Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.
As was covered previously, there is a new Safe Harbor agreement tentatively in place called EU-U.S. Privacy Shield, which is being reviewed for approval by the Article 29 Working Party. We also know that there are already folks out there looking to take the new framework to court within the EU, which may result in another nullification if the EU courts feel that the privacy controls are still not addressed.
Organizations should be watching this very carefully and tracking it as a real risk. One of the main functions of good compliance and IT governance is risk mitigation. Below are some easy steps that will help keep your options open if we have another issue with the new framework.
While this work is being approved and formalized, and as we all wait for the eventual lawsuits around this new legislation to occur, organizations should be looking at and considering mitigation plans. We have a reprieve and should use it to mitigate risk; another breakdown of data laws will be crippling to organizations.
Steps should be taken to understand where your organization’s data resides, in order to address data sovereignty and the collection of information. First, a few questions:
- Where is your cloud vendor storing data?
- Does it “float” in a cloud to different geographical regions?
- Is it under your control or the control of a cloud vendor?
Next, act:
- Reduce analytics and wide data collection to only what is required to provide services.
- Ensure you have clear privacy notices and policies in place.
- Inform and get approval from customers to use their personal information. That means being honest about what you plan to do with collected data.
- Be cognizant of where this data is being stored.
- Review any subcontracted services to ensure they also conform to your agreements. Don’t get caught on the wrong side of an audit because your cloud vendor or vendors are not bound by business agreements to handle data to the same standards as your organization.
If we know there is a risk of another framework breakdown, why not segment the data if it’s feasible?
11:11 Systems takes data sovereignty very seriously, not just for our internal functions but those of our customers. We take it so seriously that we have our own customer-facing compliance and security departments that do nothing but work to ensure that customers’ compliance and security requirements are aligned – not just at the cloud vendor level but also within the customer’s organization.
With many cloud providers, you’d be lucky to get a copy of their auditor reports. Would they be willing to help you perform your governance reviews or sit next to you during audits? Ask.
This week’s news was very welcome: we have a tentative agreement and roadmap in place with Privacy Shield! Just remember that we still have an identified risk and some relatively easy steps can be taken to reduce that risk. Talk with your compliance and legal teams as well as your cloud’s compliance department to see how they address these concerns. Understand how they can demonstrate adherence to the new Privacy Shield framework and what they are doing to mitigate risks. Talk to us here at 11:11!