Photo of Sheila A. MillarPhoto of Tracy P. MarshallPhoto of Anushka N. Rahman

With millions of Internet of Things (IoT) devices from phones to smart home censors flooding the market every year, effective cybersecurity to help mitigate risks to devices is vital. New guidance from The National Institute of Standards and Technology (NIST), IoT Non-Technical Supporting Capability Core Baseline (NISTIR 8259B), is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

The guidance notes that “both device cybersecurity capabilities and non-technical supporting capabilities are vital to customers’ abilities to achieve their needs and goals.” While IoT devices are typically secured through technological capabilities, NISTIR 8259B focuses on the non-technical supporting capabilities that “that manufacturers or third parties take in support of the initial and ongoing security of IoT devices.” The guidance identifies four primary non-technical areas of cybersecurity:

  • Documentation, which ensures that customers and third parties have the information they need to ensure their device and its data are secure;
  • Information and query reception, which helps businesses respond to questions customers and others may have about a device’s security and operation;
  • Information dissemination, which ensures that customers are kept in the loop about any newly discovered security issues or device or related systems updates; and
  • Education and awareness, to assist customers and others in understanding how to secure and protect IoT software, hardware, and systems.

The guidance contains several tables that lay out detailed steps of common actions for organizations to consider taking and encourages organizations to add other non-technical capabilities where needed. NIST also updated its IoT catalog for device technical cybersecurity capabilities and supporting non-technical capabilities.

As IoT devices continue to rise in popularity, it is vital for manufacturers to ensure that their products come designed not only with effective cybersecurity technology but a plan for communicating with customers and third parties, keeping detailed records, and efficient methods for responding to questions. NISTIR 8259B gives organizations a helpful place to start, and this and other NIST guidance on IoT security may be relevant to the ongoing NIST cybersecurity labeling initiative.

 

Photo of Sheila A. MillarPhoto of Anushka N. Rahman

On August 31, 2021, the National Institute of Standards and Technology (NIST) released its draft white paper, DRAFT Baseline Security Criteria for Consumer IoT Devices. The draft white paper is in response to Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” which requires NIST, in collaboration with other agencies, to educate the public on Internet-of-Things (IoT) security. The draft white paper proposes baseline security criteria for consumer IoT products as part of a cybersecurity labeling program and builds on NIST’s Secure Software Development Framework (SSDF) and other NIST documents. NIST is not establishing its own labeling program but instead seeks to identify minimum requirements for programs, which it must do by February 6, 2022.

NIST’s summary sets out the timelines and objectives, along with some general principles. Labeling should:

  • Encourage innovation in manufacturers’ IoT security efforts, leaving room for changes in technologies and the security landscape.
  • Be practical and not be burdensome to manufacturers and distributors.
  • Factor in usability as a key consideration.
  • Build on national and international experience.
  • Allow for diversity of approaches and solutions across industries, verticals, and use cases – so long as they are deemed useful and effective for consumers.

The proposed labeling criteria set out in the draft white paper builds off of NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline and NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline. NISTIR 8259B itself is new guidance released last month, and is intended to help manufacturers identify the non-technical capabilities they need to support device and system cybersecurity controls and to communicate with customers and third parties effectively. NISTIR 8259B is one of four documents recently released by NIST to help manufacturers and federal agencies manage cybersecurity, which include IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213), Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline (NISTIR 8259C), and Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government (NISTIR 8259D).

NIST hosted an informative workshop on the proposed labeling criteria and related issues as previously announced on September 14–15. The workshop featured a variety of stakeholders, including representatives from federal agencies with experience in labeling programs, such as the Environmental Protection Agency (EPA), Federal Trade Commission (FTC) and Consumer Product Safety Commission (CPSC), as well as international experts. The workshop included discussions on how to define a “consumer,” what should be in scope for a labeling program, limits of a labeling program, and achieving global harmonization, among many other topics. Recurring themes included assuring that a cybersecurity label avoids conveying a false sense of security and the need to keep labels simple.

