Quickly create and manage a privacy compliance program.
Create & Manage Your Privacy Program
Whether your business deals directly with consumers or provides a service to other organizations, privacy laws continue to be passed and to evolve, making compliance an ongoing struggle. Tyndl can help!
Many businesses do not fully understand the scope of what being truly compliant entails.
Tyndl is a new approach to handling the proliferation of privacy laws. It allows you to manage the individual parts and, more importantly, the very core of your privacy program in a more comprehensive and cohesive way.
Most organizations, law firms, consultants, and software templates handle privacy laws one by one. Each added law adds to the complexity an organization faces in managing its privacy program. Policies, procedures, agreements, notices, responses, and more become clouded as to exactly how to handle them and what processes need to be done.
For a fraction of the price of other solutions, Tyndl combines the thoroughness of a law firm with the speed, agility, and simplicity of an online application to help create and manage a comprehensive privacy program. Companies of any size can easily handle the many facets of their consumer privacy program from a single-source solution.
- Handles privacy laws cohesively from a single application allowing an organization to easily create and dynamically manage a powerful comprehensive privacy program.
- Saves organizations countless hours while spending 1/10th the money compared to other alternatives available.
- Allows an organization to use best practice strategies to create a single set of comprehensive privacy policies and procedures minimizing the errors, time, and confusion of what needs to be done.
- Makes data mapping quicker and easier. Questions of the data map sections can be assigned by the organization’s point person to the relevant departments for completion. Reports track progress and notify once the section is complete.
- Enables those assigned to handle privacy compliance to work more effectively individually and collectively.
- Updates electronic documents automatically as laws evolve so an organization’s documents are ever current.
- Adds new laws to an organization’s privacy program in a snap! Once an organization’s information is in Tyndl, new law documentation can be generated with little to no new input from the organization.
- Creates reports allowing an organization to see, manage, and track progress towards compliance.
- Supports an organization’s efforts with financial incentive programs, opt-out management, guardian management, and business interest assessments.
- Supports an organization’s efforts with data protection risk assessments, data impact assessments, and data event reporting.
- Makes periodic reviews of an organization’s privacy program quick and easy creating an audit log documenting the review.
- Simplifies and tracks an organization’s compliance efforts for both current and future privacy program projects.
- Provides access to privacy attorneys to answer questions and review your finished work.
Tyndl is the way to create a better unified comprehensive privacy program that handles the many privacy laws more simply than any other method.
“At Spiff, I needed an almost-turnkey solution. I had international customers ready to buy, but we needed to be compliant.
“Tyndl easily saved tens of thousands of dollars and took 1/10th the time.”
Spiff, Director of Information Security
Mapping Your Privacy Data
Data mapping is the first and arguably the most important step in privacy compliance. Aside from being required, it provides the foundation for many of the other compliance steps.
Through a series of automated questions, Tyndl maps the personal data in your business.
Privacy data mapping is not a visual “map” like a network diagram, or even a data flow map of privacy data flowing through your systems. Data mapping for privacy compliance refers to the process of documenting all of the personal information an organization handles, processes, stores, or shares. Any time there are changes to the way you do business, your data map needs to be updated.
Data mapping and documentation must be reviewed and updated regularly, and must include the following:
- Identify all personal data that in any way touches or passes through the organization
  - Identified data must be categorized by type (such as “Personal Identifiers”), and for some laws, such as the CCPA/CPRA, the specific pieces of data must also be identified (such as “name, address, email address, and phone number”).
  - Certain types of data are considered to pose a ‘higher risk’ to consumers and will require additional disclosures and processes for your organization.
- Specify the “Business Purposes” or “Legal Basis of Processing” for each piece of data
  - These “purposes” for handling personal data must come from a set list of options defined in laws such as the CCPA/CPRA or the GDPR.
  - The specified purposes determine what disclosures must be made and how your organization must handle the data.
