With an estimated $250 billion of transatlantic trade dependent on cross-border data transfers alone, data protection has become a major issue. If your organization holds data emanating from the EU, you need to make sure you’re on top of the regulations.
EU privacy law forbids the movement of citizens’ data outside the EU to any location that is not deemed to have “adequate” privacy protection. Essentially, this means that if a non-EU country wants to hold EU data, its regulations have to conform to EU standards.
US companies should concern themselves initially with the new Privacy Shield agreement, while those in the UK will soon need to adhere to the new EU General Data Protection Regulation (GDPR).
What is the EU-US Privacy Shield?
The EU-US Privacy Shield was formally adopted by the European Commission on 12 July 2016, in response to a ruling that the existing Safe Harbor agreement was insufficient. The framework is designed to protect EU citizens and the data of individuals based in the EU against misuse by US-based companies.
Requirements for US Companies:
• State clearly that you are participating in the Privacy Shield, how you are collecting information and what you are using it for
• Take “reasonable” steps to ensure that any third-party contractors use the personal information in a manner that is consistent with the Privacy Shield
• Collect only information that is specifically relevant to the intended and disclosed use
• Certify with the US government that you will continue to apply the principles of the Privacy Shield even if you leave the program
• Establish a named individual to quickly respond to privacy-related complaints
• Make public any compliance or assessment reports that you have been required to submit to the US Federal Trade Commission
Regardless of Brexit, the new EU GDPR is on its way. Even when the country leaves the EU, the UK will need to prove “adequacy” of its privacy regulations.
Considerations for UK Companies:
• It will be expensive to make mistakes. Fines for data breaches will be as high as €20 million, or up to 4% of global revenues
• Everyone will have the “right to be forgotten”. This is a huge challenge for any organization. You’ll need to identify every instance of an individual record, and that includes backup and archive data
• Data portability. People must be able to transfer their personal data from one electronic processing system to another, made available to them in a structured and commonly-used electronic format
• If you’re handling large volumes of data, you’ll need to appoint a data processing officer to manage your security processes and provide advice to the senior management team
• You must report any data breaches rapidly (within 72 hours)
• If you are using third-parties to process personal data, you will still be held responsible for its security
The EU regulations, whether in the form of EU GDPR or the Privacy Shield framework, will no doubt be tested, challenged and adapted for several years to come. However, at their heart are some sensible precautions for the protection of the individual, and the implementation of these frameworks serves as a good reminder for all of us to treat customer data with respect.