Just when you thought you had a working solution compliant with the General Data Protection Regulation (GDPR) for sharing data between EU and non-EU countries as part of your regular business communications, the Schrems II ruling appears out of nowhere and moves the goalposts! If you had been relying on the EU-US Privacy Shield framework, this is no longer sufficient to ensure compliance with the stringent EU data protection requirements, especially GDPR. Schrems II has been specifically designed to address the gaps in GDPR relating to the enforcement of transactions flowing outside the EU. In short, it is there to ensure that the handling and processing of data belonging to EU citizens receives the same level of security (or higher) in all countries outside the EU where that data is present. Over time this will no doubt improve the overall security posture of all businesses, but in the short term it will likely lead to many new challenges accompanied by a period of relative uncertainty.
A set of big challenges to overcome
The existence of Schrems II will no doubt affect the business community in subtly different ways and cause some short-term pain. In addition, there are some fundamental challenges affecting GDPR regulatory compliance (just as with most other data privacy laws and regulations) that are best tackled sooner rather than later. For any business sharing data across multiple countries or regions, the list of challenges is likely to include some or all of the following:
- Knowing exactly what data you have that is subject to GDPR and where it resides – so you can protect it at all times
- Determining which laws/regulations apply when you share data externally – so that you can understand the risk involved when it is used outside of your direct control
- Protecting sensitive data effectively as your data sprawl expands rapidly to non-EU countries – to ensure you have a Bring Your Own Encryption (BYOE) solution that can scale seamlessly
- Dealing efficiently with a wide range of data types and storage locations – to help you locate the last piece of sensitive data in your organization
- Creating a comprehensive data inventory or mapping – so that you know exactly the precise flow of your data
Too often we see an organization panic when faced with new regulatory challenges. A typical response is to lock data down completely by encrypting everything in all locations. While this may significantly reduce risk, it can have the undesirable side effect of making legitimate access to important data much more complicated, creating an unwelcome layer of friction. Is there a better way to tackle compliance without such a significant drawback?
Making effective data discovery the rule rather than the exception
Data privacy laws and regulations are intended to help with the protection of sensitive data, not to stop businesses from operating efficiently. In many cases the response mechanism affects all data rather than just the sensitive portions that are vulnerable if shared, used or stored inappropriately. When you know precisely what sensitive data you have, all the places where it resides, who has access to it and under which conditions it is shared externally, you can then start to evolve a trusted privacy framework.
The formal data discovery stage is often the first step in the overall process, and it is frequently either implemented poorly or ignored altogether. By standardizing on data discovery as the fundamental first step in your overall data protection strategy, you will be able to meet your compliance needs without hampering the value you derive from your data. When someone moves the goalposts in the future with a new type of regulation, you will be ready because you will have in-depth knowledge of your sensitive data footprint.
You may also be interested in attending our upcoming Schrems II webinar on April 21st, where panellists from Accenture, Forrester and Thales will discuss data transfers in a post-Schrems II and post-Brexit era and examine how the current rules and regulations for securing information and maintaining privacy will impact organizations that rely on global access to data.