Greetings from Brussels!

It has been an interesting time of late for British Airways, one of the first organizations to have a highly publicized breach in the GDPR era, and so likely to be a test case for many in the privacy ecosystem.

Last week, as you’ll undoubtedly know, BA had to notify the U.K. authorities of a serious data breach of their online systems, both to as well as the mobile app platform, after hundreds of thousands of customers' personal and financial details were stolen. The airline said the hacking activity continued — undetected — for almost two weeks, between 21 Aug. and 5 Sept., with 380,000 payments compromised. Incidentally, and as reported by BA, stolen information did not include travel or passport details.

The airline’s boss, Alex Cruz, apologized for what he says was a sophisticated breach of the firm's security systems and promised compensation, telling the BBC, "We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered."

With the GDPR now in force since May, it is mandatory for companies to report data breaches and hacking activity within a 72-hour timeframe, and, to their credit, BA complied and duly reported the breach once discovered. There have been some well-publicized cases in the past where it took more than two years to report sizable data breaches; in this instance, you have to say the new regulation is having an impact.

In a further development that could only happen post-GDPR, on Monday, SPG Law, the U.K. branch of U.S. law firm Sanders Phillips Grossman, said that it was planning to launch a 500 million GBP group action — the British version of a class-action lawsuit — unless the airline opts to settle. The firm maintains that BA has not gone far enough in seeking to compensate only those customers who have (or will) experience direct financial impact from the breach; it states that BA should be awarding customers "compensation for inconvenience, distress and annoyance associated with the data leak." Incidentally, 500 million GBP equates with 4 percent of BA’s global revenue — the maximum fine under the GDPR. SPG Law maintains that BA is liable to compensate for non-material damage under the U.K. Data Protection Act 2018, the revised version that went into effect in May, which includes but is not limited to all the GDPR requirements. The GDPR article argued by SPG Law is Article 82 — "Right to compensation and liability" — which states, "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered." Whether the lawsuit actually sees the light of day, we will have to wait and see.

In the meantime, BA says its investigation continues and that it is cooperating with the police and cyber specialists. The ICO has said its inquiries into the breach are continuing. Busy times for the BA privacy team, no doubt. And something to watch for organizations still trying to understand how the GDPR has changed the privacy landscape.

Paul Jordan
Managing Director
IAPP Europe

Save 100 euros now!


Register NOW and save 100 euros on the IAPP Europe Data Protection Congress 2018. Join Europe’s data protection community in Brussels this November to collaborate, strategize and regroup after one of the biggest years in privacy.
IAPP Europe Data Protection Congress 2018
Certification Training, 26-27 November
Workshops, 27 November
Conference, 28-29 November | Brussels

Early Bird Registration


Under GDPR, large-scale data processing is considered ‘high risk’

Under the EU General Data Protection Regulation, companies are expected to make an assessment of their processing operations, the types and volume of data they are processing, and to decide what technical and operational measures might be required to mitigate possible risks to the rights and freedoms of data subjects. Documenting what you need to do and want to do makes sense, but doing so on the basis of a risk-based approach offers some challenges. What should be considered risky processing? For one, large-scale data processing, Paul Breitbarth writes in this article for The Privacy Advisor. 
Full Story


Court rules GCHQ bulk collection violated human rights

In a long-awaited decision out of Strasbourg, France, the European Court of Human Rights has ruled the U.K. Government Communications Headquarters bulk intelligence program violated privacy, the Guardian reports. In a detailed decision, the ECHR looked at three aspects of surveillance: bulk collection of digital communications, the sharing of intelligence with other agencies, and obtaining communications data from telecommunications companies. In a five-to-two vote, the judges found that the GCHQ's bulk intelligence operations violated Article 8 of the European Convention on Human Rights due to insufficient safeguards. The GCHQ did not, however, violate Article 10 when it shared intelligence with other foreign governments. The legal challenge initially came in the wake of the Snowden revelations and was brought by 14 human rights organizations. 
Full Story


UK government offers guidance on potential of no Brexit deal

The U.K. Department for Digital, Culture, Media & Sport has released guidance on the possibility of the U.K. and the European Union failing to reach a Brexit agreement. The department states the likelihood the two sides do not reach a deal is low; however, the U.K. government still would take the proper steps needed in the absence of an agreement. The agency said data transfers with EU organizations will depend on whether the U.K. maintains its adequacy standing. Should the U.K. not receive the sign-off from the EU, British companies will need to work with their EU counterparts to find legal measures to transfer information, with the most likely avenue involving standard contractual clauses.
Full Story


