your business can lead in 2025!

Your Privacy Expert, Big Cyber Group, Privacy Space, EU Business, EuBusinessMarketing
-
[Australia] Upcoming Australian Privacy Reforms

The Attorney-General and Privacy Commissioner’s recent announcement signals significant reforms on the way.

Individual Rights Take Center Stage:
- Transparency in Automated Decisions: Individuals will have the right to understand how automated decisions (think algorithms) that impact them are made. This necessitates clear communication regarding the data used and the decision-making process.
- Potential Rise in Privacy Lawsuits: We may see an increase in legal action for serious privacy breaches, with the government considering a new statutory tort for such cases.
- Empowering Individuals: The reforms might grant individuals the ability to take direct legal action for privacy violations, further emphasizing the importance of responsible data practices.

Privacy Risk Governance and Data Retention:
- Expanding PIAs: The government is exploring mandatory Privacy Impact Assessments (PIAs) for a wider range of activities, especially those with high privacy risks like facial recognition technology.
- Data Retention Clarity: Regulations requiring businesses to set clear data retention periods and communicate them transparently in privacy statements are a potential future.

The Privacy Commissioner's Call to Action:

Prioritize Fair & Reasonable Data Handling:
- As highlighted by Privacy Commissioner Carly Kind, businesses should prepare for a data handling approach centered on fairness and reasonableness. This means considering individuals' perspectives on how their data is used and minimizing potential harm.

Embrace Privacy-Enhancing Technologies:
- Encouraging the use of emerging solutions like homomorphic encryption and synthetic data to ensure compliance and responsible data practices.
-
Chile is making progress with its Privacy Law! Now, how do you start a Privacy program? Make it simple. I’ve been working in Privacy for many years and here are my tips to start:

1) Start with a draft of your ROPAs (Records of Processing Activities): you can’t protect what you don’t know. So sit down and make a list (by department) of which personal data fields your company is collecting (start with collection and with the data you collect for your own purposes as “data controller”: basically when you decide what to collect and what to do with it), bonus points if you meet with someone of that department and ask them.
HR - list of employee data
IT: employee data - IP, activity logs
Finance: invoicing personal details of vendors, payroll
Sales: client data + Data of your customers/clients when they get your services
Then continue with any data you process or collect while you provide services to another company: you will most likely be a “data processor” here and will have to comply with the client instructions and delete the data when they tell you to do so.

2) While you do the list above, think if you really need to collect that data. Write down why you need it: is it to perform a contract? To comply with your own legal obligations? Is it because you asked people for their consent? Remember that consent of your employee’s data is usually not valid (not freely given).

3) Now you can start drafting your Privacy Policy. Of course I recommend using ours at TELUS International as a start https://lnkd.in/eXhXNB-m Drafting your policy will make you ask yourself many questions: With whom are you sharing the data? How long are you keeping it?

4) Once you have clarity on those questions, start drafting your Data Processing Agreement templates: one that you use with your vendors (controller-processor) and one you use with your own clients (this one will depend on your industry, but most -not all- service providers are processors). OpenAI has their own template available online on their website: https://lnkd.in/ey5hKksG

5) Start assessing the risk of your processing activities as a controller. Do you need a Data Privacy Impact Assessment? Ask yourself that question with this template: https://lnkd.in/evqt47B5 Do one if you answer Yes. Use this to do one: https://lnkd.in/e2AsUNsJ

6) Finally, with the work you did with your ROPAs in point 1) you should have an idea of which data you hold from people. Start drafting a process on what to do when you get your deletion and access requests from people:
- work together with IT, they might be able to get you the data automatically
- don’t delete anything if you need it to prove your own compliance with the law.

This is just a start but it will help you a lot as guidance. Any other tips?
Data Protection & Governance dude | Founding member of Data Protection City | unCommon Sense "creative" | Proud dad of 2 daughters
8mo
Interesting, but I'm afraid some of these conclusions were based on what assessed companies said, not what they're doing, or, God forbid, based on the actual results of their work. Being somehow aware, taking steps and drawing some policies, or just nominating a DPO do not mean compliance... not even close to this.