Privacy updates V1.10

This section lists the regulators and features that were updated in the Privacy solution.

We always appreciate feedback on current legislation and guidance whether it appears in our product or not. Contact your Customer Relationship Manager if you have any questions about these updates or suggestions for future updates. You can also use the IBM SOAR Community to see how your peers are using the Privacy solution to simplify the complex world of information security.

Abu Dhabi Global Market Place
Updated this Regulator to incorporate the Data Protection Regulation of 2021. Specifically, removed/disabled the Regulator “Abu Dhabi Global Market (Organizations established before Feb 14, 2021)”, changed the Regulator name from “Abu Dhabi Global Market (Organization established on or after Feb 14, 2021)” to “Abu Dhabi Global Market”, removed “(Organization established after Feb 14, 2021)” from the title of the Resource Library, and updated the Tool Tip text.

Europe
Added the new EDPB guidelines “The European Data Protection Board Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, Adopted on 14 December 2021, Version 2.0” to the Resource Library of jurisdictions subject to GDPR, including the following: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.

U.S. FDIC
Updated the link to “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” in the Resource Library.

U.S. Federal Reserve
Updated the link to “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” in the Resource Library.

U.S. FINRA
Updated the language in the “Notify FINRA” task based on the current version of the “Firm Checklist for Compromised Account” available on the FINRA website.

U.S. GLB Act
Updated the links to “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” for financial institutions regulated by the FDIC and the Federal Reserve respectively in the Resource Library.

Europe
Updated the link to “Guidelines” on identifying Lead Supervising Authorities when selecting Regulators in Europe.

Kenya
Updated the Regulator consistent with the Data Protection (General) Regulation, 2021. Specifically, added the establishment of the Data Protection Commissioner’s Office and added data types to the “Notify the Data Subjects (Kenya)” and “Notify the Commissioner (Kenya)” tasks to reflect Section 35(1) of the Regulation.

Rwanda
Added the regulator to the Privacy Solution.
  • Rwanda Law no 058/2021 Relating to the Protection of Personal Data and Privacy
  • Region: Africa
  • Requirements and Timing: The Rwanda Law establishes rules relating to the protection of natural persons with regard to the processing of personal data. In the case of a personal data breach, the data controller must notify the Rwanda Data Protection Authority not later than 72 hours after having become aware of a breach and notify affected individuals as soon as practicable.
The new regulator includes the following tasks:
  • “Notify the Authority (Rwanda)”
  • “Notify the Affected Individual (Rwanda)”

United Kingdom
Updated the language to reflect the European Union Exit Regulation, 2019. Specifically, amended the language in all notification tasks to adhere to the United Kingdom GDPR.

Zimbabwe
Added the regulator to the Privacy Solution.
  • Zimbabwe Data Protection Act, No. 5/2021
  • Region: Africa
  • Requirements and Timing: The Zimbabwe Data Protection Act establishes rules relating to the protection of natural persons with regard to the processing of personal data. In the case of a personal data breach, the data controller must notify the Zimbabwe Data Protection Authority not later than 24 hours after having become aware of the breach.
The new regulator includes the following task:
  • “Notify the Authority (Zimbabwe)”

Japan
Updated the regulator to reflect the amended version of the Japan Act on Protection of Personal Information (APPI), effective April 1, 2022. Specifically, updated the Resource Library and the links to the amendment in the “tool tip”. Additionally, added the data types “Social Status” and “Fact of Being a Crime Victim” to trigger notification tasks based on the current amendment. Also, updated the time frame and language of the “Notifying Personal Information Protection Commission (Japan)” task to three days and of the “Notify Affected Individuals (Japan)” task to 15 days. Removed the “Public Announce the Breach (Japan)” task.

Manitoba (Health)
Updated the regulator to reflect the current Practice Note reflecting the 2021 Amendments. Specifically, amended the “tool tip” and all notification tasks to reflect current links. Additionally, updated the “Notify Manitoba Residents” and “Notify Manitoba Ombudsman” tasks to reflect a 15-day notification time period after a privacy breach is detected.

Rwanda
Updated the language in the Resource Library to reflect formatting changes only.

United Kingdom
Updated the Regulator consistent with Regulation (EU) 2016/679, effective April 1, 2022. Specifically, updated the links and language in the “tool tip”, “Notify Supervisory Authority (United Kingdom)”, and “Subsequent Supervisory Authority Notification (United Kingdom)” tasks. Additionally, amended the notification tasks so that they are no longer triggered when the breached data is encrypted.

Timeframe
For privacy tasks that include a timeframe, the timeframe is included in the task details. Analysts can use this information to determine the flexibility of the due date. The timeframe is also included in any reports.