Italian decree for GDPR implementation published

A blog post for Hogan Lovells reports on the Italian Legislative Decree, published 4 Sept. in the Official Journal, which sets forth national implementation for the EU General Data Protection Regulation. The article provides a summary of the most relevant provisions that integrate the GDPR, adding that while it maintains the structure of the former Legislative Decree, it has been amended and integrates provisions that were left to member states to include. The new decree will take force 19 Sept. 2018 and will govern the transition of privacy regimes.
Full Story


MEPs approve new data protection rules for EU institutions

Members of the European Parliament approved new data protection rules that will ensure a strong framework for data processing in EU institutions, bodies and agencies, updating existing rules to be in line with the EU General Data Protection Regulation and the proposed e-privacy rules. The new rules empower the role of the European Data Protection Supervisor to ensure the application of the rules, as well as the ability to fine EU institutions or bodies that fail to comply. While the new rules were approved, they require the formal approval of the council and will take effect 20 days after publication.
Full Story


What might a GDPR cease-processing order look like?

As part of an enforcement discussion at the IAPP Global Summit this spring, Irish Data Protection Commissioner Helen Dixon noted that much attention has been focused on the fining powers data protection authorities possess, while in some cases, the appropriate action might be a cease-processing order, which could be just as disruptive to an organization's activities. Cease-processing orders are not new remedies under the EU General Data Protection Regulation. Ireland’s former commissioner, Billy Hawkes, put one in place against the company Loyaltybuild in 2013 following a data breach. So what was the Loyaltybuild case all about, and how might organizations face similar outcomes under the GDPR? Miranda Jang, CIPM, reports in this article for The Privacy Advisor.
Full Story



European Commission proposes fining groups for misusing voter data

The European Commission released a proposal penalizing groups for misusing voter data to influence elections, Reuters reports. The commission is taking steps to avoid a repeat of the Facebook-Cambridge Analytica scandal, while ensuring next year’s elections are not affected by malicious actors. The proposal is aimed toward political parties and foundations and could result in fines as high as 5 percent of their annual budget if they were found to have violated data protection rules in order to impact election results. “We must protect our free and fair elections,” said European Commission President Jean-Claude Juncker, who called for “new rules to better protect our democratic processes from manipulation by third countries or private interests.” Editor's Note: Colin Bennett recently discussed the use of personal data by political parties in a post for Privacy Perspectives.
Full Story


Why privacy compliance matters to a company’s valuation

The EU General Data Protection Regulation grabbed the world’s attention with its unprecedented (potential) fines since it came into effect 25 May. However, its true impact goes much further, as it also empowers the regulators to issue corrective actions that can, in turn, disrupt a company’s core activities. The reality now is that complying with privacy laws such as the GDPR plays an increasingly significant role in a company’s valuation, Qian Li Loke, CIPP/A, CIPM, FIP, and Luis Alberto Montezuma, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP, write in this article for The Privacy Advisor.
Full Story


CJEU hears arguments in right-to-be-forgotten case

Seven hours of arguments were presented Tuesday to the Court of Justice of the European Union on a right-to-be-forgotten case involving Google and France's data protection authority, the CNIL, Politico reports. The CNIL has requested that Google apply delisting decisions worldwide, but Google says that would allow oppressive nations to apply their laws internationally. Jean Lessi, secretary-general of the CNIL, said, "The proposed solution from the CNIL may be a bold one. ... But it's based on a bold decision by EU officials." However, Patrice Spinosi, a lawyer representing Google, said, "The worldwide delisting system proposed by the CNIL is completely untenable." If the court decided on behalf of the CNIL, "It would be disastrous, not just for European citizens but for all internet users," argued Emmanuel Piwnica, a lawyer for Microsoft.
Full Story 


