Expert privacy shield comment - Iron Mountain
August 2016 by Gavin Siggers, Director of Professional Services, Iron Mountain
Following the recent approval of the EU-US Privacy Shield, I just wanted to get in touch with expert comment from Gavin Siggers, Director of Professional Services at Iron Mountain.
Businesses, understandably, have been in limbo over international transfer of personal data since Safe Harbour was rejected back in October 2015. After it was decided the proposed regulations didn’t provide adequate protection for the personal data of EU citizens in the US, many businesses have awaited the replacement and its expectations for handling this valuable data with caution.
This month’s approval of the new policy from the European Parliament brings Privacy Shield into action. The policy will guide the way US and EU organisations store, share and protect the personal data of EU citizens. It aims to keep data safe, with stipulated guidance around stronger protection of transatlantic data flow and the fundamental rights of individuals whose data is transferred. The approved regulation also has a positive economic impact, as it supports billions of dollars’ worth of trade and facilitates international data transfers – essential to the British economy.
In addition to increased regulatory change, Brexit has presented further complexities. Despite the current uncertainty over how Brexit will impact Privacy Shield in the UK, organisations still need to ensure they are preparing to adhere to its stringent requirements. The first step in this preparation is to understand what Privacy Shield demands of organisations when handling data across borders, as well as the ramifications of non-compliance, including fines of up to 300,000 euros.
For all data exports to the US there needs to be a full examination of which data transfer and protection processes will be affected by Privacy Shield – including online social plugins and analytical tools from America, such as Dropbox. These data export programmes put organisations in a position of less obvious non-compliance, with many companies being unaware of the risks. To overcome the hidden threats, and consequently avoid hefty fines, organisations need to ensure all exports from the US are aligned with the regulations of Privacy Shield.
Ultimately, businesses need to train and educate both themselves and their employees on the principles of data protection, including the expectations of Privacy Shield. Implementing a data management programme to cope with privacy changes right away, and ensuring a cultural shift within organisations towards new, more stringent regulatory demands for data protection, are crucial steps for businesses to protect their reputations and bottom lines.