  - Under some laws it is not lawful to process personal data unless the reason for doing so is one of these listed reasons. Other laws allow reasons beyond those on the list, but those reasons require other specific disclosures and processes.
- Specify the “Commercial Purpose” for handling each piece of data
  - In the CCPA/CPRA, Commercial Purposes are reasons for handling personal data that are not contained in the pre-defined list of Business Purposes mentioned above.
- Identify the source of each piece of data
  - For example, did the data come from the user/customer, a third-party business partner, an acquired list, or an advertising service?
- Identify where the data is processed and/or stored
  - For example, is it processed or stored on paper, on a computer system at your office, or in a cloud-based application?
  - For the European Union, you must also specify where the data travels geographically. If personal data travels outside of the country where the person lives, specific contract clauses, disclosures, and processes are required.
- Identify any third parties or processors with whom each data element is shared
  - This can include your web hosting company or providers of online business services such as HR, sales, marketing, accounting, payment processing, or shipping and fulfillment.
  - It can also include businesses that provide portions of the service your customers pay for, or other third parties with whom you share or sell data.
  - Third parties are identified by category (such as “web hosting service provider”) as well as by specific company name (such as “Amazon Web Services”).
- Define your data retention policy for each data element
Creating and maintaining an accurate data map is made easier with Tyndl!
Privacy laws require that you obtain and maintain an up-to-date Data Processing Agreement (DPA) with each third party, meaning every business from which you receive or with which you share personal information.
Tyndl creates the appropriate DPA for each third party.
Once the data mapping process has identified all third parties with which you receive or share data, you are required to maintain up-to-date DPAs with each of them. Appropriate contract language is required for each law. Tyndl allows you to create, manage, and track the status of each third party’s Data Processing Agreement, with appropriate language as laws change. At a glance you’ll know the status of all your agreements.
While each law requires different contractual elements to be included, below is an overview of the common elements applicable to all current laws:
- Identify the name and address of each third party, including the name and contact information of each organization’s privacy point of contact.
- Specify what data is transferred and what the receiving party will do with that data.
  - This is documented in the data mapping done previously, which includes your purposes for handling the data and the purpose for which you send it to a third party, or why you receive it from a third party.
- Specify the flow of personal data (from their organization to yours, from your organization to theirs, or both).
- Define which party is the “controller” of the data and which is the “processor”.
  - These definitions determine the role and responsibility of each party.
  - For example, they define which organization is responsible for receiving and responding to consumer requests, and which will simply act upon those requests as it receives them from the other party.
- Include clauses that limit the receiving party’s use of the data to only those uses defined.
- Include clauses that require the receiving party to comply with the same privacy laws that your organization is following, including how they handle and protect the data and respond to consumer requests.
- (GDPR) If data will leave the country where the person resides, DPAs must include the current Standard Contractual Clauses (SCCs) required by the European Commission and specify all countries where the data could potentially travel.
  - The European Commission issued new SCCs in July 2021 that replace the three sets of SCCs adopted under the previous Data Protection Directive 95/46. Since September 27, 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs. Existing contracts that include the previous sets of SCCs must be updated by December 27, 2022.
Tyndl manages your ongoing third-party relationships so you know exactly what, if anything, needs to be done.
Disclosure and Document Creation and Management
Requirements within each privacy law are extensive and require that documentation be written, kept current, and specific to each law. Some documents are simple while others are lengthy and complex.
In all probability, the first thing you will be asked for by regulators, business partners, investigating attorneys, or customers is your privacy program documentation. You had better have it right!
Privacy laws require that organizations document their privacy program including their disclosures, policies and procedures, consumer requests, employee training, and all other required processes. Some documents are simple while others are extensive and complex. Some documents are required in every case, while some are contingent on their applicability or specific events. Each law has unique elements which require documentation be tailored specifically to that law.
Perhaps the biggest issue organizations face is the dynamic nature of privacy law documents and disclosures. It is a difficult proposition to keep up with the proliferation of new privacy laws, but when coupled with changes and updates to existing laws, the task soon becomes more than a small team can handle.
