The US Chamber of Commerce has opened registration for companies that need to transfer the personal data of European customers across the Atlantic. This comes less than three weeks after the European Commission (EC) approved the EU-US Privacy Shield. Last month, the US and the EU finalized their Privacy Shield agreement, a framework agreed between the EU and the US that lets some US companies receive personal data from EU entities more easily under EU privacy law; in essence, it provides a legal basis for exporting personal data across the Atlantic. Without it, companies handling EU citizens' information could be breaking the law in Europe. Cross-border data transfers may include payroll, health information, human resource data, and even data used for targeted online marketing and advertising.
The new data-transfer deal brought to a close months of limbo that followed the EC Court of Justice's decision last year to strike down its predecessor, the Safe Harbor framework. The Safe Harbor decision allowed companies to self-certify that they provided "adequate protection" for the data of European users, in order to comply with the European data protection directive and with fundamental European rights such as the right to privacy (under Article 8 of the European Convention for the Protection of Human Rights).
In April 2016, the Article 29 Data Protection Working Party stated that the Privacy Shield offers major improvements over the Safe Harbor decisions. However, it was still deemed "not robust enough to withstand future legal scrutiny before the European Court" because of three major concerns: deletion of data, collection of massive amounts of data, and clarification of the new Ombudsperson mechanism. With the EU-US Privacy Shield now finalized and approved by European governments, privacy compliance is fundamental for all global companies. With this in mind, enterprises of all sizes should understand the cost of non-compliance, what it entails, and what it takes to manage in-house policies manually.
An organization’s compliance with the Privacy Shield will be directly and indirectly monitored by a broader array of authorities in the US and EU, possibly increasing regulatory risks and compliance costs for businesses that are involved. In Trend Micro’s 2016 Security Predictions, Chief Technology Officer Raimund Genes said that enterprises will realize the need to ensure the integrity of data within and outside the company. This is because the EU Data Protection Directive will mandate a high standard of protection on data, and the role of the Data Protection Officer (DPO) or Chief Information Security Officer (CISO) will be vital in ensuring the integrity of data and compliance with rules and regulations of countries where company data is stored. DPOs and CISOs are expected to be experts in data protection and data security regulations, and must know how these should be effectively implemented.
Now that the Privacy Shield has been approved, companies must ensure that they remain compliant on an ongoing basis and are able to certify with the US Department of Commerce. With this in mind, businesses should prepare accordingly, as growing awareness of data protection will drive a significant shift in enterprise mindset and strategy against cyber-attacks.