Executive Summary of the California Consumer Privacy Act (CCPA)

On June 28, 2018, California signed into law Assembly Bill 375, the California Consumer Privacy Act (“CCPA”).  Scheduled to be effective January 1, 2020, the CCPA is based on the principles that, “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against[…]

GDPR: Understanding the Impact of Automated Decision Making and Profiling (Whitepaper)

Profiling and automated decision-making are not prohibited under GDPR.  However, both of these activities are subject to detailed requirements on when they can legitimately be performed and what must be communicated to data subjects. Key Questions: 1| How are automated decision-making and profiling defined under GDPR? 2| How do the general rules of GDPR apply[…]

GDPR: Understanding the Roles and Responsibilities of Cloud Service Providers (Whitepaper)

Whether it is software or infrastructure as a service (SaaS/IaaS), almost everyone is relying on the cloud. Have you considered how this impacts your GDPR strategy? In this whitepaper we set out to clarify the role of cloud service providers as well as users of cloud services. Key Questions: 1) What is your role(s)[…]

New Guidance Clarifies GDPR’s Data Protection Impact Assessment (DPIA) Requirements

The Data Protection Impact Assessment (DPIA) is a significant new burden on data controllers under GDPR.  As many have noted, GDPR does not clearly outline when a DPIA is required, instead referring to processing “likely to result in a high risk to the rights and freedoms of natural persons.” Article 35(4) charges supervisory authorities with[…]

GDPR: Simplifying the Data Protection Impact Assessment Requirement (Whitepaper)

The EU’s new General Data Protection Regulation (“GDPR”) introduces the concept of a Data Protection Impact Assessment (“DPIA”), defined as an analysis of the risks of processing operations on the “rights and freedoms” of data subjects. This means that if your company is processing the data of individuals who are EU citizens, you may have to[…]

GDPR: Simplifying the Complex Vocabulary of the General Data Protection Regulation (Whitepaper)

Approved by the European Union on April 14, 2016 and fully enforceable beginning May 25, 2018, General Data Protection Regulation (GDPR) is arguably the most wide-reaching change to privacy requirements to date. How wide reaching is GDPR? If you are located in the EU and control or process personal data, if you offer goods or[…]

Quality Work Does Not Mean Quality Service

“Managing the Professional Services Firm” by David Maister is considered to be “core canon” among consulting professionals. Though it was originally published over 25 years ago (1993), it has aged gracefully and almost all of its content is still relevant today. One of our team’s favorite distinctions, as pointed out by Maister, is the difference[…]

GDPR: Simplifying the General Data Protection Regulation (Whitepaper)

Approved by the European Union on April 14, 2017 and fully enforceable beginning May 25, 2018, General Data Protection Regulation (GDPR) is arguably the most wide-reaching change to privacy requirements to date. How wide reaching is GDPR? If you are located in the EU and control or process personal data, if you offer goods or[…]

Developing an IT Audit & Security Plan for Microsoft Office 365

Our team was recently tasked with developing an audit plan for Microsoft Office 365. While there are plenty of tools available to assist organizations with performing ongoing audits of user privileges and object permissions in Microsoft Office 365, we were hard pressed to find any solid thought leadership on auditing Office 365 beyond user and[…]

Symantec, Illegitimate Certificates & Why We Should Care

In 2015, Symantec was caught issuing improperly signed cryptographic certificates which could be used to break HTTPS and put internet users at risk. Some of the improperly issued certificates were issued to Google-owned domains, which, if used maliciously, could allow for impersonation of HTTPS-protected Google websites. Understandably, Google was very upset and responded[…]