In November 2015 I wrote about the implications of the collapse of Safe Harbour, the agreement which meant that US firms could do business with EU firms without having to adhere exactly to EU data protection regulations, which were significantly different from their own. Safe Harbour was never intended to be a shortcut, but rather a way for US and EU firms to transact business more smoothly.
Yesterday, many firms trading on both sides of the pond breathed a big sigh of relief as a new Safe Harbour agreement, called the “EU-US Privacy Shield”, was announced. The new agreement should come into effect in about three months and is rumoured to be an improvement on the previous agreement, although I await more details before passing judgment.
So firms don’t have to make alternative arrangements for the transfer and storage of their European data into the US. Great, right? Well yes, in the short term, but in light of the forthcoming General Data Protection Regulation, I think a wise firm would take this opportunity to review its long-term data protection strategy and make sure that it is fulfilling its responsibilities to its customers and employees by protecting their data adequately.
A good exercise for any firm would be to understand what data they own and where it is currently stored and processed. By reviewing these processes and understanding the data estate, firms can identify and address weaknesses in the process and gaps in knowledge. Tagging data can be a useful tool to assist with the tracking process.
Whilst the pressure is off, now could be a good time to review your information governance strategy and consent-to-share policies. By clearly including consent to share in your contracts, you ensure that employees and investors are consenting to share their data at the outset. This consent can be reviewed periodically or revoked at any time, which is when the tagging will come in useful.
I’d always advocate thorough due diligence on any third-party suppliers that will have access to, store or process your firm’s data, using the most stringent data protection regulations as a yardstick. If your firm is legally obliged to comply, then your third-party suppliers must too.
Finally, and as much for good cybersecurity practice as for data protection regulation requirements, if you are gathering, storing, processing or transferring personal data about your employees or your investors, think seriously about encrypting, tokenising or pseudonymising that data. If anything happens to it once it leaves your network, you can be sure that both the regulators and the owner of the personal data will be glad you did.
Data protection is your responsibility; it is something to be taken seriously, and there are lots of ways to do just that.