Because Tyndl stores documents electronically, it automatically updates privacy documents with little to no input from the organization. An organization prints its documents only when it needs a hard copy, so the documents stay current.
To provide some understanding, the following is a list of the documentation Tyndl provides for the CCPA/CPRA and GDPR. While some documents have the same names, the content has important differences.
- CCPA/CPRA Policies
Outlines your organization’s CCPA/CPRA policies, including the policies to respect and protect the privacy and Personal Data of its employees, suppliers, customers, business partners, clients, and their respective end customers. The CCPA/CPRA Policies document also defines all entities covered in the privacy program such as a parent company, related affiliates/subsidiaries, and third parties who process Personal Data on behalf of those entities.
- CCPA/CPRA Procedures
Details the steps your organization will take to comply with the CCPA/CPRA Policies. The documents listed below are all referenced in the CCPA/CPRA Procedures as specific documentation that will be used and maintained to manage ongoing compliance according to the processes and procedures defined in this document.
- Privacy Notice/Disclosure
This is the form your organization must post to your public website to notify California residents about their rights and how you will handle their information.
- Privacy Field Manual for Consumer Requests
This document provides an overview of CCPA/CPRA requirements for employees who handle consumer data. It contains required information on consumers’ rights, how the organization handles consumer requests, and the contact details for the organization’s privacy point of contact for handling consumers’ requests.
- Data Processing Agreement for Third Parties Handling Your Data
Sample language to include in your existing agreements, or to create standalone CCPA/CPRA agreements, for when a third party handles consumer data on your behalf.
- Data Processing Agreement for Handling Data for Third Parties
Sample language to include in your existing agreements, or to create standalone CCPA/CPRA agreements, for when your organization handles consumer information for other organizations.
- Record of Consumers’ Requests
All requests must be documented, including when the request was received, when it was responded to, and the outcome of the request.
- Initial Response to Consumer Requests
Provide a required acknowledgment and initial response to consumers within 10 days that their request has been received, and that you will respond within 45 days of their request.
- Response to Requests to Know
Response to requests from consumers to access their information.
- Inability to Verify Identity Form
Notify consumers that their identity cannot be verified to complete their request, and the steps they can take.
- Complexity Analysis Form
Used to document the organization’s assessment of whether a consumer request is “complex” and therefore qualifies for an extension of the 45-day response period to the maximum of 90 days.
- Notice for Extension of Time to Respond to Consumer Request
This form is used to notify consumers that the organization will be extending the response time for the consumer’s request to 90 days.
- Parent Attestation Form
This form helps organizations gather an attestation that an individual is a parent or legal guardian for a minor in California.
- Representative Election Form
This form formalizes the process for consumers to designate a representative to make privacy decisions on their behalf.
- Notice of Change of Purpose
If needed, this is used to notify consumers that you are using their personal data in a way that differs from what you originally disclosed to them, and gives them the option to opt-out.
- Notice of Financial Incentive
This gives specific notification about any “Financial Incentive” program you use related to the collection, retention, or sale of consumers’ personal information. It must include specific elements such as the financial calculations you used to determine the value your organization receives from consumers’ personal information, the value that your customers gain from your program, and how those two values are reasonably aligned.
- Appeal Letter
Explains the process for consumers to appeal an organization’s privacy decisions.
- Deletion Request Form to Third Parties
This form is used by the organization to notify third parties that process information on your behalf that a consumer has requested the deletion of their information.
- Deletion Attestation Form
Notice to a consumer that you have deleted their information per their request. This notice also tells consumers if certain information will not or cannot be deleted, why that is the case, and when that information will be deleted.
- Deletion Denial Form
Notify a consumer that their request for deletion cannot be met by the organization, the reasons why, and that they can file an appeal.