European Commission sides with Google in RTBF case

As the Court of Justice of the European Union heard arguments in the right-to-be-forgotten case between Google and France’s data protection authority, the CNIL, the European Commission ended up siding with the tech company on parts of the issue, The Wall Street Journal reports. The commission, as well as countries such as Ireland and Greece, believes a global application of the right to be forgotten would end up stretching EU privacy laws past their intended design. While the commission agreed with Google on this point, the two entities disagreed over whether the tech company should use geolocation technology to remove results from all its websites if the person conducting the search is within the EU. (Registration may be required to access this story.)
Full Story


British Airways suffers data breach affecting 380K transactions

British Airways has suffered a data breach affecting 380,000 transactions, BBC News reports. The airline revealed personal details and financial information were compromised during the breach; however, passport and travel details were not among the stolen information. British Airways Chief Executive and Chairman Alex Cruz apologized for the breach, adding the company will compensate anyone who suffers a fraudulent transaction stemming from the incident. In a post on their site, British Airways states the breach took place from 21 Aug. to 5 Sept. and that the airline has reported the cyberattack to the U.K. Information Commissioner's Office.
Full Story


Adversaries injected credit card-skimming malware into airline website

Ars Technica reports malicious JavaScript code was likely behind the data breach suffered by British Airways. RiskIQ Head Researcher Yonathan Klijnsma pointed out the script used in the attack is associated with Magecart, a "threat group" that some suspect was behind the Ticketmaster UK data breach earlier this year. “This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” Klijnsma said. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.” Meanwhile, data recovery company Veeam suffered a breach exposing more than 440 million email addresses.
Full Story

Sponsored Content

When to automate your privacy program?

1. Volume: Do you have sufficient volumes of privacy management activities that justify the acquisition of a software solution?
2. Complexity: How complex are your business processes? Complexity could come in the form of vast types of processing activities, multiple locations of business, high-risk technical processing, and complicated legal obligations. When the complexity is high, a good software solution can help address your needs.
Automate privacy management activities justified by volumes or complexity.

Learn More


EC's approval of Apple-Shazam could lead to similar deals

The European Commission’s approval of the Apple-Shazam deal could open the door for similar proposals involving companies holding large amounts of data, Bloomberg Law reports. By approving the Apple-Shazam arrangement, deals such as one the between Microsoft and GitHub are more likely to move forward, as regulators are gaining a better understanding of the ways companies are using information. One of the major sticking points for the commission was that Apple and Shazam are not direct competitors, meaning a merger between the two companies will not directly harm any competitors.
Full Story


Aligning Morocco's privacy protections with the GDPR

In July, the Moroccan data protection authority held a joint seminar with the Delegation of the European Union to Morocco to present the outcomes of a study they conducted on opportunities to bring the Moroccan legal framework for the protection of personal data closer to the EU General Data Protection Regulation. In this Privacy Tracker post, Hind Chenaoui, CIPP/E, CIPM, offers a look at why this alignment is important for Morocco, the steps the nation has already taken, and the findings of the study. The seminar "aimed to inform the ministries, concerned public institutions, the private sector, and the civil society of the areas of convergence and divergence" between the laws, writes Chenaoui, and outlined three possible scenarios for revising the law.
Full Story

Sponsored Content

Free, half-day GDPR implementation workshops — 4.5 IAPP CPE credit hours

Registration open for global series of free workshops to meet the demands of privacy professionals requesting focused, hands-on time diving into the operational details and best practices associated with GDPR and ePrivacy Directive. Workshops include structured educational sessions, peer-led discussions, networking, and qualify for 4.5 CPE credit hours.

RSVP Today at


Roundup: Bahrain, Morocco, Russia, US and more

In this week’s Privacy Tracker legislative roundup, read about Morocco's new privacy regulations set to take force 13 Sept. and the requirements of the Kingdom of Bahrain's new national data protection law. In Russia, Federation Council members introduced a bill that would enhance the security of how fiscal data is handled. In the U.S., the House passed tech and cyber bills last week, including the Cyber Deterrence and Response Act, and the House Financial Services Committee introduced new data breach notification legislation for financial institutions. Read about this and more in this week’s Privacy Tracker global legislative roundup. (IAPP member login required.)
Full Story


How to enable effective privacy operations with functional requirements

In the run-up to the EU General Data Protection Regulation’s effective date, many businesses that thought they were prepared to meet their new GDPR obligations quickly found out more would be required than updated policies and procedures. It’s really about active, cross-functional collaboration between privacy and information technology. In this article for The Privacy Advisor, Dan Goldstein, CIPP/E, CIPP/US, and Shawna Doran, CIPP/E, CIPP/US, have some advice on how businesses struggling can operationalize key compliance components via “functional requirements” guidance for privacy and IT teams.
Full Story

