Collision of Data Privacy
The “cloudification” of everything from data storage to applications to security services has increased the availability of free-flowing data, allowing business to access anything from anywhere. However, it’s raised serious concerns about the security of personally identifiable information (PII) collected and shared by businesses and government agencies across international borders, and a global data privacy movement was born. Leading the charge on data privacy reform is the European Union (EU) – where consumer privacy is seen as a fundamental right. As a result, data location now matters in the cloud, and businesses must be prepared to know exactly when, where and how this data is shared across geographic borders.
While data privacy is quickly gaining steam across the entire globe, steps the U.S. and EU are currently taking will likely shape the debate for years to come. The recently passed General Data Protection Regulation (GDPR), which goes into effect in 2018, establishes a framework for all 28 EU member nations, providing a comprehensive and unified way for businesses to properly handle sensitive data belonging to EU citizens. Of the restrictions the GDPR places on global, multi-national businesses, the proper handling of PII is front and center.
The other major data privacy issue, the EU-US Data Privacy Shield to replace Safe Harbor, more narrowly addresses the flow of personal data from the EU to the U.S. However, an initial draft of the new framework was deemed inadequate by the EU Parliament’s influential Article 29 Working Party and cannot be relied upon until it passes the test in the EU court, leaving thousands of businesses in limbo.
No More “Go With the Flow”
Information-intensive business processes rely on SaaS, and this, coupled with a shift to mobile computing platforms, means controlling data location and complying with privacy regulations is extremely challenging. As new regulations come to pass, they may put U.S. companies at an even greater disadvantage by adding to the confusion over the consequences of non-compliance. According to the latest draft of the GDPR, for example, any U.S. business involved in the processing of EU consumer data – whether directly or via third-party entity – can be held liable for a breach, resulting in fines of anywhere from $1.7 million up to 4 percent of a business’ global revenue, depending on where the data violations occurred.
“Whether your data lies in the public, private or hybrid cloud – it needs to be constantly evaluated in order to truly assess risk potential,” said Simon Leech, chief technologist, Security, Hybrid IT at Hewlett Packard Enterprise. “The owner of the information is ultimately responsible, which is why it is vital for companies to establish a true culture of security at all levels within the business.”
Businesses should be addressing potential data privacy violations now in order to make complying with new regulations easier. There are some approved mechanisms that can be put in place while the specifics are hammered out, such as:
- Binding corporate rules (BCR) – BCR are a set of legally enforceable rules for the processing of personal data that ensure a high level of protection is applied when personal data is transferred between members of a corporate group. Once a set of BCR has been approved by the relevant national data protection authorities, they will ensure that adequate data privacy safeguards are in place to meet compliance.
- Hiring a Chief Privacy Officer (CPO) – With data privacy regulations like GDPR and EU-US Data Privacy Shield, companies that regularly handle sensitive data on a large scale or collect information on many customers should consider designating a data protection officer that can quickly make decisions based on the evolving regulatory landscape. The CPO will be responsible for all data protection matters on a day-to-day basis, and should be involved in vendor decisions that may handle PII.
- Investing in the IT team – Let’s be clear: complying with these new data privacy regulations will be expensive. But the cost of non-compliance will be even greater, meaning IT teams will face more pressure than ever to protect data from breaches and unauthorized access – both from internal and external threats. Fines will be levied whether the transfer of data was intentional or accidental. Unfortunately, IT teams are woefully underprepared to comply with GDPR as it is.
- End data hoarding – Technology has made it increasingly cheaper and easier to store data that many businesses simply do so as a matter of course. But big data isn’t necessarily better data, and businesses should adopt a data-minimalist approach to ensure greater control and reduce risk.
Data privacy has become a global issue affecting all companies that operate internationally, particularly those that have adopted cloud technologies. Companies can continue using the cloud as long as they’ve put procedures and systems in place to ensure that EU citizen data resides in the country of record. This includes not only validating how any personal data is collected, stored, processed and shared, but also how the business can prove continuous compliance. Setting up local datacenters will help solve the location-focused burdens of the new regulations, but it’s not enough. Companies will still need to maintain control over the entire lifecycle of EU citizen data, as well as who has access to it and from where.
By Daren Glenister