Comments on the draft white paper are due October 17, 2021, and can be submitted to labeling-eo@nist.gov. NIST has already received feedback on important details, which were discussed during the workshop. With the growth of IoT devices, an IoT labeling scheme will likely have significant impact on many industry sectors, so interested stakeholders may wish to consider submitting comments.

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

On September 13, 2021, President Biden nominated Alvaro Bedoya for Commissioner of the Federal Trade Commission (FTC) to replace outgoing FTC Commissioner Rohit Chopra. Earlier this year, President Biden nominated Chopra to head the Consumer Financial Protection Bureau (CFPB). If confirmed, Bedoya would round out the slate of FTC commissioners and solidify the agency’s Democratic majority.

Bedoya is the founding director of the Center on Privacy and Technology at Georgetown University Law Center, where he is a visiting professor of law. He has a background in privacy law and policy, with a special interest in facial recognition technology. Bedoya’s work on facial recognition technology led the National Institute of Standards and Technology (NIST) to conduct the first comprehensive bias audit of face recognition algorithms and paved the way for a federal law that requires bias testing in airport face recognition systems, Section 1919 of the FAA Reauthorization Act of 2018. Previously, Bedoya served as the first chief counsel to the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.

Naming a nominee with a strong background in privacy to serve on the FTC is consistent with the Administration’s support for strengthening privacy and cybersecurity. This commitment is reflected in the Build Back Better Act, which earmarks $1 billion to create a new privacy bureau within the FTC dedicated to stopping unfair and deceptive acts and practices related to privacy violations, data security incidents, identity theft, and other data abuses.

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

As the Labor Day weekend approaches, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning U.S. entities to remain alert and protect against the rising incidence of ransomware attacks over holidays and weekends. A joint cybersecurity advisory issued on August 31, 2021 reviews recent ransomware attacks that occurred over holiday weekends, describes some of the tactics, techniques, and procedures commonly used by ransomware attackers, and offers some best practices and mitigation strategies for entities that experience a ransomware or other data security incident. As ransomware and other types of cyberattacks become more frequent and sophisticated, and as U.S. and international data security and breach notification laws and reporting requirements become more stringent, it is important for all organizations to implement security programs and incident response plans, continuously assess their programs and plans, and monitor for threats.

According to the advisory, criminal cyberattacks have escalated dramatically in the last year. The number of ransomware attacks in particular increased by 20% including a 225% increase in ransom demands. And these numbers are continuing to rise. Most frequently, ransomware attackers use phishing or brute force on unsecured remote desktop protocol (RDP) endpoints to gain network access. Other common techniques identified in the advisory include precursor or dropper malware, exploitation of software or operating system vulnerabilities, exploitation of service providers with access to networks, and use of stolen credentials.

When cybercriminals infiltrate networks and databases, they often gain unauthorized access to personal information, including sensitive personal information like Social Security numbers, banking or credit card account information, and health information. Responding to ransomware and other attacks necessarily triggers a company’s data breach response plan.

Responding to any data breach, whether or not it is associated with a ransomware demand, requires good planning so that the organization is positioned to understand and comply with the myriad federal, state, and international notification and reporting requirements. For example, companies that are publicly traded must identify material risks to the business in their periodic reports to the U.S. Securities and Exchange Commission, and the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act impose notification and reporting requirements that may apply depending on the types of information compromised. In addition, many states have adopted a data security law, and all 50 states have enacted a data breach notification law (for an overview of U.S. data breach notification laws, click here).

Minimize Risk

The joint cybersecurity advisory offers the following guidance to minimize attacks:

  • Establish a baseline understanding of the network architecture and routine activity;
  • Review data logs to compare standard performance to suspicious or anomalous activity;
  • Watch out for unusual inbound and outbound network traffic, compromised administrator privileges or escalation of permissions on an account, theft of login and password credentials, a substantial increase in database read volume, geographical irregularities in access and login patterns, attempted user activity during anomalous logon times, and attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and baseline deviations in the type of outbound encrypted traffic;
  • Use intrusion prevention systems and automated security alerting systems;
  • Employ honeytokens to track data outside the network; and
  • Use cyber hygiene services.