MetaCompliance_IAPP Banner-Roadshow_121817


Podcast: How 57 women won a trip to DEFCON, and why it matters

Ask anyone who frequents DEFCON, known as a sort of summer camp for hackers, and they'll tell you the attendee roster at the wildly popular white hat event is overwhelmingly male. Rachel Tobac, chair of the board at Women in Security and Privacy, has been going to DEFCON to compete in Social Engineering Capture the Flag for the last three years, and winning. She has gained some notoriety for it, including appearing on this podcast twice before. But noticing she was very much in the minority as a female attendee, she decided she didn't just want to go to DEFCON this year; she wanted to bring women working in privacy and security with her — an effort that initially saw two women winning sponsorships to attend ended in 57 actually boarding a flight to Vegas. In this episode of The Privacy Advisor Podcast, Tobac tells us how it happened and why it matters. Editor's Note: Check out Tobac's first two podcasts to hear about how she won big at DEFCON here and here
Full Story


IAPP welcomes first wave of Privacy Law Specialists

On 10 Aug., 27 IAPP members were named Privacy Law Specialists. The designation carries with it an acknowledgment that a candidate has successfully demonstrated a knowledge of relevant privacy laws, regulation and technology; a commitment to staying ahead of new developments in the field; and substantial time devoted to practicing law related to safeguarding personal information. In this article for The Privacy Advisor, Molly Hulefeld talks to some members of the inaugural class on why the distinction is important to them.
Full Story

Sponsored Content

Are you ready for “Operational GDPR”? We are!

Your GDPR remediation effort has been a success. Now it’s time to focus on operational compliance. What will your customers see and experience? Whether your legal basis is consent or legitimate interest, as personal data is collected from customers, GDPR mandates that data subjects be provided with transparent dialogue offering clear and plain language notice, simple SAR and RTBF rights presentation, and granular logging and reporting of activity and consent. ConsentCheq is solely focused on GDPR operational compliance, elegantly handling your enterprise’s complex day-to-day data subject touchpoint activity. PrivacyCheq delivers consent management solutions for enterprise, SME, retail, hospitality and IoT, across website and mobile platforms.

Schedule a Live Demonstration Today


IAB submits Privacy Shield feedback

The Interactive Advertising Bureau has fulfilled a request from the European Commission by sending feedback on the implementation and operation of the EU-U.S. Privacy Shield agreement for the digital advertising industry. The IAB's comments will be included in the second annual review of the agreement taking place this October. The group focused on the importance of trans-Atlantic data flows for digital advertisers, the reliance of EU and U.S. companies on a diverse supply chain crossing the borders of both areas, and Privacy Shield's importance for small- and mid-sized businesses. The IAB found 43 percent of its member companies participating in the agreement have fewer than 250 employees.
Full Story


Op-ed: Ad tech misleading EU as ePrivacy Regulation revs back up

In an op-ed for EURACTIV, Johnny Ryan explains how the ad tech industry had misled the European Parliament and Council as debate over the draft ePrivacy Regulation revs back up. Ryan cites a report produced by IAB Europe where the group stated 10.6 billion euros were generated by behavioral advertising products for publishers without noting that most of the sum came from Google and Facebook, which Ryan said “incorrectly inflated the benefit that publishers derive from permitting ad tech companies to surveil their visitors” as the ad tech industry continues to support cookie walls. “The ad tech lobby hopes to exploit the forthcoming ePrivacy Regulation as an opportunity to undo the GDPR’s protections against cookie walls,” Ryan writes.
Full Story


Complaints filed with European regulators against ad tech industry

Browser maker Brave has filed complaints with the Irish Data Protection Commission and the U.K. Information Commissioner's Office for an alleged ongoing data breach that impacts nearly all web users, according to a blog post from Brave Chief Policy Officer Johnny Ryan. The complaints were filed by Ryan, Open Rights Group Executive Director Jim Killock and University College London's Michael Veale. Ryan said, “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply.” He added that the complaints “should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR.”
Full Story


