As was covered previously, there is a new Safe Harbor agreement tentatively in place called EU-U.S. Privacy Shield, which is being reviewed for approval by the Article 29 Working Party. We also know that there are already folks out there looking to take the new framework to court within the EU, which may result in another nullification if the EU courts feel that the privacy controls are still not addressed.
Organizations should be watching this very carefully and tracking it as a very real risk. One of the main functions of good compliance and IT governance is risk mitigation. Below are some very easy steps that will help keep your options open if we have another issue with the new framework.
While this work is being approved and formalized, and as we all wait for the eventual lawsuits around this new legislation, organizations should be looking at and considering mitigation plans. We have a reprieve and should use it to mitigate risk; another breakdown of data laws would be crippling to organizations.
Steps should be taken to understand where your organization’s data resides, in order to address data sovereignty and the collection of information. Ask:
- Where is your Cloud Vendor storing data?
- Does it “float” in a cloud to differing geographical regions?
- Is it under your control or the control of a Cloud Vendor?
And then act:
- Reduce analytics and wide data collection to only what is required to provide services.
- Ensure you have clear privacy notices and policies in place.
- Inform – and get approval – from customers to use their personal information. That means being honest about what you plan to do with collected data.
- Be cognizant of where this data is being stored.
- Review any subcontracted services to ensure they also conform to your agreements – don’t get caught on the wrong side of an audit because your Cloud Vendor or vendors are not bound by Business Agreements to handle data to the same standards as your organization.
If we know there is a risk of another framework breakdown why not segment the data if it’s feasible?
iland takes data sovereignty very seriously, not just for our own internal functions, but for those of our customers. We take it so seriously that we have our own customer-facing Compliance and Security departments that do nothing but work to ensure that customers’ compliance and security requirements are aligned – not just at the Cloud Vendor level but also within the customer’s organization.
With many cloud providers, you’d be lucky to get a copy of their auditor reports. Would they be willing to help you perform your governance reviews or sit next to you during audits? Ask.
This week’s news was very welcome: we have a tentative agreement and roadmap in place with Privacy Shield! Just remember that we still have an identified risk, and some relatively easy steps can be taken to reduce that risk. Talk with your Compliance and Legal teams, as well as your cloud provider’s Compliance Department, to see how they address these concerns, how they can demonstrate adherence to the new Privacy Shield framework, and what they are doing to mitigate risks; and talk to us here at iland!