Mitigation

The FBI and CISA also advise that organizations implement mitigation strategies to reduce the likelihood of compromise and loss in the event of an attack, such as the following:

  • Continuously and actively monitor for ransomware threats over holidays and weekends, and assign IT security employees who will be “on call” during these times;
  • Make an offline data backup;
  • Advise individuals to not click on suspicious links;
  • Secure and monitor RDP or other potentially risky services;
  • Update the organization’s operating system (OS) and software;
  • Scan for vulnerabilities;
  • Require strong passwords;
  • Use multifactor identification;
  • Secure network(s): implement segmentation, filter traffic, and scan ports;
  • Secure user accounts; and
  • Implement an incident response plan.

In the event of a ransomware attack, the FBI and CISA recommend turning off all networked devices and isolating the infected system from all networks and any other potential networking capabilities.

The pre-Labor Day joint cybersecurity advisory is a timely reminder that because cybercriminals increasingly target organizations over holidays and weekends when staffing may be reduced, it is important that organizations never drop their guard and continue to monitor for and defend against attacks. Ensuring that strong preventative and mitigation strategies are in place will help businesses avoid missteps that make their networks vulnerable to attack. As the saying goes, an ounce of prevention is worth a pound of cure.

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

The Federal Trade Commission (FTC) took the unprecedented step of removing one of the approved Safe Harbor organizations under the Children’s Online Privacy Protection Act (COPPA) for failing to provide effective monitoring and assessment of its member companies’ websites, as required under the COPPA Rule. Earlier this year, Commission staff warned Aristotle International, Inc., whose Safe Harbor program was approved in 2012, that it was concerned about Aristotle’s monitoring practices and was considering withdrawing approval. On June 1, Aristotle informed the FTC that it was leaving the COPPA Safe Harbor program, and on August 4, the FTC announced that it had removed the company from the list.

Pursuant to Section 312.11(a) of the COPPA Rule, industry groups or other persons can apply to the FTC for approval of self-regulatory program guidelines. Approved programs must provide substantially the same or greater protections for children as those outlined in the COPPA Rule. Businesses that fully adhere to an approved COPPA Safe Harbor program will be deemed in compliance with the COPPA Rule for enforcement purposes under § 312.11(g), which provides incentives to businesses to support self-regulatory programs.

The August 4 press release announcing Aristotle’s removal from the COPPA Safe Harbor list included a troubling comment by the FTC’s Bureau of Consumer Protection’s Acting Director, Sam Levine, that may spell changes ahead for Safe Harbor programs: “There is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations.”

While the Acting Director’s statement reflects a concern over conflicts of interest as it pertains to Aristotle, it also appears to question the role, nature, and purpose of self-regulatory programs, as reflected in COPPA and the COPPA Rule. Antipathy towards the notion of industry self-regulation is reflected also in recent proposed legislation introduced by Rep. Castor (D- FL). But self-regulatory advertising and privacy programs, which are commonly funded by the “industry groups” authorized to apply for recognition under COPPA, provide enormous benefits to consumers, businesses, and regulators, as the FTC has recognized for decades.

Businesses play an essential role in the success and effectiveness of self-regulatory programs. Their financial support and input help to ensure that the organizations that serve them meet their respective legal compliance responsibilities. Self-regulatory programs not only help check on a participant’s compliance but also serve as a vehicle for businesses to air practical concerns about compliance burdens, assess implications of technological advancements and consumer interfaces, and put forward innovative ideas that can make compliance easier and less expensive. The Safe Harbor provisions of COPPA and other self-regulatory frameworks are intended to promote flexibility and efficiency by allowing businesses to tailor their compliance programs and to reward participants’ good faith efforts to comply with the law.

