If you share European citizens’ personal data with the US or across European jurisdictions and you don’t have a contingency plan in place, you need to act quickly.
|The US and EU are working the evolution to Safe harbor by the end of January 2016, you could be deemed non-compliant. So what are the options open to you?|
|The EU has a number of standard model (also known as contractual) clauses that cover the transfer of personal data to non-European jurisdictions. Unfortunately, they are not carbon copies of safe harbor, so it’s not just a case of signing them; you’ll need to specifically describe how personal data will be managed and utilized, and define which measures are in place to ensure personal data is protected in accordance with European law.|
A fine-grained auditing tool that shows “who can access what and how” as well as “what can be accessed by whom” is essential.
|Binding Corporate Rules clearly define the manner in which personal data can be transferred and processed within a global enterprise, and in doing so provide the necessary assurances that personal data will be safeguarded. However,Binding Corporate Rules need to be approved by the authorities and as such are seen as a long-term solution – unless you have already submitted rules for approval.|
Policy-based access control is a prerequisite to ensure access controls reflect corporate business rules.
|To combat the invalidity of safe harbor, some companies have allocated dedicated silos in Europe for processing European citizen’s data. However, an ongoing European case* may put an end to this approach across the Union. This means organizations will be forced to meet the regulations of each jurisdiction that they collect data from, or are active in.|
Dynamic authorization will soon be a necessity to control access to data in line with each individual EU jurisdiction.
|In a perfect world, all of the citizens (whom you have gathered personal data on) would consent to you sharing their data anywhere. However, an individual needs to know what consent implies (in this case, a tick box at the end of a ten-page document that very few individuals will read) is not considered adequate. And even if were possible to gain consent for net new data collection, it simply isn’t possible to gain consent for most data that has already been gathered.|
For the sake of business agility, one of the previous options is far better.
|If you use cloud services to transfer and safeguard personal data, you must do your due diligence and audit the provider. They too must comply with EU data privacy regulations and will be forced to implement one of the above scenarios. The onus is on your organization to ensure you and your chosen vendors are operating in line with EU regulations.|
Ask your cloud provider to talk to Axiomatics!