Privacy Ref Blog

EU-US Privacy Shield is coming. Now what?

There seems to be a light at the end of the tunnel for organizations that previously exported personal information from the EU to the US under Safe Harbor: the EU-US Privacy Shield. Unfortunately, the details of Privacy Shield are not yet available, so what is a privacy officer to do to prepare for utilizing the new agreement?

Take inventory

Whatever Privacy Shield requires of organizations, it is a sure bet that you will need to know what EU personal data you are collecting and exporting to the US. You will also need to know how it is protected, processed, shared, and destroyed. This information will allow you to make the determination of whether your organization will be Privacy Shield compliant or if some remediation is required.

How is a data inventory established?

The process of creating a data inventory can be tedious and time-consuming. If your organization does not have one, there are various approaches to collecting the information.

One method is to create a survey to ask process and application owners about the data they use. The data owners will come from various parts of your organization. Each will have their own frame of reference, so they will all interpret the questions in the survey a bit differently. For example, consider asking the question “where is the data stored?” of a business department manager and an IT manager. One will say “in a database” while the other might respond with a table name in the database or a server name.

To address this, the person or group coordinating the inventory will need to be readily and preemptively available to those filling out the survey. Interim check-ins with the respondents to review their survey responses will improve the quality and uniformity of the responses.

The most common data inventory survey answer: “I don’t know”

A difficulty that a survey approach must overcome is the depth of knowledge required of the respondents. You are trying to get a wide variety of characteristics about the data items that a single person may not have. A business manager, for example, will generally not know much about data storage, protections, or sharing. These folks know the applications meet their processing needs and rely on other organizations for storage and protections. Similarly, an IT person may not know why the data is collected or what roles access the information; that is a business concern.

Legacy applications present another concern. The knowledge of how a business process or application works often has walked out the door with a departing employee even if documentation is up-to-date.

So, the most common answer to a survey question may easily turn out to be “I don’t know”. This will require the group managing the survey process to encourage respondents to reach out to other groups or individuals. Alternatively, a follow-up with face-to-face meetings to gather the information may be done by the coordinating group.

Keeping the data inventory up-to-date

Reviewing the survey information and placing it in a format that is useful is a discussion left for another day. However, once the inventory is created, it is vital that it be kept current.

To keep the information current, simply send the inventory information you have collected to each data owner on a quarterly basis, requesting that they provide updates.
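The coordinating group's two recurring chores described above, chasing "I don't know" answers and the quarterly re-confirmation, can be automated against a structured inventory. The following is an added example, not code from Privacy Ref or from the original post; the field names, the "unknown" answer set, the 90-day cycle and the sample survey responses are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Survey fields every data owner must answer for each EU data flow (assumed set).
REQUIRED_FIELDS = ("data_elements", "purpose", "storage_location",
                   "protections", "shared_with", "retention")

# Responses that mean the respondent does not actually know the answer.
UNKNOWN_ANSWERS = {"", "i don't know", "unknown", "n/a", "?"}

# Constructed "as of" date for the staleness check.
TODAY = date(2016, 2, 5)

@dataclass
class InventoryRecord:
    process: str          # business process or application
    owner: str            # respondent who answered the survey
    last_reviewed: date   # when the owner last confirmed these answers
    answers: dict         # survey field -> free-text response

def is_unknown(answer) -> bool:
    """True if the survey answer is effectively 'I don't know'."""
    return answer is None or answer.strip().lower().replace("\u2019", "'") in UNKNOWN_ANSWERS

def missing_fields(record: InventoryRecord) -> list:
    """Required fields that are absent or answered with 'I don't know'."""
    return [f for f in REQUIRED_FIELDS if is_unknown(record.answers.get(f))]

def is_stale(record: InventoryRecord, today: date = TODAY, max_age_days: int = 90) -> bool:
    """Stale if the owner has not re-confirmed the record within the quarterly cycle."""
    return today - record.last_reviewed > timedelta(days=max_age_days)

def follow_up_plan(records, today: date = TODAY) -> dict:
    """Map each owner to the follow-up items the coordinating group must chase."""
    plan = {}
    for r in records:
        items = [f"{r.process}: clarify '{f}'" for f in missing_fields(r)]
        if is_stale(r, today):
            items.append(f"{r.process}: quarterly re-confirmation overdue")
        if items:
            plan.setdefault(r.owner, []).extend(items)
    return plan

# Constructed sample survey responses (not real data): a business owner and an IT
# owner answering about the same process, plus a legacy application nobody refreshed.
SAMPLE_RECORDS = [
    InventoryRecord("Payroll", "hr.manager", date(2016, 1, 20), {
        "data_elements": "name, bank account", "purpose": "salary payment",
        "storage_location": "in a database", "protections": "I don't know",
        "shared_with": "payroll provider", "retention": "7 years"}),
    InventoryRecord("Payroll", "db.admin", date(2016, 1, 20), {
        "data_elements": "name, bank account", "purpose": "",
        "storage_location": "hrdb.employees on srv-eu-01", "protections": "TDE, role-based access",
        "shared_with": "unknown", "retention": "?"}),
    InventoryRecord("Legacy CRM", "it.ops", date(2015, 3, 1), {
        "data_elements": "customer name, email", "purpose": "marketing",
        "storage_location": "crm-legacy share", "protections": "file ACLs",
        "shared_with": "none", "retention": "n/a"}),
]
```

Running `follow_up_plan(SAMPLE_RECORDS)` yields one list per owner, which is exactly the set of face-to-face follow-ups and quarterly reminders the coordinating group needs to schedule.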

Using the inventory

Data inventories can certainly be used for compliance decisions such as those that will be needed with the Privacy Shield. The inventories can also be used to support other decisions, such as those made if (when?) a data breach occurs.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 5, 2016 by Bob Siegel