Privacy Ref Blog

EU-US Privacy Shield is coming. Now what?

There seems to be a light at the end of the tunnel for organizations previously exporting personal information from the EU to the US under Safe Harbor: the EU-US Privacy Shield. Unfortunately, the details of Privacy Shield are not yet available, so what is a privacy officer to do to prepare for utilizing the new agreement?

Take inventory

Whatever Privacy Shield requires of organizations, it is a sure bet that you will need to know what EU personal data you are collecting and exporting to the US. You will also need to know how it is protected, processed, shared, and destroyed. This information will allow you to make the determination of whether your organization will be Privacy Shield compliant or if some remediation is required.

How is a data inventory established?

The process of creating a data inventory can be tedious and time-consuming. If your organization does not have one, there are various approaches to collecting the information.

One method is to create a survey to ask process and application owners about the data they use. The data owners will come from various parts of your organization. Each will have their own frame of reference, so they will all interpret the questions in the survey a bit differently. For example, consider asking the question “where is the data stored?” of a business department manager and an IT manager. One will say “in a database” while the other might respond with a table name in the database or a server name.

To address this, the person or group coordinating the inventory will need to be readily available to those filling out the survey, and to reach out to them proactively rather than waiting for questions. Interim check-ins with the respondents to review their survey responses will improve the quality and uniformity of the responses.

The most common data inventory survey answer: “I don’t know”

A difficulty that a survey approach must overcome is the depth of knowledge required of the respondents. You are trying to get a wide variety of characteristics about the data items that a single person may not have. A business manager, for example, will generally not know much about data storage, protections, or sharing. These folks know the applications meet their processing needs and rely on other organizations for storage and protections. Similarly, an IT person may not know why the data is collected or what roles access the information; that is a business concern.

Legacy applications present another concern. The knowledge of how a business process or application works has often walked out the door with a departing employee, even when documentation is up to date.

So, the most common answer to a survey question may easily turn out to be “I don’t know”. This will require the group managing the survey process to encourage respondents to reach out to other groups or individuals. Alternatively, the coordinating group may follow up with face-to-face meetings to gather the information.

Keeping the data inventory up-to-date

Reviewing the survey information and placing it in a format that is useful is a discussion left for another day. However, once the inventory is created, it is vital that it be kept current.

To keep the information current, simply send the inventory information you have collected to each data owner on a quarterly basis, requesting that they provide updates.

Using the inventory

Data inventories can certainly be used for compliance decisions such as those that will be needed with the Privacy Shield. The inventories can also be used to support other decisions, such as those made if (when?) a data breach occurs.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 5, 2016 by Bob Siegel