Thales banner

Schrems II

Thales enables organizations to maintain GDPR compliance in light of Schrems II ruling

Schrems II: Identifies the Gaps in GDPR

The General Data Protection Regulation (GDPR) laid down the requirements on securing personal data within the European Union (EU) or European Economic Area (EEA). However, it did not adequately address securing personal data of EU citizens when it is processed outside the EU by other countries, such as the transatlantic data flows that account for more than half of Europe’s transactions.

The recent Court of Justice of the European Union (CJEU) decision in the Schrems II ruling invalidated the EU-US Privacy Shield framework, since it did not adequately enforce EU’s GDPR regulations to protect personal data as it moved between EU and the US. With the nullification of Privacy Shield, and before that, Safe Harbor, companies are no longer protected from liability over those data transfers and they are looking for data protection solutions that can adequately protect global commerce.

EDPB Recommendations Help Close the Gaps

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout EU, and promotes cooperation between data protection authorities in each EU country. To address Schrems II ruling, EDPB recently adopted recommendations on supplementary measures along with a second document on EU essential guarantees, which gives guidance to non-EU countries on ensuring compliance with the EU-level of data protection of personal data. The new recommendations from EDPB allow organizations to build a trusted privacy framework to enhance transatlantic data flows

A Trusted Privacy Framework to Move Forward

Thales enables organizations to maintain GDPR compliance and adhere to the Schrems II ruling, using a trusted privacy framework for protecting transatlantic data flows that follow these overarching principles.

  • Discover and classify your sensitive data wherever it resides. That way you know what needs to be protected and then apply the appropriate security measures as outlined by GDPR.
  • Protect sensitive data using robust encryption. This means protecting data stored in on-premises data centers and in the cloud , and ensuring that it is not exposed to unauthorized users inside and outside the EU.
  • Control access to the data, by creating, storing and managing the encryption keys in the country of the origin of the data (data exporter) and maintain control over who has access to the keys to decrypt sensitive data in non-EU countries, and ensure that those countries can maintain adequate level of data protection according to the GDPR mandates.
  • Recommendations
  • Compliance

The Schrems II ruling underscores the need to ensure personal and sensitive data is protected under GDPR, when it is transferred to/from EU and other non-EU countries. As a result of the ruling European Data Protection Board (EDPB) recommends a six-step plan for continually assessing and protecting global data flows in-line with EU data privacy regulations.

Step 1: Know your data transfers

The first step is to ensure that you have a record of all data transfers with other countries outside the EU logging the series of processors and sub-processors. You must verify that the data you transfer is adequate, relevant and limited to what is necessary to be processed in the third country.

Step 2: Identify the transfer tools you are relying on

The second step is to identify the data transfer tools you are relying on among those listed in Chapter V of GDPR, and take decisions relating to some or all of the third countries to which you are transferring data, that they offer adequate level of protection of personal data.

Step 3: Assess whether the transfer tool is sufficient to meet GDPR (article 46) requirements

The transfer tool must ensure that the level of protection guaranteed by GDPR within the EU countries is as good in the third country outside the EU. Your assessment should take into consideration all the actors participating in the data transfer (e.g. controllers, processors and sub-processors) processing the data in third-countries.

Step 4: Adopt supplementary measures

If the assessment in step 3 has revealed that the transfer tool is not effective, then you will need to consider supplementary measures which, when added to the safeguards could ensure the same level of safeguards guaranteed within the EU are enforced for external data transfers.

Step 5: Procedural steps if you have identified supplementary measures

You may have to take these supplementary measures, if the primary measures used by the data transfer tools are not sufficient to protect the data.

Step 6: Re-evaluate at appropriate intervals

You must monitor on an ongoing basis, and where appropriate in collaboration with data importers in the third countries to which you have transferred data, put in sufficient mechanisms to promptly suspend data transfers, if the data importer breached the contract.

Thales enables organizations to maintain compliance with GDPR and adhere to the European Data Protection Board (EDPB) recommendations for adopting Schrems II ruling using the six-step plan for continually assessing and protecting global data flows.

The CipherTrust Data Security Platform unifies data discovery, classification, data protection, and unprecedented granular access controls with centralized key management under your control – all on a single platform. It enables organizations to deploy bring your own encryption (BYOE) and tokenization policies to protect sensitive data at rest in both EU (data exporter) and non-EU countries (data processors).

CipherTrust Data Security Platform

 

  • Discover: Before data is transferred out of EU, data exporters must be able to discover sensitive data records wherever they reside and classify them based on GDPR compliance requirements. CipherTrust Data Discovery and Classification enables organizations to get complete visibility into sensitive data on-premises and in the cloud, and then apply appropriate data protection measures as outlined by GDPR.
  • Protect: Once the data exporter knows where sensitive data resides, they can protect that data with encryption and tokenization solutions provided by CipherTrust Transparent Encryption and CipherTrust Tokenization before it moves to downstream data importers in other non-EU countries, and provide the same level of data protection in those countries too.
  • Control: Every data security regulation including GDPR requires organizations to control access to data, centralize key management services, and monitor authorized and unauthorized access to data and encryption keys. CipherTrust Manager and CipherTrust Cloud Key Manager enable data exporters and importers of EU to maintain control over keys and security policies across on-premises and multi-cloud environments.

Related Resources

Are You Ready for GDPR? - Paper

Are You Ready for GDPR? - Paper

GDPR mandates the procedures and dictates the consequences regarding data breaches and notification.

GDPR Compliance in Multi-cloud Environments - eBook

GDPR Compliance in Multi-cloud Environments - eBook

The GDPR, which went into effect in May 2018, aims to protect the privacy of EU citizens. Any such data that you hold across your cloud environment(s) is ultimately your responsibility and under your ownership, leaving you subject to potential scrutiny under the new mandates. ...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

その他の主要なデータ保護とセキュリティ規制

GDPR

規制
アクティブ ナウ

これまでで最も包括的なデータプライバシー基準とされるGDPRは、組織がどこの国にあろうとも、EU市民の個人データを保持する全ての組織に対応を求められます。

PCI DSS

必須
アクティブ ナウ

クレジットカード及びデビットカードの決済処理事業者は、アカウントデータの処理、保存および送信に関する厳格なPCIDSSコンプライアンス要件に準拠する必要があります。

データ漏えい通知法

規制
アクティブ ナウ

個人情報漏えいが発生した場合に、データ侵害報告義務の要件は、世界中の国々によって制定されています。それは管轄国で違いはありますが、ほぼ全てに「セーフハーバー」条項が含まれています。