
Nymity, a data privacy compliance company, has developed a Privacy Management Accountability Framework (PMAF). It has helped organizations around the world comply with privacy laws. See a copy of the framework below, and here. In a January 14, 2019 letter to NIST, Nymity provided an outline of its PMAF in response to NIST's general request for information on a privacy framework.



Nymity's framework is not intended to be a checklist. An organization need not perform all of the 130 tasks in the 13 listed categories; it should instead select those which most clearly address its own concerns. Organizations can use the framework to show due diligence in attempting to prevent data breaches, and to confirm that they have procedures in place that are followed by each of their departments.


Nymity can cross-reference data privacy laws to the framework to show how various regulations require organizations to take differing or equivalent steps:



The letter lists how likely different types of data processing are to affect the rights of individuals:



The framework covers these 13 categories, in which are given some of the key steps an organization can take to ensure data privacy:


  1. Maintain Governance Structure - appoint Data Protection Officer.

  2. Maintain Personal Data Inventory and Data Transfer Mechanisms - register databases with regulators.

  3. Maintain Internal Data Privacy Policy - the organizational code of conduct should include privacy concerns.

  4. Embed Data Privacy into Operations - integrate data privacy into record retention practices.

  5. Maintain Training and Awareness Program - conduct privacy training reflecting job-specific content.

  6. Manage Information Security Risk - take measures to encrypt data.

  7. Manage Third-Party Risk - confirm the data privacy measures of vendors.

  8. Maintain Notices - provide notice in contracts of data privacy policies.

  9. Respond to Requests and Complaints from Individuals - investigate root causes of data privacy complaints.

  10. Monitor for New Operational Practices - guidelines for Data Protection Impact Assessments (DPIA) and Privacy Impact Assessments (PIA).

  11. Maintain Data Privacy Breach Management Program - maintain a log to track data privacy incidents.

  12. Monitor Data Handling Practices - conduct internal audits.

  13. Track External Criteria - seek legal opinions regarding new laws.

  • Feb 5, 2021

Max Schrems, the plaintiff in the case in which the EU Court of Justice ruled that the European Union/United States Privacy Shield was inadequate under the GDPR for data transfers, has started an organization, NOYB (None Of Your Business), which files GDPR-related complaints. NOYB has created a site, GDPRHub, to organize information related to the GDPR.


The site posts decisions (and summaries of those decisions) by European data protection authorities and the courts of various countries in the EU.




The site also provides outlines for the data protection laws in each European Union member country.



GDPRHub is still a work in progress, but it's a good way to get a quick handle on GDPR-related case law.


NOYB filed a complaint with France's Commission nationale de l'informatique et des libertés (CNIL) which led CNIL to issue a 50 million euro fine against Google for failing to obtain users' consent to process their data.

Earlier this month, California voters approved Prop 24, new legislation which will replace the California Consumer Privacy Act (CCPA), discussed in the Tip of the Night for December 31, 2019. The California Privacy Rights Act (CPRA) will supersede the CCPA on January 1, 2023. The CPRA is designed to remove the burden on small businesses by exempting those which collect personal information from fewer than 100,000 consumers. Under the CCPA, businesses had to comply with the provisions of the law if they collected data from more than 50,000 consumers.


Under the new law, businesses can request up to 90 days to disclose, correct, or delete personal information pursuant to an individual's request when a period of three months is reasonably necessary to comply with the request.


The law creates a new category of data called 'sensitive personal information', which includes SSNs; passport IDs; driver license IDs; login information for financial accounts; geolocation data; email and text message content; genetic data; and biometric data used for identification.

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.