PRIVACY COMPLIANCE

Tech DNA bridges the gap between tech and law to accurately identify privacy violations and risks.

ACTUAL PRIVACY COMPLIANCE STARTS WITH THE TECH ITSELF.

We look at data in, data processing, data storage, and data out. We look at database schemas, APIs, messaging queues, pipelines, caches, logs, secrets management – you name it, we look for it. In the code itself.


BRIDGING THE GAP

Once we fully understand the data a system has and processes, we then apply the appropriate regulatory regime or regimes.

GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR imposes a number of technical requirements on software (including ML/AI), all of which we review: privacy by design and by default; DPIA technical accuracy; legal basis mapping and compliance, including consent demonstrability, consent fidelity, and robustness of degraded operation when consent is denied; data classification by column and by row; controller / processor nomination, including accidental controller processing and security reasonableness; data sovereignty and region management, including HA/DR implications; data location inventories; dataset ageing and pseudonymization.
CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
Global Clients/Targets: For global clients subject to the GDPR, we evaluate only the additional regulatory factors the CCPA brings above the GDPR, specifically the addition of “household” to personal information, the password encryption safe harbor standard, and the extremely broad definition of “sale” with its mandatory home page opt-out.

US-only Clients/Targets: For US-only projects, in addition to the above we assess the full CCPA, including identification of all data collected and how it is stored and tagged, notice tracking, consent tracking, reasonable and proportionate business purpose validation, consumer rights compliance and propagation, non-discrimination compliance, and the value provided by data where it is used for financial incentives.
HIPAA SECURITY & PRIVACY RULES
HIPAA’s Privacy and Security Rules impose a number of administrative, physical and technical safeguards on software. We assess HIPAA compliance of “Business Associates” – the HIPAA term for SaaS and other technology providers – across a range of relevant technical areas: understanding of PHI and which data and datasets qualify as PHI; de-identification under either the safe harbor or the expert determination standard; technical accuracy and implementation history of risk analysis and risk management; compliance with HIPAA itself and with the HIPAA-required Business Associate Agreements, including data usage allowances; covered entity compliance support and/or impairment; emergency mode procedures; and breach notification preparedness.
OTHER PRIVACY REGIMES
We also evaluate the Children's Online Privacy Protection Rule (COPPA), the Family Educational Rights and Privacy Act (FERPA), SOX, and Indiana's Biometric Information Privacy Act (BIPA).

Integrated

Part of Full Risk Assessment

We assess the technical privacy compliance of software or a machine learning algorithm as a standalone assessment.

Standalone

Privacy Risk Only

We assess the technical privacy compliance of software or a machine learning algorithm as a standalone assessment.