.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Read Now
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Hello all, and happy Thursday!
For those of you who pay close attention to the data privacy space, the data privacy advocacy group “none of your business” (stylized as noyb) will be a familiar name.
noyb has recently released the results of a new survey (linked below) recording the responses of over 1,000 data protection officers (DPOs), and the results are illuminating. (Although we do need to keep the potential for bias in mind—noyb can’t be considered a neutral party in the data privacy space).
The headline findings included:
- 70% of respondents believe that authorities need to issue clear decisions and enforce the GDPR to ensure compliance, and
- 74% say that authorities would find “relevant violations" if they walked through the door of an average company.
These findings don’t surprise me, however. After all, what DPO is going to advocate for unclear decisions and less enforcement? What DPO isn’t acutely aware of the businesses’ compliance shortcomings?
Rather, I think some of the more interesting findings refer to the conflict between supporting compliance and supporting the business. DPOs and privacy professionals as a whole are in a tough spot; on the one hand, they have to minimize risk and support compliance, but on the other, they have to be an enabler of the business and not a blocker. The noyb report highlights this conflict, finding that:
- 46% of respondents said that sales and marketing were actively pressuring them to limit compliance.
- 32% felt pressured by members of senior management.
- 56% of respondents said it was difficult to convince the marketing department to pursue compliance.
- 38.5% had problems convincing senior management.
Figures like these make me wonder: Would sales, marketing, and senior management find compliance so burdensome if they enabled their privacy professional or DPO to the fullest extent? Is compliance a zero-sum game or can sales, marketing, senior management, and privacy all win at the same time? I’m inclined to think the latter.
Best
Arlo
P.S. Our CPRA enforcement webinar is taking place TODAY at 1 pm EST, 10 am PST. If you see this early enough, you might still be able to reserve your seat!
.png?width=800&height=450&name=KPMG%20Data%20mapping%20webinar%20newsletter%20CTA%20(1).png)
Top Privacy Stories of the Week
President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data
President Joe Biden is preparing to issue an executive order aimed at prohibiting US adversaries from accessing US personal data. The draft order targets “highly sensitive” data, including genetic and location information, and would bar foreign adversaries from obtaining this data through legal means such as intermediaries, data brokers, third-party vendors, employment agreements, or investment agreements.
ChatGPT Is Violating Europe’s Privacy Laws, Italian DPA Tells OpenAI
Following a months-long investigation of ChatGPT by Italy’s data protection authority, OpenAI has been notified that their AI chatbot is violating EU laws and was given 30 days to respond with a defense against the allegations. Specifically, the Italian data protection authority alleges that ChatGPT is in violation of Articles 5, 6, 8, 13, and 25 of the GDPR.
'Mother of All Data Breaches'—26 Billion Records Leaked
Cybersecurity researcher Bob Dyachenko and Cybernews.com team have discovered billions upon billions of exposed records on an open instance. The Mother of all Breaches (MOAB for short) includes records from thousands of compiled and reindexed leaks, breaches, and privately sold databases. Ultimately, the records comprise 12 terabytes of information, spanning over 26 billion records of contains LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data.
noyb Study: 3 out of 4 Experts Say DPAs Would Find Violations at Most Companies if They Investigated
To mark this year’s Data Protection Day on 28 January, European data privacy advocacy group noyb (or “none of your business”) conducted a survey among more than 1000 data protection professionals working in European companies. The report highlighted how many businesses may be out of compliance, how DPOs face pressure to go easy on compliance, and more.
Apple Warns Proposed UK Law Will Affect Software Updates Around the World
Amendments to the UK’s Investigatory Powers Act (IPA) could enable the UK government to “secretly veto” privacy and security updates to Apple’s products and services, said the tech giant. If passed, the amendment would require that any company that fields government data requests must notify UK officials of any updates they plan to make that could restrict the UK government's access to this data, including any updates impacting users outside the UK. Apple contends this would enable the UK Secretary of State to approve or refuse technical changes.
Osano blog, in partnership with Venminder:
Managing Vendor Risks With Privacy and Information Security Team Collaboration
When third-party vendors handle your consumers’ data, it can be a major challenge to maintain and monitor compliance—not to mention ensure your consumers’ data stays safe. Vendor risk management can help, but effective vendor risk management requires robust collaboration between your privacy and information security teams. Find out how to encourage that collaboration here.
If you’re interested in working at Osano, check out our Careers page!