Post Safe Harbor … Next Steps for EU Organisations
15th October 2015
Updated 31.07.2020 … see below
Over the last few weeks, you’ve probably seen ongoing discussions about the European Court of Justice (ECJ) declaring that the US “Safe Harbor” agreement used by more than 4,000 companies is now invalid.
If you are based in the EU, why might this be relevant to you and your Information Security Management System? In the increasingly cloud-based world in which we work, many companies are likely to have at least some exposure to software or services supplied by a US-based provider, whether for finance, data storage, telecoms, HR or some other purpose. This also includes most of the common social media platforms, including Facebook, Twitter and LinkedIn, which may be used for marketing or customer service activities. Such providers self-certified under the US Safe Harbor framework, which was designed to provide reassurance about transfers of personal data between the European Union and the USA.
Not any more. The ECJ highlighted a number of concerns in its judgement, including the lack of an acceptable complaints mechanism for EU citizens and the potential for US intelligence services to access EU citizens’ data.
Now is a timely moment for EU organisations to review and understand where their data is. Once you understand the suppliers involved, seek to identify where their physical data centres and support locations are, and from there understand the data protection frameworks. It may be that your data is non-personal or of low sensitivity in which case you may not be too concerned about understanding these characteristics, but if it does include personal, financial or commercially confidential information then your organisation should take an informed decision on where this data should reside.
We expect that the number of US Corporations opening up EU-based data centres in the near future is likely to increase as a direct result of this judgement.
If you have (or are working towards) ISO27001 certification for information security, this news should have you reaching for your risk assessments to ensure that they remain an accurate representation of your post-Safe Harbor decisions. The recently introduced ISO27018 code of practice for protecting personal data in public cloud services gives organisations a sensible means to understand and record the relevant outputs of this discussion, from the location of physical data centres and support locations to the data protection and legislative frameworks that apply.
The InfoSaaS risk management solution is already aligned to ISO27001:2013 and additionally includes relevant threats and controls from ISO27018:2014, the code of practice for personal data in the cloud. If you’re seeking a more effective method to keep your organisation’s valuable data assets safe – including ensuring that they are not being unwittingly exposed to unacceptable data protection regimes or surveillance in other jurisdictions – take a look at our software demo.
And, before anyone asks, we’re a UK-registered company using UK-based data centres! Our international customers can choose between our UK solutions or request an in-territory installation, which may better align with the specific regulatory requirements of the countries in which they operate.
Update 31.07.2020: So, another chapter is upon us courtesy of “Schrems II”, with Privacy Shield invalidated by the ECJ (European Court of Justice) in July 2020. Whilst the UK and the European Union decide on the best approach to replace it, take a look at the latest guidance from the ICO here.