Data Without Borders                                                                                                                                                                  Page 1 of 3



Data Without Borders

With employees and customers in multiple countries, IT managers must answer to a web of privacy laws to keep international data legal.

by Minda Zetlin, February 2012


A company that provides online wellness services landed a contract with a major company with offices in Spain, Germany, and France. It was the kind of sale every executive dreams of. But it came with some very big headaches, too. “Now they’ve got this problem where they have to abide by the privacy regulations in each of these three countries and register with the regulators there,” says Stuart Buglass, director of human capital consulting at Nair & Co., which advises companies on international expansion. The wellness company had walked right into one of the most challenging aspects of international business today: data and privacy laws across international borders.

The challenges are considerable. Throughout the world, an evolving mosaic of privacy laws dictates how data must be handled. At issue is personally identifiable information (PII) that can be traced to an individual person (such as name, address, ID number, and job title). Most experts agree that the most stringent data protection laws are found in the European Union (EU), where the Data Privacy Directive governs all PII use. In general, a company able to deal effectively with the provisions of the EU directive will likely be able to handle privacy laws in other jurisdictions as well.

Although the provisions of the Data Privacy Directive hold across the EU, anyone collecting data on European residents must follow the laws of an individual’s country of residency as well—and those laws differ among EU member states. It might seem logical to find the strictest EU privacy laws and comply with those, but the laws are different enough to make that approach impractical.

“You can’t have a broad sweep of standards that will satisfy all the different types of legislation,” Buglass says. “You have to actually identify where the data subjects are and which specific legislation applies to them.”

Complex Relations

One of the EU’s eight “enforceable principles” for privacy protection is that data must not be transferred to countries without adequate legal protection. But that raises the question of what constitutes a data transfer. From a privacy and security standpoint, it makes little difference whether an employee’s name is sent through a network and stored on a server in, say, Russia, or whether a hacker from Russia goes through that same network to view the data while it resides on a server in France. And indeed, the EU defines access to data as a form of transfer, for privacy purposes.

While many experts recommend leaving European data in Europe, that strategy is not sufficient to ensure compliance with the law. And it can create unexpected challenges for Americans accustomed to different privacy rules. “Something as innocuous as a personnel directory that can be accessed by company staff outside of Europe can create a problem,” notes Lisa Sotto, head of the privacy and information management practice at Hunton & Williams, a law firm with expertise in intellectual property and international business.

To make matters worse, international laws may conflict with each other, especially when it comes to keeping data. In general, European laws require companies to destroy PII as soon as its utility has expired. But in the United States, laws may dictate a different retention period. “If you’ve got a U.S.-based company dealing with data from another country, there may be a conflict,” says Jimma Elliott-Stevens, director of risk assurance services at PwC, a global professional services firm.

Meanwhile, the list of nations with strict laws governing the use of PII is growing. In 2011, Costa Rica became the seventh Latin American country to regulate this data. India’s data privacy laws, amended in 2008, are strong enough to draw criticism from U.S. multinationals.

But for nations outside the EU, stricter data privacy laws can be good for business. The European Commission has recognized a handful of countries with adequate data privacy protections—among them Canada and Argentina. Data can be transferred to (or accessed from) countries with laws that offer similar protections to the EU directive.

http://www.oracle.com/us/corporate/profit/features/010312-data-1447091.html    2/3/2012
“It’s interesting to note that a lot of countries coming up with robust sets of legislation are those where there’s a lot of offshoring,” Buglass notes. “India’s privacy law is probably even more robust than that in the EU. It isn’t yet a trusted third country, but if India’s government can prove it can actually enforce these rules, it may be soon.”

However, the chance of the U.S. gaining the status of a trusted third country is virtually nil. The American approach is to have different regulations apply in different industries (for instance, the healthcare industry is subject to the Health Insurance Portability and Accountability Act, more commonly known as HIPAA) and different states.

“I think the U.S. would have to crumble and be rebuilt to change its entire sectoral approach to regulations,” Elliott-Stevens says. “The U.S. cares about data privacy, and we do have strict laws and regulatory bodies in place. But the way we deal with it is to find commonalities and start there. We negotiate and leverage relationships.”

Crossing Borders

So what are the options for U.S. companies with employees in countries with stricter privacy laws? One way is to keep all personal data within the country or jurisdiction where it is obtained and prevent any access from outside. Another would be to find a way to certify that data transferred outside the jurisdiction will adhere to local legal strictures. (See “Gaining Customer Consent.”)