As the FTC continues to discuss potential changes to the COPPA Rule in its ongoing review, initiated in 2019, FTC oversight of COPPA Safe Harbor organizations is sure to be discussed. In his statement on a 2020 notice accepting a proposed consent agreement with Miniclip for falsely representing it participated in a COPPA Safe Harbor organization, Commissioner Rohit Chopra suggested a number of possible changes to the Safe Harbor framework. Some of these suggestions are already reflected in the COPPA Rule. For example, the Rule requires that Safe Harbor organizations monitor and assess members’ adherence to COPPA and their own privacy notices and provides for revocation of approval.

If a COPPA Safe Harbor organization fails to adhere to applicable rules, or neglects to exercise proper oversight of its members, it can and should be sanctioned by the FTC as a violation of the Rule. However, the assumption underlying the criticism that industry funding of self-regulatory programs necessarily removes their independence is contradicted by more than twenty years of largely successful COPPA Safe Harbors and has implications for other longstanding privacy and advertising self-regulatory programs and dispute resolution mechanisms. Foreclosing industry-led Safe Harbor organizations from exploring other revenue options or programs, as some have suggested, or forcing public disclosure of all documents and interactions with participants, will undermine the usefulness and value of the Safe Harbor process. Careful thought should be given to how to best assure that COPPA Safe Harbor organizations fully comply with their oversight responsibilities under COPPA while maintaining appropriate incentives to attract business participants and maintain the financial viability and independence of the Safe Harbor organization.

Photo of Sheila A. Millar

The Children’s Advertising Review Unit (CARU), a division of BBB National Programs, recently updated its Self-Regulatory Guidelines for Children’s Advertising. Important updates include:

  • To align with the Children’s Online Privacy Protection Act (COPPA), the Guidelines now apply to national advertising primarily directed to children under the age of 13 instead of under 12, regardless of the medium involved.
  • The Guidelines outline criteria used to assess whether a national ad is primarily directed to children.
  • The Guidelines confirm that placement or integration of a product, service, character, or brand in editorial, educational, entertainment, or other non-commercial content is not within scope unless it constitutes an endorsement.
  • The Guidelines respond to the rise of influencer marketing by incorporating principles of the FTC Guidelines on Endorsements and Testimonials.
  • A new section specifies that in-app and in-game advertising may not use unfair, deceptive, or other manipulative tactics to encourage such purchases, and requires that methods for exiting an ad are “clear and conspicuous.” Games and apps with in-game purchases must make clear that such transactions involve real currency.
  • Reflecting the growing societal focus on diversity and inclusion, another new provision of the Guidelines urges advertisers to refrain from depicting or encouraging negative social stereotyping, prejudice, or discrimination.
  • The privacy section of the previous version of the Guidelines has been removed and published separately.

The new Guidelines take effect January 1, 2022.

Photo of Sheila A. MillarPhoto of Taylor D. JohnsonPhoto of Anushka N. Rahman

The circular economy. Sustainability. Single-use plastics bans. Marine litter. Microplastics. Climate change. These are only some of the issues driving the demand for more “environmentally friendly” products. In recent years, we have seen a surge in product and raw material innovations designed to improve environmental performance, and companies around the world are pledging to take action to reduce their environmental impact. These product developments and business commitments encourage marketers to differentiate their offerings and operations by making claims that highlight environmental enhancements or benefits.

The uptick in environmental marketing claims is generating increased attention from class action lawyers and regulators, and false advertising claims are one of the fastest-growing areas of litigation in the U.S.  Click here, for a more detailed review of some of the federal, state, local and global developments that advertisers should consider when crafting environmental marketing campaigns.

Photo of Sheila A. MillarPhoto of Mike Gentine

After more than five months of silence regarding its choices to lead the U.S. Consumer Product Safety Commission (“CPSC”), the Biden Administration has now unveiled all three of its CPSC nominees in less than two weeks, with its July 13 announcement of President Biden’s intent to nominate Richard Trumka, Jr., currently General Counsel and Staff Director at the House Oversight and Investigations Committee’s Subcommittee on Economic and Consumer Policy.

