Privacy Ref Blog

EU-US Privacy Shield is coming. Now what?

There seems to be a light at the end of the tunnel for organizations previously exporting personal information from the EU to the US under Safe Harbor, the EU-US Privacy Shield. Unfortunately the details of Privacy Shield are not yet available, so what is a privacy officer to do to prepare for utilizing the new agreement?

Take inventory

Whatever Privacy Shield requires of organizations, it is a sure bet that you will need to know what EU personal data you are collecting and exporting to the US. You will also need to know how it is protected, processed, shared, and destroyed. This information will allow you to make the determination of whether your organization will be Privacy Shield compliant or if some remediation is required.

How is a data inventory established?

The process of creating a data inventory can be tedious and time-consuming. If your organization does not have one, there are various approaches to collecting the information.

One method is to create a survey to ask process and application owners about the data they use. The data owners will come from various parts of your organization. Each will have their own frame of reference, so they will all interpret the questions in the survey a bit differently. For example, consider asking the question “where is the data stored?” of a business department manager and an IT manager. One will say “in a database” while the other might respond with a table name in the database or a server name.

To address this, the person or group coordinating the inventory will need to be readily available to those filling out the survey, and to reach out to them proactively rather than waiting for questions. Interim check-ins with the respondents to review their survey responses will improve the quality and uniformity of the responses.

The most common data inventory survey answer: “I don’t know”

A difficulty that a survey approach must overcome is the depth of knowledge required of the respondents. You are trying to gather a wide variety of characteristics about the data items that no single person may have. A business manager, for example, will generally not know much about data storage, protections, or sharing. These folks know that the applications meet their processing needs and rely on other groups for storage and protections. Similarly, an IT person may not know why the data is collected or which roles access the information; that is a business concern.

Legacy applications present another concern. The knowledge of how a business process or application works has often walked out the door with a departing employee, even when the documentation is up-to-date.

So, the most common answer to a survey question may easily turn out to be “I don’t know”. This will require the group managing the survey process to encourage respondents to reach out to other groups or individuals. Alternatively, the coordinating group may follow up with face-to-face meetings to gather the information.

Keeping the data inventory up-to-date

Reviewing the survey information and placing it in a format that is useful is a discussion left for another day. However, once the inventory is created, it is vital that it be kept current.

To keep the information current, simply send the inventory information you have collected to each data owner on a quarterly basis, requesting that they provide updates.

Using the inventory

Data inventories can certainly be used for compliance decisions such as those that will be needed with the Privacy Shield. The inventories can also be used to support other decisions, such as those made if (when?) a data breach occurs.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on February 5, 2016 by Bob Siegel