It’s been a busy few months in the fast-moving world of data security. The new General Data Protection Regulation (GDPR) that comes into force on May 25 is keeping law firms, IT professionals and legal technology providers up late trying to answer a bunch of new and complicated questions.
GDPR is getting a lot of coverage across Europe. But what about something called the EU-US Privacy Shield?
GDPR: European regulation, global scope
The goal of GDPR is to protect all private data. So any organization that stores or processes personal information about European citizens, whether or not they reside in an EU state, has to comply with the new regulation.
What makes GDPR unique is its broad scope. Both businesses based in the EU and those with no physical or legal presence in the EU fall under the regulation. It also applies to companies that either do business in Europe or offer goods and services online that EU residents buy. Specifically, Article 3 of the regulations says that if a company gathers personal information from someone in an EU country, it falls under the new regulation. But this law only applies to consumers who are in the EU when the data is collected.
It’s also important to remember that GDPR doesn’t just cover financial transactions. Even if you’re collecting personal data as part of a marketing survey, GDPR protection rules apply. As far as marketing goes, only non-EU companies that specifically target someone in a European country have to comply with GDPR. Generic marketing, including content that isn’t in the language of a specific EU member state, isn’t covered by GDPR.
Meet GDPR’s American cousin: the connection to the Privacy Shield
Now we have GDPR, a comprehensive data protection law regulating the processing of European personally identifiable information around the world. But even though GDPR will place many restrictions on non-European businesses, the European Union will still need to make sure that data protection standards in non-EU countries are enforced.
This is where EU-US Privacy Shield comes into play. Companies that participate in the Privacy Shield agreement fulfill the EU’s data protection requirements. Privacy Shield is a framework for transatlantic data flows that requires US-based businesses to protect EU citizens’ personal data.
In short, Privacy Shield certification is a step toward comprehensive EU data protection.
A peek behind the shield: how it works
The Privacy Shield has set up monitoring and enforcement mechanisms, through the US Department of Commerce and Federal Trade Commission (FTC). In order to protect the personal information of European citizens, the shield sets strict limits on access and requirements for overseeing this access. It also promotes organizational transparency, and makes it possible for EU citizens who file complaints against US companies to quickly resolve their disputes.
The Privacy Shield is more demanding than its predecessor, the Safe Harbor provisions. Since Privacy Shield involves self-certification and verification, it will mean extra planning on the part of US companies. Many firms will need to update their privacy policies, since most US-based companies’ current policies are too vague to comply with the Privacy Shield.
Does Privacy Shield certification mean GDPR compliance?
Not automatically. Privacy Shield only ensures that a company has sufficient data protection laws to do business in the EU. But there are several GDPR requirements that go beyond this narrow focus. Privacy Shield has also been criticized for not providing adequate protection for transferred data. The European Data Protection Supervisor (EDPS) and the European Commission have even rejected Privacy Shield.
Even so, more than 500 companies, including Microsoft and Google, have been approved under Privacy Shield by the US government, and over 1,000 applications are being considered.
US companies need to keep in mind that some European customers and partners believe that their data will not leave the EU. And EU-based consumers and collaborators may object to having their data transferred to a US-based data center, especially since the future of Privacy Shield is very much up in the air.
To play it safe, American companies that have relationships with European firms and citizens may need to take additional steps, such as hiring a dedicated Data Protection Officer. US-based companies should also figure out where their data has come from, where it is today and where it’s headed. Preparing for GDPR means taking the time to develop and implement a business plan based on the data that a company is using. It’s also important to develop ways to track data as it moves from jurisdiction to jurisdiction. Once non-European companies address all these issues, they’ll have a better understanding of the security they need to protect data and be GDPR-compliant.
After all, GDPR isn’t a suggestion. It’s a directive that could result in fines of €20 million or up to 4% of your annual global turnover. How many companies out there can afford to not be prepared for GDPR?
From Kobi Afoota
Kobi has over 10 years of experience in information security management. An expert in his field, he is currently hibob's Information Security Manager.