- Response to Requests Regarding the Sale, Sharing, or Disclosure of Information
Reply to a consumer’s request for information on what data the organization has sold, shared, or disclosed and to what categories of third parties, and the consumer’s rights regarding that information and its sale or disclosure. This response must include data going back 12 months from the date of their request.
- Consumer Expectation Alignment Form
Internal document that details the process the organization used to determine that its use of consumers’ personal data is justified, and that the organization considered the benefits and risks to consumers for collecting their personal data.
- Opt-In Form
Used by consumers to give consent for the organization to sell their personal information to third parties. The form also outlines the consumer’s rights with regard to that information and gives direction on how the consumer may exercise their rights.
- Opt-In Notice for Minors
This is a form for parents or guardians to give consent to the organization to sell a minor’s information to third parties. The form also outlines the minor’s rights with regard to that information and gives direction on how to exercise those rights.
- Right to Opt-Out Form
This document is provided to consumers to notify them of their rights with regard to their personal information, including the right to opt-out of having their information sold to or shared with third parties. The document gives direction on how to opt-out or withdraw consent.
- Opt-Out Notification Completion
Notification to the consumer that the Opt-Out request has been completed.
Tyndl lets you create and store your privacy documentation for each law and updates it automatically.
Consumer Requests (or Data Subject Requests) are perhaps the most well-known aspect of privacy compliance with a lot of attention on automated tools to delete information.
What many people do not know is that in addition to providing or deleting information, organizations must maintain accurate dated records of each request, initial response, formal response, and time extension with its related justification. Tyndl works in tandem with the tools you may already have.
When people are asked what they believe the main requirements are for privacy law compliance, one of the most common answers is requests for information and requests for deletion.
Many organizations focus on automated tools to provide responses to these requests. While most focus on these two types of requests, it is important to realize there are actually several other types of requests. Companies must respond to, track, and document ALL of them.
It is also important to understand there are two aspects to handling Consumer Requests:
- Keeping dated records of each request by type, your initial response, your formal response, and any time extensions and related justifications.
- Carrying out the request by gathering data and reporting it, or deleting it.
Some important details about requests:
- CCPA – Consumer Requests – 45 days; 90 days if the request is complex, and an explanation must be given.
- GDPR – Data Subject Requests – 30 days; 90 days if the request is complex. The organization must go through a series of questions and answers that justify the decision. This is a self-administered process, but it must be documented, with the Data Subject being notified of the decision and given a new date to expect a response.
As a side note on this subject: too often, we talk to organizations that have implemented a tool to automatically respond to information and deletion requests and, unfortunately, thought (or were even told) that they were done with privacy compliance.
We hope that, since you are reading this, if there is one thing you have learned it is that privacy compliance is not that simple. If anyone tells you that if you buy their tool or solution “you can be compliant in 10 minutes”, we hope you will have a lot of questions. We have also found that, at this point in time, very few organizations have sufficiently high volumes of those types of requests to justify implementing an automated system.
Tyndl helps you manage requests by creating the documentation and the legal trail needed for each step taken.
Consumer Privacy Law Information
Understanding the intricacies of the different privacy laws goes a long way toward your ability to create comprehensive policies and procedures. Whether you need to compare one law versus another law’s general overview, or dive into the details, Tyndl’s knowledge base can help you find what you need.
Comprehensive Privacy Program Management
In addition to the four areas of a privacy program we’ve already covered, a complete and comprehensive program must include many other areas. These include data protection risk assessments, data protection impact assessments, business interest analysis, employee training, data event reporting, and more.
There are several well-known elements to privacy law compliance. Tools abound to help with things like data requests and deletions. Some organizations believe that if they handle the very visible items, they are compliant, or will at least be OK if there should be a problem. However, this is not the case, and there are important, less discussed elements crucial to having a solid privacy program.
Tyndl helps organizations manage their entire privacy program including the less known parts. Here are just a few of the things Tyndl manages.
