Safe Harbor Isn’t Over: Steps You Can Take

By Frank Krieger, February 8, 2016
As was covered previously, a replacement for Safe Harbor is tentatively in place: the EU-U.S. Privacy Shield, which is now being reviewed for approval by the Article 29 Working Party. We also know that there are already parties preparing to challenge the new framework in the EU courts, which may result in another nullification if the courts find that the privacy concerns raised against Safe Harbor are still not addressed.

Organizations should watch this very carefully and track it as a very real risk. One of the main functions of good compliance and IT governance is risk mitigation. Below are some easy steps that will help keep your options open if the new framework runs into trouble as well.

While the framework is being approved and formalized, and as we all wait for the inevitable legal challenges to it, organizations should be preparing mitigation plans. We have a reprieve and should use it to mitigate risk; another breakdown of the legal basis for transatlantic data transfers would be crippling to organizations that have not prepared.

Start by understanding where your organization's data resides, so that you can address data sovereignty and the scope of information you collect. Question:

  • Where is your Cloud Vendor storing your data?
  • Does it "float" between geographic regions, or is it pinned to one?
  • Is its location under your control or under the control of the Cloud Vendor?
And then act:

  • Reduce analytics and broad data collection to only what is required to provide your services.
  • Ensure you have clear privacy notices and policies in place.
  • Inform customers, and get their approval, before using their personal information. That means being honest about what you plan to do with the data you collect.
  • Be cognizant of where this data is being stored.
  • Review any subcontracted services to ensure they also conform to your agreements. Don't get caught on the wrong side of an audit because your Cloud Vendor, or its own vendors, are not contractually bound to handle data to the same standards as your organization.
If we know there is a risk of another framework breakdown, why not segment the data by region now, where it is feasible?

iland takes data sovereignty very seriously, not just for our own internal functions but also for those of our customers. We take it so seriously that we have customer-facing Compliance and Security departments that do nothing but work to ensure that customers' compliance and security requirements are met, not just at the Cloud Vendor level but also within the customer's own organization.

With many cloud providers, you'd be lucky to get a copy of their auditor reports. Would they be willing to help you perform your governance reviews, or sit next to you during an audit? Ask.

This week's news was very welcome: we have a tentative agreement and a roadmap in place with Privacy Shield! Just remember that we still have an identified risk, and some relatively easy steps can be taken to reduce it. Talk with your Compliance and Legal teams, and with your Cloud Vendor's Compliance department, to see how they address these concerns, how they can demonstrate adherence to the new Privacy Shield framework, and what they are doing to mitigate the risk of its collapse. And talk to us here at iland!
Frank Krieger

With a career in IT spanning 16 years and over 10 years of ITIL and compliance background, Frank Krieger manages the iland compliance office in the company's Houston headquarters. Frank received his degree in Computer Information Systems from Northern Michigan University and has an extensive background in enterprise ITIL and compliance, including managing service organizations for Fortune 10 companies. Frank has held ITIL Practitioner status and is currently a certified ITIL Expert. These achievements represent not only an in-depth understanding of process and service management, but also extensive compliance knowledge. When not busy poring over frameworks and audit requirements, he spends his time traveling with his wife, Jacque, playing with his corgi, and playing Minecraft, of which he is an avid fan.