This week the member states of the European Union approved the EU-US Privacy Shield. The Privacy Shield is a data transfer agreement between the US Department of Commerce and the European Commission and establishes new principles to regulate transfers of personal data from the EU to the US. Under the Privacy Shield, US companies handling personal data of European residents must prove that they comply with European data protection rules, which from May 2018 will be set by the EU's new General Data Protection Regulation (GDPR). To show compliance, US companies must officially register to participate in the Privacy Shield. Any complaint from a European citizen must be processed within 45 days, and the Privacy Shield is to be reviewed each year.
The end of Safe Harbor
The EU-US Privacy Shield replaces the European Commission's Safe Harbor agreement from 2000, which the Court of Justice of the European Union invalidated last year on the grounds that US law did not adequately protect the privacy of European citizens. The new Privacy Shield aims to restore the assurance that US companies will meet European data protection standards. US companies will only be allowed to process and store data of European citizens if they can prove that they comply with the strict rules of the GDPR.
From 25 May 2018 the GDPR will regulate all processing of the personal data of individuals in the EU, anywhere in the world. Non-compliance can be fined with up to EUR 20 million or 4% of annual global turnover, whichever is higher. Most obligations of the Privacy Shield fall on US organizations, but the strict monitoring and enforcement introduced by the GDPR will challenge legal and IT departments all over the world. To name just a few of its requirements:
- Strict data breach notification: organizations can no longer keep security failures quiet. A breach of personal data must be reported to the supervisory authority (within 72 hours where feasible), and the affected data subjects must be notified when the breach is likely to put them at high risk, unless the data was rendered unintelligible, for example by encryption.
- Data portability: a concept that protects users from having their data locked in "silos" or closed platforms that are incompatible with one another. Organizations are obligated to provide individuals with their personal data in a structured, commonly used and machine-readable format.
- The right to erasure: a data subject may request deletion of personal data relating to him or her, so organizations must be able to locate and delete (or anonymize) that data wherever it is stored.
- Assurance that all personal information is protected at all times, through technical and organizational measures appropriate to the risk.
Technology is needed
Companies all over the world should rethink the way they store and use Personally Identifiable Information (PII). There are many tools available to help organizations conduct company-wide privacy and security risk assessments. These are very useful for testing processes and workflows, and comparing the results against the requirements of privacy and security regulations will provide valuable insight for improvement. Every organization houses many terabytes of data, and within this large volume is a large amount of information that is subject to privacy and data protection regulations. Locating that PII is only the first half of the challenge: when the information has to be transferred or disclosed, it must also be redacted or anonymized, and at scale that can only be done automatically.
Advanced text mining technology can produce a list of candidate PII such as names of people, email addresses, phone numbers, social security numbers, bank account numbers, and many other entities and facts. Auto-redaction can then be executed, and it is even possible to automatically replace occurrences of personal names and email addresses with pseudonyms. Note that pseudonymized data, unlike truly anonymized data, is still personal data under the GDPR: anyone holding the key or lookup table can re-identify the individual, so that secret must be protected as carefully as the original data. Sometimes a full report of all redactions is required for quality control or regulatory purposes, which makes the case for technology even stronger. Doing this work without tooling will undoubtedly lead to lower-quality detection of PII, the need for a huge labor force, very long processing times and phenomenally high costs.
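As an added illustration of the three steps described above (detect candidate PII, replace it with consistent pseudonyms, and produce a redaction report), here is a small scanner written for this page; it is example code, not a product of the original author or of any vendor. It assumes US-style SSN and phone formats and IBAN-style account numbers, uses a hypothetical list of customer names already known to the organization as a stand-in for real named-entity recognition, and runs over a constructed sample ticket; the HMAC key is a placeholder.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical per-deployment secret, constructed for this example. In production it
# comes from a KMS/HSM: whoever holds it can re-link pseudonyms to the original values,
# which is why pseudonymized output is still personal data.
PSEUDONYM_KEY = b"example-only-key-do-not-use"

# Detection patterns. Assumptions: US SSN and phone formats, IBAN-style account numbers.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -])?(?:\(\d{3}\)|\d{3})[ -]\d{3}-\d{4}(?!\d)"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b"),
}


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check; rejects look-alikes such as product or order codes."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                       # move country code + check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def _normalize(kind: str, value: str) -> str:
    """Canonical form so that spelling variants map to the same pseudonym."""
    if kind in ("phone", "ssn"):
        return re.sub(r"\D", "", value)
    compact = re.sub(r"\s+", "", value)
    return compact.lower() if kind == "email" else compact


def pseudonym(kind: str, value: str) -> str:
    """Keyed, deterministic stand-in: same input -> same token, not reversible without the key."""
    msg = f"{kind}:{_normalize(kind, value)}".encode()
    tag = hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:12]
    return f"[{kind.upper()}:{tag}]"


@dataclass(frozen=True)
class Redaction:
    kind: str
    start: int          # offset in the original text
    end: int
    replacement: str    # the report deliberately carries no cleartext PII


def redact(text: str, known_names: tuple = ()) -> tuple:
    """Return (redacted text, report). Overlapping hits keep the earliest, longest match."""
    patterns = dict(PATTERNS)
    if known_names:
        # Hypothetical gazetteer of names the organization already knows (e.g. from its CRM);
        # a real pipeline would use named-entity recognition for names in free text.
        alternatives = "|".join(re.escape(n) for n in known_names)
        patterns["name"] = re.compile(r"\b(?:" + alternatives + r")\b")
    candidates = []
    for kind, pat in patterns.items():
        for m in pat.finditer(text):
            if kind == "iban" and not iban_is_valid(m.group(0)):
                continue                            # regex false positive, checksum fails
            candidates.append((m.start(), m.end(), kind, m.group(0)))
    candidates.sort(key=lambda c: (c[0], -(c[1] - c[0])))
    pieces, report, cursor = [], [], 0
    for start, end, kind, value in candidates:
        if start < cursor:
            continue                                # overlaps an earlier, longer match
        repl = pseudonym(kind, value)
        pieces.extend((text[cursor:start], repl))
        report.append(Redaction(kind, start, end, repl))
        cursor = end
    pieces.append(text[cursor:])
    return "".join(pieces), report


SAMPLE = (  # constructed sample ticket; every name and identifier is fictional
    "Ticket 4711: customer Alice Smith <alice.smith@example.com> called from "
    "(555) 867-5309 about account GB82 WEST 1234 5698 7654 32; SSN on file 123-45-6789. "
    "Product code GB82 WEST 1234 5698 7654 33 is not an IBAN."
)

if __name__ == "__main__":
    cleaned, report = redact(SAMPLE, known_names=("Alice Smith",))
    print(cleaned)
    for r in report:
        print(f"{r.kind:6} @{r.start}-{r.end} -> {r.replacement}")
```

Two design points matter in practice. The report records kind, offsets and the replacement token but never the cleartext, so it can be handed to QA or a regulator without becoming a second copy of the PII. And the checksum step shows why pure pattern matching is not enough: the second account-like string passes the regex but fails mod-97 and is correctly left alone, whereas names in free text that are not in the gazetteer are missed entirely, which is exactly the gap that real text mining closes.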
An effective path to compliance with ever stricter privacy and data protection laws begins with assessing where information is located and what needs to be secured, and then continues with proven tools for auto-redaction and anonymization.