Cape Verde
This regulator was added to the Privacy Solution.
  • Law 133/V/2001 on the Protection of Personal Data (as amended by Law No. 41/VIII/2013 - General Legal Regime for the Protection of Personal Data of Individuals and Law No. 121/IX/2021 of 17 March 2021) (collectively ‘the Law’)
  • Requirements and Timing: The Cape Verde Law establishes rules relating to the protection of natural persons regarding the processing of personal data. In the case of a personal data breach, the data controller must notify the Cape Verde National Commission of Data Protection not later than 72 hours after having become aware of a breach and notify affected individuals without undue delay.
The new regulator includes the following tasks:
  • “Notify Affected Individuals (Cape Verde)”
  • “Notify the National Commission of Data Protection (Cape Verde)”

U.S. Arizona
Updated the language in the Resource Library to include relevant provisions from the Arizona Genetic Information Privacy Act.

U.S. Delaware
Added the “Health Insurance Identification Number” data type to trigger notification tasks in accordance with the current Delaware Breach Notification Statute.

U.S. Indiana
Updated the language in the notification tasks. Specifically, amended the language in the “Notify Credit Bureaus (IN)” task and updated the links in the “Notify Indiana Attorney General” task.

U.S. Massachusetts
Updated the language in the Resource Library and notification tasks. Specifically, amended the language to remove redundant links and wording.

U.S. Mississippi
Updated the language in the notification tasks. Specifically, amended the “Notify Consumers Individually” task to reflect the Mississippi State Statutes. Additionally, removed the Mississippi State Statute language from the “Notify Consumers Individually (HIPAA Preemption)” task.

U.S. New Mexico
Updated the language in the notification tasks. Specifically, edited the link to the summary of rights provided under the FCRA and added the notice requirement to the “Notify NM Consumers Individually” task. Additionally, amended the language of the “Notify NM Consumers Individually”, “Notify NM AG”, and “Notify Credit Bureaus” tasks to permit delays based on legal enforcement and/or investigations.

U.S. North Dakota
Added the “Health Insurance Identification Number” data type to trigger notification tasks in accordance with the current North Dakota Breach Notification Statute.

Eswatini (Swaziland)
This regulator was added to the Privacy Solution.
  • Eswatini Data Protection Act, 2022 (No. 5 of 2022)
  • Region: Africa
  • Requirements and Timing: The Eswatini Data Protection Act establishes rules relating to the protection of natural persons regarding the processing of personal data. In the case of a personal data breach, the data controller must notify affected individuals and the Eswatini Communications Commission as soon as reasonably possible after the discovery of the breach.
The new regulator includes the following tasks:
  • “Notify Affected Individuals (Eswatini)”
  • “Notify the Authority (Eswatini)”

Rwanda
Updated the notification task templates. Specifically, removed U.S. Credit Bureau contact information.

Spain
Updated the language in the notification tasks. Specifically, updated the name and contact information of the Spain Supervisory Authority (AEPD) and added a link to the AEPD Guidelines on Personal Data Breach Notification to the “Notify Supervisory Authority (Spain)” and “Subsequent Supervisory Authority Notification (Spain)” tasks.

U.S. Arizona
Updated the Resource Library to include the recent amendments to Section 18-552 of the Arizona Breach Notification Statute. Created a new task, “Notify the Director of Arizona Department of Homeland Security”, based on the recent amendment.

U.S. Idaho
Updated the language in the “Notify ID Consumers Individually” task to reflect the earlier timeline provided in the statute and the permitted delays based on legal enforcement and/or investigations. Amended the preemption tasks for “HIPAA/HITECH, NCUA and GLBA” to reflect the preemption requirements under the Idaho breach notification statute. Updated the “Notify ID Attorney General” task to include the email address of the Consumer Protection Division and the link to the Security Breach section of the AG's website for further guidance.

U.S. New Hampshire
Updated the language in the notification tasks. Specifically, added the required content for the notice and the permitted delays based on legal enforcement and/or investigations to the “Notify NH Consumers Individually” task.

U.S. South Carolina
Updated the language in the notification tasks. Specifically, added the permitted delays based on legal enforcement and/or investigations to the “Notify SC Consumers Individually” task.

U.S. Wisconsin
Updated the language in the notification tasks. Specifically, added language to reflect the number of individuals (1000 or more) that must be affected by a data breach incident to trigger the “Notify Credit Bureaus (WI)” task. Also added the required content for the notice and the permitted delays based on legal enforcement and/or investigations to the “Notify Consumers Individually (WI)” task.