On July 2, the White House had announced it would nominate Alexander Hoehn-Saric, Chief Counsel for Communications and Consumer Protection with the House Energy & Commerce, to be a CPSC Commissioner and the agency’s chairperson, and Mary Boyle, currently CPSC’s Executive Director as a Commissioner, as well.

As we wrote previously, the Commission currently has one vacant seat with another opening this October with Commissioner Elliot Kaye’s departure after his hold-over year, and a third available Commission slot with the end of Acting Chairperson Bob Adler’s term. We assumed that Hoehn-Saric and Boyle would be slotted for the open seat and Kaye’s; the White House has confirmed that assumption with its formal submission of their nominations to the Senate. That means Trumka would be slotted for Adler’s seat. Assuming the three nominees are confirmed, the Commissioners and their terms would be as follows through the current Biden Administration:

Biden Consumer Product Safety Commission
Commissioner Term Through
Dana Baiocco (R) 2024
Mary Boyle (D) if confirmed 2025
Peter Feldman (R) 2026
Alexander Hoehn-Saric (D, Chair) if confirmed 2027
Richard Trumka, Jr. (D) if confirmed 2028

The Senate Committee on Commerce, Science, and Transportation will need to hold one or more hearings to consider the three nominees. With the Senate’s August recess looming, a hearing in the next three weeks seems unlikely, but is possible. A Committee vote on their nominations would come after a hearing, and a floor vote some time after that. With Kaye slated to depart October 27, and Adler expressing a desire to step down rather than stay for a holdover year, we anticipate action this fall on all three nominees.

Photo of Sheila A. MillarPhoto of Jean-Cyril Walker

Goods advertised as “Made in the USA” (MUSA) are potential money-makers for manufacturers tapping into the market of consumers who seek home-grown products. In recent years, however, the Federal Trade Commission (FTC) has investigated companies that deceptively marketed their goods as American-made, sending out warning letters, closing out investigations of companies that quickly change their advertising, and initiating more forceful enforcement action against advertisers who cannot substantiate MUSA claims. The FTC now has an additional legal basis for these investigations: a new rule that requires business making unqualified MUSA claims on their labels to prove their products are “all or virtually all” sourced and manufactured in America – or potentially pay hefty fines.

The Made in USA Labeling Rule (The Rule) codifies the Commission’s Decisions and Orders and its Enforcement Policy Statement on U.S. Origin Claims. It applies to all labels, whether they appear on product packaging or online, and includes mail order catalogs or mail order promotional materials that include a seal, mark, tag, or stamp declaring goods are “Made in the United States.”

Under the Rule, companies are barred from making unqualified MUSA claims unless they can establish that:

  • Final assembly or processing of the product occurs in the United States;
  • Significant processing that goes into the product occurs in the United States; and
  • All or virtually all ingredients or components of the product are made and sourced in the United States.

The Rule provides an exemption for companies that can show their unqualified MUA claims are not deceptive. This isn’t a new concept. However, it also empowers the FTC to pursue civil penalties of up to $43,280 per violation against companies that make false MUSA claims.

The vote to approve the Final Rule was 3-2. Voting in favor, Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Chair Lina Khan issued a statement praising the action, which is consistent with a 1994 statute codified in 15 U.S.C. § 45(a). The Rule reflects longstanding guidance and legal precedent without imposing new obligations on businesses. The three Commissioners applauded the “broader range of remedies including the ability to seek redress, damages, penalties, and other relief from those who lie about a Made in USA label” authorized by the Rule. Commissioner Christine S. Wilson dissented, saying that the Rule is overbroad and “could be read to cover all advertising, not just labeling.” She argued that the rule thereby exceeds the FTC’s statutory authority. She added: “The Supreme Court’s recent decision in AMG  has eliminated the FTC’s ability to seek equitable monetary relief under Section 13(b) of the FTC Act to compensate consumers. Thus, the temptation to test the limits of our remaining sources of authority is strong.”

