Important enough for privacy to take a look at this - don't miss my earlier posts on the invalidation (here) and the suggested Privacy Shield (here):
Not much time - here is the one slide summary:
More time? Read on:
The Privacy Shield agreement was necessary after the EU Courts invalidated the long term Safe Harbor Agreement between the USA and the EU. It was proposed back in February of 2016 and is now in place with few days to spare. In Europe privacy advocates and groups think that Privacy Shield is not going far enough, so the next court challenge is likely - but for now Privacy Shield is a valid agreement.
What does it mean for CxOs?
No matter if looking at this from a people side, as CHRO or as a technology executive (CIO, CTO), the recommendation has to be clear, if an enterprise does business or plans to do business on both sides of the Atlantic:
- Plan / Operate local data centers: Local data centers need to be in the near future, in case they are not yet a reality, as the only way to be compliant in the medium term.
- Separate Data / Access: The separation of data and access to data in these data centers needs to be looked at, be implemented and monitored. Expect BI / DataWarehousing etc. application to require a deeper look.
- Validate / Separate Applications: The next step will be to change existing applications - no matter if built in house or bought of the shelf, to make sure that the new modus operandi is followed and stays in place.
- Keep an eye on legislation: This will not be the last wrinkle, so CxOs should learn and not be taken by surprise (again?) by future trans-Atlantic privacy changes.
MyPOV
The good news for enterprises is regulatory certainty - for now. It's a good time to check internal applications on compliance and have a conversation with your SaaS vendors on compliance. If an enterprises does not have data centers on both sides of the Atlantic - it's time to get them in place, or long term write off the business on the other continent. We expect privacy regulation to keep evolving, actually on both sides of the Atlantic, with a new administration coming in the US this year. As always - start with the business acumen, and then tackle the hard parts, which is data center location and application and data segregation. The good news is - there are many data center vendors / IaaS vendors easy to get more utilization in their data centers. The bad news is - almost no SaaS vendor is ready for data separation, while allowing a legal global view, we expect it will take a few more quarters for vendors to step up to the challenge and support this in product. Till then (or new changes in transatlantic privacy) - stay tuned.
Also follow up the view of my colleague Steve Lockstep on the topic and privacy in general here.
Also follow up the view of my colleague Steve Lockstep on the topic and privacy in general here.