Tag: compliance

Education, GDPR, General Data Protection Regulation, Tip of the Week

GDPR and Running Your Business

RISC

We at RISC Management and Consulting have our online store through Shopify and use a multitude of applications (apps). We’ve always managed our business in a transparent and ethical way. However, with the GDPR’s forthcoming effect tomorrow, we want to help you take steps to assure merchants your apps are GDPR compliant!

General Data Protection Regulation or GDPR is the EU Regulation 2016/679. This regulation deals with the “protection of natural persons with regard to the processing of personal data and on the free movement of such data”.  It will be applicable as of May 25th, 2018 in all member states to integrate data privacy laws across Europe. The regulation came into force on May 24th, 2016. If you serve sellers, retailers, and businessperson, that could have customers based in Europe, then this regulation will affect you.Coming soon

Key Issues of the GDPR

  • Consent
  • Data Protection Officer
  • Email Marketing
  • Encryption
  • Fitness/Penalties
  • Information Obligations
  • Order Processing
  • Personal Data
  • Privacy by Design
  • Privacy Impact Assessment
  • Records of Processing Activities
  • Right of Access
  • Right to be Forgotten
  • Third Countries

Shopify apps

Be mindful of data request and permissions needed

When merchants are deciding to connect your app to their store, it’s important for them to be clear on which parts of your store they’re giving you access to when they install your app.

if you request any permissions that don’t seem to align with what your app provides, we recommend that you:

  • Update your app listing to be clear on why your app requires permission to that/those piece(s) or data
  • Consider if your app does indeed actually require that permission, and disconnect from that API endpoint if it doesn’t

Merchants know that apps often need access to certain pieces of data in order to carry out certain actions or features. However, it’s important to remember that asking for permission to data that doesn’t seem necessary for your app to access can erode merchant trust.

Communicate your use of data through a privacy policy

Beyond letting merchants know what information you’ll be accessing, GDPR also requires that you provide all users of your product (i.e. your app) with detailed information about how exactly your app uses the personal information it collects. One simple but in-depth way to do this is through your app’s privacy policy. 

Ensure you have a secure, organized system for storing data

One of the most important data rights that GDPR specifies is the right all individuals have to access, correct, or have their personal data erased. This means that not only do you need to have a process for retrieving and deleting merchant data upon request, you also need to be able to easily delete your merchant’s customer’s data from your app as well. The first step in being able to do this is to ensure that all personal data you collect is stored in a secure and organized way.

We included the Fact Sheet from the European Commission where they addressed several improvements to execute with data protection violations in the future.

Education, HIPAA / HITECH Enforcement

Resolve to Manage your Privacy and Security in the New Year

RISC

RISC Happy New Year 2014 Silver

There’s nothing like a fresh, new calendar to inspire new initiatives and renewed emphasis on business improvements. So it is with information security, too, and we here at RISC Management & Consulting offer a few ideas for your business resolutions – or in some cases, revolutions — in the New Year.

Prepare a Plan B: One of the best parts about the beginning of the new year is the excitement in the potential of the future. Right now, while you are reveling in the open road of the future and its upside, consider how you’d weather a storm. Do some planning for business continuity and disaster recovery. Don’t just jump headlong requiring these plans of employees who haven’t done this before. Base your plans on sound fundamentals such as relative impact determined by a Business Impact Analysis (BIA).

Review your firm’s security policies: If your policy manual hasn’t been updated within the last year, it’s time.

Create a workforce privacy and security training program for staff: Such a program would be offered regularly, included in the training for new hire and updated whenever new infrastructure or applications are implemented, or when legal requirements change. Don’t start from scratch; get help and referrals from others in your business. RISC has been educating regulated workforce members regularly delivering programs to industry and accreditation bodies. Already have a good staff training program? A RISC Management policy effectiveness assessment can identify whether your staff is knowledgeable about the content, requirements, and location of your organization’s policies. Are team members following your policy requirements when nobody is looking? RISC can help you to find out.

Invest in a data loss prevention solution: There are many ways to protect regulated, sensitive or confidential employee, customer or company information and safeguard intellectual property across electronic communications channels, including email (SMTP), Web (HTTP), Secure Web (HTTPS) and File Transfer Protocol (FTP) plus online applications and services such as WebMail, social networks, blogs and Wikis. Various tools offered by RISC Management enable healthcare organizations, financial institutions, banks, universities, and any concerned, responsible, business of any size, to effectively monitor, enforce and audit the loss of confidential data.

Spend two minutes learning more about the latest Omnibus Rule Changes to improve privacy protections and security safeguards in the Health Insurance Portability and Accountability Act of 1996 and how RISC Management can help you tackle those changes head-on. Click on https://riscconsulting.com/2013/09/23/final-omnibus-rule-changes-and-how-risc-can-help/ for the video.

Don’t let fear of a data breach keep you awake at night: Schedule a vulnerability test and learn ways you can protect your systems from the bad guys.  Run a data breach response drill to practice on a scenario so there is less panic when responding to the real thing.

Create a formal process to document and approve changes to your computer applications and operating systems: Sounds simple, but in practice, such a process can prevent chaos and unintentional security problems. Need help? RISC Management can start with a risk analysis to identify and document potential gaps, and help build a change management program.

Brush up on innovations in health information technology: Why does this matter? Modern systems typically provide better security protocols and often result in financial benefits to stakeholders. Consider attending the Healthcare Information and Management Systems Society annual conference, more commonly known as HIMSS14. It’s Feb. 23-27, 2014, in Orlando, Florida, and former Secretary of State Hillary Rodham Clinton and Aetna CEO Mark Berollini are among keynote speakers. Visit http://www.himssconference.org/ for more information.

Best wishes from RISC Management & Consulting on a Prosperous, Secure, and Compliant New Year!