When the European Court of Justice invalidated the EU Safe Harbor framework, it put all data transfers based on Safe Harbor self-certification in legal limbo. While the ruling doesn’t require that those transfers cease, it means there is no longer any legal authorization for them.
Without Safe Harbor, gaining approval for data transfers from the EU requires approval from each individual country’s Data Protection Authority. Besides satisfying those 28 DPAs, companies also need to be concerned about satisfying other authorities. Can EU data privacy get any more complicated?
Enter the European General Data Protection Regulation (GDPR)
This comprehensive set of laws (the text is over 200 pages) has taken the EU member states four years to negotiate. One partner at a notable law firm was quoted as saying: “This is the most significant development in data protection that Europe, possibly the world, has seen over the past 20 years. Forget Safe Harbor and the Right to be Forgotten – this is much, much more significant.”
Prior to the new laws, each EU member state created its own national laws to enforce the European Commission directive. The resulting patchwork of country-by-country laws proved complex to implement and interpret. While some streamlining will now be possible, the overall changes will introduce real penalties, data protection by design, data breach notification, auditing rights, and liability for data breaches at data processors. Local data protection authorities will still be able to contest GDPR rulings and are permitted to pass supplemental legislation.
There’s no way to eliminate the uncertainty around data transfers at this point. EU Safe Harbor 2.0, targeted for early next year, will have to align with the stricter data transfer rules already agreed to in GDPR. By acting to put policies and technical controls in place now, companies will be well positioned to satisfy the GDPR for EU countries, Safe Harbor 2.0 and other national data privacy laws.
Action Steps to Take Now
Start with a holistic, overall business understanding of what data protection requires. Understand your traffic flows to determine the controls needed around each application. Governance policies can be specified and measures for monitoring and compliance can be implemented. Once you’ve got that high-level framework in place, you can look at technical controls for data protection like encryption or tokenization.
Begin by taking the following steps:
- Identify your risks. This means doing the analysis to identify your cross-border data transfer flows. Assess the scale of the flows and the sensitivity of the information that’s moving across borders. This must include the flow of data with your customers, between your employees, and to your vendors (and their sub-contractors). Realize that data flows may not be immediately obvious; even if data doesn’t flow as part of an operational business process, it may be accessed by administrators in another location as part of system maintenance or support activities.
- Identify and secure cloud collaboration. At most companies, cloud usage presents a significant risk to data protection. Companies must do due diligence to identify known and unknown cloud usage where significant leaks of sensitive data can occur. Implementing Shadow IT reporting of cloud usage plus controls on data sharing and data loss prevention should be among the first technical measures companies adopt.
- Review critical cloud applications in detail. Perform full analysis of your enterprise-wide cloud applications for CRM, Cloud Collaboration and IT Service Management. This means reviewing all use cases around that application and the specific fields in it that need to be protected. Consider the full scope of security around the application, not just EU privacy concerns, to create comprehensive security playbooks for your critical enterprise functions.
- Consider limiting or masking sensitive data flows. Legacy operational procedures may not be properly aligned with the new privacy regulations. If there’s no compelling business need for the data transfer, review whether processes can be modified to render sensitive data indecipherable or limit the scope of the data transfer.
- Explore model contract clauses and binding corporate rules. Model contract clauses and binding corporate rules can be expensive and complex to implement, and in the current environment, there’s no guarantee they will meet EU data protection requirements. Nevertheless, companies should investigate whether they are practical as an interim measure.
- Review contracts with your cloud vendors. The ultimate responsibility and liability for protection of your data rests with you, not your vendors. Conduct reviews of the security measures your cloud provider offers, including basic physical security and disaster recovery plans, plus their security certifications for compliance with standards. You should expect that you will need to develop a plan to fill in the gaps. In some cases, filling in the gaps can mean asking the cloud provider to implement model contract clauses or binding corporate rules; in other cases, it can mean implementing a cloud access security broker to provide more complete protection. Restricting data to a specific data center is not generally a solution, as there may be remote admin access through the cloud provider.
There are no easy solutions to data protection with the changes to EU Safe Harbor and the new requirements in GDPR, but the above steps will help identify the most critical risks to your data and get you ready to comply with EU Safe Harbor 2.0 now and GDPR once it’s finalized. Our EU Safe Harbor Resource Center can help you keep up with the changing understanding of EU data privacy policies. Or watch the on-demand replay of last week’s webinar featuring a panel of security experts (Fazal Sadikali of Accenture and Ramy Houssaini of BT Global Services) on “EU Safe Harbor Ruling: Creating an Actionable IT Plan”.