Vendor's recharged solution aims to help email marketing compliance

As privacy regulations continue to emerge around the world, privacy technology solutions have been sprouting up in response to help organizations tackle a variety of compliance requirements. One vendor, however, has made it its mission to offer a tool for a department it claims has not seen much love from privacy tech: email marketing. Munvo has released a revamped version of its campaignQA solution to fill the need, allowing companies to create rules for marketing campaigns to ensure they are not violating laws, such as the EU General Data Protection Regulation or Canada’s Anti-Spam Legislation. IAPP Associate Editor Ryan Chiavetta, CIPP/US, spoke with Munvo Software Development Manager Brad Penwarden about the creation of campaignQA and why email marketing compliance tools had yet to make the big time.
Full Story


Venture capitalists increasingly investing in privacy tech

The Information reports on increased investment by venture capitalists into consumer-facing and enterprisewide privacy-technology solutions. In 2017, venture capitalists invested more than $497 million in privacy-related startups, which, according to the report, more than triples the amount invested five years ago. Through the first three quarters of 2018, venture capital firms have invested more than $506 million. Bain Capital Ventures Managing Director Enrique Salem said, with privacy laws proliferating and increased privacy awareness, "I think those things coming together, plus the amount of data that everyone is using every day, makes it an area ripe for investment." BigID Chief Executive Officer Dimitri Sirota said investors are "paying attention," adding, "I would even say it is feverish." (Registration may be required to access this story.) Editor's Note: The IAPP Privacy Tech Vendor Report lists more than 150 vendors in the space.
Full Story


How companies are implementing blockchain to address business concerns

CNBC reports on a growing trend of incorporating blockchain technology and cryptocurrency to address demonetization, data privacy and fraudulent activity in companies’ business models. The article cites Current Media, which entered the cryptospace to address pay efficiency, and Verasity, which uses blockchain to filter fake news content, as companies embracing technology to address business concerns. "Blockchain is going to change the world, if you have connectivity," John Lyotier, chief executive officer of blockchain-connecting company RightMesh, said. "Without blockchain technology and communication, cryptocurrency wouldn't reach its potential."
Full Story


Research shows apps share location data without user knowledge

Ars Technica reports on how some iOS and Android apps broadcast precise location data with developers and, in some cases, share the information via unencrypted formats. Recent research released by Sudo Security’s Guardian mobile firewall team supported this finding, highlighting 24 apps in a random sampling of the App Store’s top free offerings shared location data with firms without users’ knowledge. The article states that while GPS-based location services can be easily managed on iOS devices, other methods for collecting geolocation are less obvious.
Full Story


Examining ethical concerns with sharing financial data to combat crimes

A panel at the International Symposium on Economic Crime at Cambridge University discussed the ethical concerns surrounding banks, regulators and law enforcement agencies sharing information to deter crimes, The Wall Street Journal reports. Data-sharing agreements have popped up in countries all over the world, including the U.K., U.S., Singapore, Australia, Hong Kong and the Netherlands, in order to stop money laundering and terrorism financing. “Do we really want vast amounts of data in the financial system to be accessible to law enforcement investigators? Is there public consent for this development in intelligence gathering capability? How robust are the accountability and governance processes?” Head of the Future Financial Intelligence Sharing Program Nick Maxwell said. (Registration may be required to access this story.) 
Full Story


App looks to set standard for virtual credit card numbers

Capital One Senior Vice President Tom Poole has seen as consumers become more comfortable with e-commerce, a parallel increase in payment card fraud has also emerged. In order to combat fraud, Capital One has developed Eno, an app its customers can use to conduct online transactions using virtual credit card numbers in order to ensure their main accounts are not impacted should an online retailer suffer a data breach. Poole spoke with IAPP Associate Editor Ryan Chiavetta, CIPP/US, on the development of the app, the decision to eschew "burner cards," and the ways Eno could be useful for larger corporations.
Full Story


Op-ed: Using surveillance to ID criminals is flawed

In an op-ed for Bloomberg, Leonid Bershidsky explains why the use of surveillance cameras to identify a pair of Russian military intelligence agents who attempted to assassinate former Col. Sergei Skripal highlights flaws when using the technology to identify culprits. While the U.K. was eventually able to identify the suspects, the process took months as law enforcement agencies pored over massive amounts of footage. “If everyone is tracked, no one is, so the cameras can only perform their function so late after the fact that even those criminals who are identified are less likely to be apprehended,” Bershidsky writes.
Full Story