In addition to its authority under the Rule, the FTC will continue to pursue deceptive MUSA advertising claims via its authority under Section 5 of the FTC Act.

One thing has been clear across several different administrations: false MUSA claims are a concern to regulators and will continue to garner enforcement attention. Companies that wish to label and/or advertise products as U.S.-made should make sure they understand the Rule as well as advertising basics, and confirm that they can substantiate express or implied MUSA claims on packaging, labeling, and advertising. False claims on labels could trigger civil penalties.

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

On June 4, 2021, the European Commission adopted  a new set of standard contractual clauses (SCCs) governing exchanges of personal data between data controllers and data processors and transfers of personal data from the EU to the U.S. or other countries that are not deemed to ensure adequate protection for personal data. The revised SCCs reflect new requirements for the protection of personal data under the EU General Data Protection Regulation (GDPR) and take account of the July 2020 judgment of the Court of Justice of the European Union (CJEU) in Schrems II that declared the EU-U.S. Privacy Shield framework for data transfers invalid and stipulated stricter requirements for transfers of personal data based on SCCs.

The new SCCs are designed to reflect the growing complexities of cross-border data processing and digital supply chains by offering a more flexible, if more stringent, approach that adds additional scenarios under which personal data is transferred. The new SCCs enter into force on September 28, 2021 for new contracts. There is an 18-month transition period for existing contracts based on previous sets of SCCs. The old SCCs should be replaced by the new version by December 28, 2022.

Key provisions of the new SCCs include:

Types of data transfers

The new SCCs provide different “modules” to address transfers of personal data in four scenarios. As with previous sets of SCCs, the new SCCs cover controller to controller transfers (Module One) and controller to processor transfers (Module Two). For the first time, the European Commission has also addressed processor to controller transfers (Module Three) and processor to processor transfers (Module Four).

Compliance with Schrems II

The CJEU’s decision in Schrems II upheld the validity of SCCs, but the court ruled that organizations must warrant that third countries to which data is exported provide adequate protection for personal data transfers under EU law. Organizations that cannot comply with this requirement must either introduce additional safeguards or cancel transfers.

The new SCCs appear to address this issue by allowing organizations to take a risk-based approach that assesses the state of the art, implementation costs, the nature, scope, context, and purpose(s) of processing, and whether public authorities are likely to access the personal data being transferred. The clauses include notification obligations to the data exporter, and, where possible, the data subject, of a legally binding request from a public authority for personal data. Because the Schrems II decision focused on disclosure of personal data of EU residents to the U.S. government, these clauses may be particularly significant for companies facing demands from a variety of U.S. agencies for such data.

Sensitive Data

Where a transfer involves “sensitive” personal data as defined under EU law (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences) the data importer must apply special restrictions or adopt safeguards appropriate to the specific risk involved, such as restricting who can access personal data, adopting added security measures (such as pseudonymization), or other measures.

Onward transfers

Onward transfers to additional recipients in third countries are allowed only if:

  • The onward transfer is to a country with adequate safeguards in place for the protection of personal data or the third party otherwise ensures appropriate safeguards; or
  • The onward transfer is necessary for the establishment, exercise, or defense of legal claims in administrative, regulatory, or judicial proceedings or is necessary to protect the vital interests of the data subject or of another natural person.

“Docking clause”

More than two parties can now sign onto to a single contract pertaining to data transfers at any time during its term.

Recordkeeping

Data importers are required to document their processing activities and inform data exporters if they become unable to comply with the SCCs. Data exporters must document that they used reasonable efforts to ensure that data importers are able to comply with the new contractual clauses.

***

Global businesses as well as policymakers have a strong interest in making certain that personal data can be freely transferred and that the data is appropriately protected. The European Commission’s decision should help ensure that SCCs remain a tool for businesses to meet their GDPR obligations in today’s complex world.