Data Protection Impact Assessments – also called Data Protection Assessments or Risk Assessments – are required by various laws, and unfortunately are all a bit different. However, the general ideas are the same. A Data Protection Assessment is a documented process of assessing the benefits and risks to consumers (or data subjects) of your organization’s use of their personal information, and is generally required when it is likely that the risk to the consumers is high. However, even if the risks are low, it is usually appropriate to document that by doing an assessment. Also, it is important to know that some laws define “high risk” as processing any “sensitive data”, processing personal data for purposes of targeted advertising, or the sale of personal data. So even though Data Protection Impact Assessments are sometimes not considered important, they are needed for most organizations, even if only to document annually that one is not needed.
Business Interest Analysis – also called a Consumer Expectation Alignment or Analysis of Legitimate Business Purpose – is the process of identifying and documenting the business reasons your organization uses, stores, or transmits personal information. A portion of that analysis is as straightforward as it sounds: you document the reasons you collect personal information. But, as you might expect, it is actually a bit more complicated than that. The same personal data is usually collected or used for very different reasons in different areas of your organization (for example, in Sales versus for a product or service, or for your employees). In addition, different laws sometimes define their own list of reasons that you must choose from, and they are very different. So, your documentation must accommodate, or at least be able to be tailored to, different laws. Lastly, you need to include an analysis of the reasons you might share personal information with any service providers or third parties (for example: AWS, Salesforce, and QuickBooks, as well as any number of other partners or service providers). If that wasn’t enough, all of this documentation needs to be done by data category, meaning that answers must be given for each category of personal data, such as Personal Identifiers (like name or email address), Education Information, Professional Information, Geolocation Data, etc.
Employee Training – Most privacy laws require that your organization train its employees who handle personal data, and that means you need to document your training, and document who attended.
Financial Incentive Program Analysis and Notice to Consumers – The CCPA/CPRA requires organizations to document an analysis of any Financial Incentive Program that involves the collection or use of consumers’ personal information as an element of the program. To be clear, this does not usually mean products or services provided by your organization that require or use personal information. This is specifically asking about programs, benefits, offerings, or payments to consumers that are related to the collection, retention, or sale of their personal information, such as loyalty programs, marketing offers, or other programs that offer discounts or benefits in exchange for the customer providing personal information. As just mentioned, while products or services are generally not considered Financial Incentive Programs, there are times when they may be. The deciding factor is whether there is a difference in price, value, or quality based in whole or in part on the customer providing their personal information. If your organization has a Financial Incentive Program, you need to document an analysis of the value the program provides to your organization and the value it provides to the consumer, and then demonstrate that those two are balanced. So, this is both a written explanation and a mathematical analysis. Finally, the results of the analysis must be provided to consumers before their information is collected, and they must be able to opt out at any time after the fact.
Tyndl allows organizations of any size to cohesively manage all areas of their privacy program from a single application.
Why Should You Use Tyndl?
How It Works
Tyndl’s intelligent Privacy Platform works much like tax filing software but for privacy law.
- Tyndl walks you through a series of specifically designed questions
- This information is used to create an overarching privacy program with data map, customized policies, procedures, and all other documentation needed to manage a robust comprehensive privacy program
- Included is access to a privacy attorney to answer your questions, assist you toward compliance, and review the completed program
- Your documents are stored electronically and updated automatically. You print your documents on-demand when you need them
- Tools and reports help you manage your privacy program during creation, implementation, and far into the future
Founded in 2020 and located in the Silicon Slopes area of Utah, our incredible team of engineers, programmers, legal consultants, and marketers has worked tirelessly to bring Tyndl to the forefront of privacy.
The concept started as a desire to create affordable access to legal services for companies of all sizes. The result was a breakthrough in technology and professional services which empower in-house counsel and privacy teams to effectively create and manage their corporate privacy program with simplicity and ease.
Today Tyndl is becoming recognized as one of the leaders in the privacy legal tech space. Tyndl helps companies of all sizes create and manage comprehensive privacy programs.
Jessica Rivest Awerkamp