Grounded in the Cloud

Working Together to Navigate Changing Data Privacy Regulations

Stephen_Spector

Guest Post: Daren Glenister, Field CTO, Intralinks


New privacy regulations present profound implications for all businesses that operate on a global scale. These regulatory reforms will force changes in business strategy and processes, and are having a serious impact on the adoption of cloud-based solutions.

Technology does not have all the answers. Companies will have to take a more comprehensive approach to data protection and privacy that includes changes for people, process and technologies. However, businesses will need options, since data sovereignty laws are unlikely to be consistent across different regions. To help multi-national organizations conduct “business as usual” and comply with global data privacy laws, technology solutions providers will need to band together to solve the multiple requirements of compliance.

Regulatory roll call

Two data privacy issues are currently looming on the horizon in the European Union (EU): the General Data Protection Regulation (GDPR) and EU-US Privacy Shield.

GDPR, the EU’s sweeping new data privacy reform legislation, now has an official start date: May 25, 2018. Four years in the making, the GDPR presents the most ambitious and comprehensive changes to data protection rules in the last 20 years. The regulations apply to almost all private sector processing of certain Personally Identifiable Information (PII) related to EU citizens by organizations operating in the EU or by organizations outside the EU that handle EU citizen PII. The maximum fines for non-compliance are a potentially crippling 4% of the organization’s worldwide turnover. The concept of accountability is at the heart of the GDPR rules: it means that organizations will need to be able to demonstrate that they have analyzed the GDPR’s requirements in relation to their processing of personal data, and that they have implemented a system or program that allows them to achieve compliance.

While GDPR is a done deal with a hard deadline, the other shoe hasn’t yet dropped regarding the fate of the EU-US Privacy Shield, a framework designed to replace the now-invalidated Safe Harbor pact. This framework governs the mechanisms by which EU citizen data is transferred to the United States and accessed by companies and law enforcement. The EU-US Privacy Shield is still not deemed adequate by an influential EU Parliamentary group, the Article 29 Working Party, and as such, cannot be relied upon until it passes that test in the EU court. The details of this new framework need to be provided and assessed. Presently, there are no guarantees that the new provisions of Privacy Shield will hold up in a European court.

Online privacy is not just a subject of transatlantic debate. Concern about these issues is gathering steam around the world, including in Africa, the Middle East and Asia. What happens between Europe and the US has international implications, as it has the power to shape the global data sovereignty debate for years to come.

Tackling data sovereignty

Increasingly, data privacy laws require companies to exercise greater control over data and to follow complex rules that spell out exactly where data is stored and processed. From a data privacy perspective, data location matters, because it can determine which jurisdiction has authority over data. Companies will also have to make multiple decisions and position themselves to be in compliance with varying laws in many jurisdictions – some in direct conflict with each other. Doing this successfully will take experience, judgment and global awareness. Further, complying with global data privacy laws cannot be achieved by a single, straightforward technology or software system. Indeed, as is true with many governance and compliance issues, success will often hinge on organizations educating their employees and adjusting business processes – technology can help, but is not a panacea.

Almost every company has some customer data stored on third-party cloud systems. Considering these new regulations, organizations should seek vendor partners who can demonstrate very strong capabilities in the compliant protection of information across the complete content lifecycle, and select technologies that work together to meet an organization’s comprehensive needs. Currently there is no magic bullet for data privacy. Forward-thinking organizations that understand data privacy complexities and the risk of non-compliance will invest in compatible technologies focused on protecting data at all stages – at rest, in use and in motion – in order to protect data and get more work done across geographical borders.

Senior Manager, Cloud Online Marketing
About the Author

Stephen_Spector

I manage the HPE Helion social media and website teams promoting the enterprise cloud solutions at HPE for hybrid, public, and private clouds. I was previously at Dell promoting their Cloud solutions and was the open source community manager for OpenStack and Xen.org at Rackspace and Citrix Systems. While at Citrix Systems, I founded the Citrix Developer Network, developed global alliance and licensing programs, and even once added audio to the DOS ICA client with assembler. Follow me at @SpectorID
