Are your data exports from Europe legal?
Four ways to comply with EU privacy rules
Computerworld - U.S. multinational companies have been taking a harder look this year at ensuring that their flows of personal data out of Europe are compliant with the European Union's Directive on Data Protection. Why the concern? Some EU data-protection commissioners are stepping up enforcement of the directive, which can mean stalled projects, fines or even jail time for their unlucky corporate victims.
If your company has employees in Europe or collects information from Europeans (through the Web, for example), you may be their next target. So what are your options to get compliant and keep your projects and company out of trouble?
EU officials have provided us with several different options. Which one is right for your company depends on what kind of data flows you have. The following are the main options that chief privacy officers are using:
- Transborder data-flow agreements. These are contracts using the model clauses created by the EU. They're signed by the European entity exporting the information and the non-European entity receiving it. For example, a transborder agreement can be a contract among affiliates of your company in Europe, the U.S. and the Asia-Pacific region. Meeting the terms of the model clauses will most likely entail conducting a gap assessment of the data-processing operations involved in the data exchange and resolving any gaps you find. This mechanism works best if your company only has a handful of types of data flows leaving the EU, and those data flows don't change significantly from year to year. If you have dozens of types of data flows or affiliates, however, maintaining dozens of these contracts probably isn't desirable.
- Safe Harbor membership. This is the option I see more U.S. companies considering. Joining the U.S. Department of Commerce's Safe Harbor framework entails adopting a new privacy policy based on the seven Safe Harbor principles, conducting a gap assessment of your compliance with the policy, closing the gaps you find and filling out the agency's two-page application. Joining the Safe Harbor is best if you have numerous or changing data flows between the EU and the U.S. But the Safe Harbor doesn't cover data flows from the EU to Asia or most of Latin America, either directly or through the U.S. Transborder agreements are your best, and perhaps only, option for those regions. By the way, U.S. financial institutions and telecommunications companies are ineligible for the Safe Harbor because they aren't regulated by the Federal Trade Commission.
- Binding corporate rules. This is a new option that only a few companies have pursued and only a few more are seriously considering. Binding corporate rules are the most comprehensive solution, enabling your company to have one set of documentation that brings into compliance all of your data flows outside Europe. But it's not easy. This option requires all of the policy-revision and gap-resolution steps of the Safe Harbor process, plus obtaining approval from the data-protection commissioner of each EU country from whose citizens you're collecting data. Binding corporate rules are best if you have complex data flows leaving the EU for all parts of the world.
- Customer consent. The EU also allows companies to export personal data with the consent of the customer. This route requires you to get customers to sign a form or click a box before you can send their data outside Europe. The EU doesn't allow consent as a sole compliance option for exports of existing employee data, however, because the EU regulators believe employees aren't in a position to say no to these requests. Why don't I see privacy leaders taking this route very often? Because it involves losing customers who don't want to give consent, a result few companies want to experiment with.