Apple to build online portal for law enforcement data requests

In a letter to Sen. Sheldon Whitehouse, D-R.I., Apple announced it is developing an online portal that will allow law enforcement officials to submit and track requests for data and obtain responses from Apple, CNET reports. The company said the portal is expected to be live by the end of 2018 and will allow enforcement agents to apply for “authentication credentials.” In the letter, Apple said it was eager to adopt recommendations made by the Center for Strategic and International Studies report related to cybersecurity and the “digital evidence needs” of enforcement agencies. Apple regularly produces transparency reports, detailing requests for data from law enforcement, as well as private organizations.
Full Story


Facial-recognition technology gaining greater foothold in consumer tech

While Apple’s Face ID launched facial-recognition technology into the homes of many, Wired reports on how the technology has gained an even greater footing in consumer tech and explores the convenience and consequences associated with it. "Facial recognition is a tool, and it can be used in a variety of different ways," Clare Garvie, a privacy lawyer with Georgetown Law’s Center on Privacy & Technology, said. "We can be comfortable with some uses of the tool — like, to help us unlock our phones. That doesn’t mean we should be comfortable with all uses, like surveillance by law enforcement." Recently, Microsoft President Brad Smith called for greater regulation of the technology and said, "If we move too fast with facial recognition, we may find that people’s fundamental rights are being broken." (Registration may be required to access this story.)
Full Story


New iPhones replace TouchID with FaceID

At its annual marketing event in Cupertino, California, Apple revealed the company’s new iPhones will no longer feature TouchID, Motherboard reports. Phil Schiller introduced TouchID as a replacement for the “cumbersome passcode,” noting “half of smartphone users” did not set up a passcode. The new iPhone XS, XS Max, and XR, all released at the annual event, only use FaceID, Apple's facial-recognition technology, and are unlocked by swiping up.
Full Story


New product offers conversational AI platform

VentureBeat reports on how Artificial Solutions' Teneo product enables customers without coding knowledge to build multichannel, conversational artificial-intelligence solutions customized to their particular needs and preferences. To date, the company has raised more than $18.7 million in funding, and the most recent release, Teneo 5, reportedly offers increased data reporting, analysis and anonymization features. Artificial Solutions Chief Marketing and Strategy Officer Andy Peart said, “With Teneo, these organizations can implement advanced conversational AI applications across all platforms, devices, and operating systems, and benefit from extensive data analysis without contravening regulations such as the GDPR.”
Full Story

All Current Job Listings


Suivez la formation au RGPD en français ce mois de septembre. Notre cours de 4 jours à Paris recouvre la formation sur la protection des données européennes et la gestion de programme de protection de la vie privée de l’IAPP.
Formation au RGPD en 4 jours
Paris, 24-27 septembre


What does it mean to practice data privacy law in the GDPR era? Hear legal experts unravel that question at the Privacy and Data Protection Law Forum, new to the IAPP Europe Data Protection Congress 2018. Hear from a distinguished panel of experts at this information-packed, half-day event 27 Nov.
Privacy and Data Protection Law Forum
27 November | Brussels

Learn More | Register

Upcoming Events

18-19 September
IAPP Data Protection Intensive: Deutschland 2018
Munich, Germany

18-19 October
Privacy. Security. Risk. 2018
Austin, TX, U.S.

28-29 November
IAPP Europe Data Protection Congress 2018

Copyright© 2000–2021 International Association of Privacy Professionals.
The views in this eNewsletter, if any, are those of the authors and are not necessarily those of the IAPP.

75 Rochester Ave., Suite 4, Portsmouth, NH 03801 USA +1 603.427.9200

This email was sent by: INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS, 75 Rochester Ave., Portsmouth, NH 03801 USA +1.800.266.6501. This email was sent to you at You received this email because you are a member of International Association of Privacy Professionals (IAPP) or you provided your email address to us. We respect your right to privacy; view our privacy statement.

Manage Email Subscriptions


You cannot unsubscribe from IAPP listserv emails via this link. To unsubscribe from the IAPP Privacy List or IAPP Women Leading Privacy List, please use the unsubscribe links at the bottom of those emails.