Categorizing data as “sensitive” is a common feature in U.S. state privacy law, as well as the EU’s GDPR (which uses the term “special category” for similar personal data).[1] What is considered sensitive data varies from state to state, as well as the obligations that come with it. Colorado, Connecticut, Florida, Indiana, Montana, Oregon
privacy framework
Aug. 15 WEBINAR | The New EU-U.S. Data Privacy Framework: What You Need to Know and Practical Considerations
Please join members of Greenberg Traurig’s Data Privacy & Cybersecurity team for a 1-hour, CLE-eligible webinar “The New EU-U.S. Data Privacy Framework: What You Need to Know and Practical Considerations” Aug. 15 from 12 – 1 p.m. ET.
On July 10, 2023, after years of negotiations between the European Commission and the U.S. government, the…
New EU-U.S. Data Privacy Framework and Website Now Effective for Cross-Border EU Personal Data Transfers to the United States
On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision for the United States, resulting in the new EU-U.S. Data Privacy Framework (DPF or Framework). For more information, see our European Commission Adopts EU-U.S. Adequacy Decision blog post.
Qualified Adequacy Decision for the United States. Typically, EC…
European Commission Adopts EU-U.S. Adequacy Decision
On July 10, 2023, the European Commission adopted its long-awaited adequacy decision on the EU-U.S. Data Privacy Framework (the “Framework”) thereby concluding that the United States ensures an adequate level of protection for personal data that are transferred from the European Union to companies in the U.S. that participate in the Framework.
The…
Do privacy frameworks ensure that a company is compliant with data privacy laws?
No. A privacy framework describes a set of standards or concepts around which a company bases its privacy program. Typically, a privacy framework does not attempt to include all privacy-related requirements imposed by law or account for the privacy requirements of any particular legal system or regime. As a result, a company can utilize a…
UPDATED FOR COLORADO: What is considered sensitive personal information?
Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not…
Thinking beyond the law: Does the ISO 27701 privacy framework use the same principles that are found within the ISO 29011 framework?
The ISO 29100 privacy framework sets forth the following eleven core principles:
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness, transparency, and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
The ISO 27701 privacy framework is not explicitly organized using the…
Thinking beyond the law: If our organization adopts the ISO 27701 privacy framework, how many controls do we need to address?
While theoretically an organization could adopt ISO 27701 as a separate standalone framework to apply to an organization’s privacy program, the framework was conceptualized as an extension of the ISO data security standards. As a result, it is organized based upon the assumption that an organization already has a security program that is built off…
Thinking beyond the law: What is the ISO 27701 privacy framework?
In 2019, the International Organization for Standards joint technical committee ISO/IEC JTC1, Information technology subcommittee SC27, developed a privacy framework that was intended to build off of the existing ISO data security standards – i.e., ISO/IEC 27001:2013 (Information security management systems) and ISO/IEC 27002:2013 (Code of practice for information security controls) – by integrating into…
Does the NIST privacy framework require that companies score themselves?
No. The NIST privacy framework recommends that companies summarize their maturity with respect to each category by using four “Tiers.” The Tiers are intended to describe whether the current practices of the company with respect to the domain are partially in place (Tier 1), risk informed (Tier 2), repeatable (Tier 3), or adaptive (Tier 4).…