The first of these options may be the right choice for many multinational companies. Privacy laws do not prevent managers from accessing sales and performance data from outside a territory, as long as IT ensures that PII, such as a customer phone number or employee attendance history, isn’t involved. “Maintaining local management of data is the perfect solution,” Buglass says. “If you haven’t got the luxury of doing that, try to limit the data transfers to certain countries. The risk, obviously, is when you can’t keep track of the data—for instance, if you have a cloud server that jumps from country to country to take advantage of available storage.” Some companies are coping with this by setting up EU-only clouds, he adds.

For managers who do need to transfer PII among jurisdictions, there are legal frameworks that make this possible. One is the Safe Harbor arrangement, in which U.S. companies certify that they will abide, for example, by the EU directive when handling PII from an EU country. However, since the EU is counting on the U.S. Federal Trade Commission (FTC) to enforce the Safe Harbor provisions, this option is only available to companies regulated by the FTC. Safe Harbor has been in place for more than a decade, and so far roughly 2,000 U.S. companies have signed on.

A second, more difficult option is Binding Corporate Rules, a legal framework in which companies certify that they have put in place corporate rules protecting the privacy of PII. Though created as an alternative to Safe Harbor and model contracts (see below), Binding Corporate Rules is a difficult choice, Sotto says, because it requires getting specific approval for your rules from some individual countries. While many EU countries’ data protection authorities will recognize the blessing of another country’s authority, some EU countries will not. “It’s very hard to implement,” she says.

A third solution is to use the model contracts provision of the EU privacy directive. In this case, a contract between European and non-European entities requires the non-European entity to protect the privacy of personal data, Sotto says. Since the European subsidiary of a multinational company is nearly always created as a separate legal entity, the two can sign a binding contract that fulfills the data transfer requirements of the EU privacy directive.

“For these solutions, you need to understand the relevant data flows within your company,” Sotto says. “What you’re collecting, the use to which you’re putting the data, and who will have access to it. And ultimately, how and when you will dispose of it.”

The Role of IT

Inevitably, compliance with global data privacy laws falls to IT—but industry best practices can help.

Know your data. Having a precise understanding of the data you have is an essential first step, according to Carolyn Holcomb, partner, risk assurance services, at PwC. “Think about every data element that could be used to identify an individual,” she says. “If you put them all together, there are somewhere in the neighborhood of 60 different elements that are common across the different privacy laws. Make a list of all those data points, and then do a data inventory. Find out exactly where the data resides and what countries it comes from.”

Don’t take what you don’t need. “Another practical solution is not to collect the data,” Holcomb says. Of course every company collects some PII from customers and employees. But many have the mindset that the more data they can collect—especially from customers—the better. While that data can be useful for market research, it will make following international data laws much harder.

Consider privacy when planning cloud implementations. Buglass notes that cloud providers often move data around among different hosting companies. To address this problem, some are providing EU-only cloud solutions. But that’s not the only option, he says. “If it’s a U.S.-based cloud company, it should be a Safe Harbor adherent, and it should certify that the data won’t go beyond U.S. shores. Yet another option is to bind the cloud vendor with a contract that requires it to treat PII in accordance with the EU directive. But remember that the company that first accepted the data is still legally responsible for what happens to it if the vendor fails to abide by the contract.”

Manage international data in a GRC plan. “The same risk tools that help you from being fined for regulatory violations can also help you with the bottom line for reasons unrelated to compliance,” notes Sid Sinha, senior director of governance, risk, and compliance (GRC) product management at Oracle. The same solutions used for compliance with important regulations can also eliminate process errors like finding incorrect or duplicate payments.

Oracle GRC applications aid compliance with international privacy laws, as well as U.S., local, and industry regulations and audit requirements. A great time to think about GRC is at the start of a major deployment or upgrade, Sinha adds. “If you’re implementing a new system and defining business processes, that is an ideal opportunity not only to minimize the long-term cost of compliance but to proactively manage the risk of a global IT project. What we hear from many Oracle GRC customers is that they wish they had started sooner and incorporated GRC before they rolled their new system out.”

Indeed, tackling international privacy laws in the context of an enterprise resource planning (ERP) system will make the process as painless as possible, says Michael Baccala, partner, risk assurance services, at PwC. “When I think about using technology to deal with these challenges, an ERP solution such as Oracle’s is much better than trying to do it with a legacy or homegrown system,” Baccala says. “Clients with older or unique systems struggle more, as [those systems] are typically not as well integrated with each other. With an ERP solution such as Oracle’s, you have more-consistent controls and more-global enforcement. And once you understand the legally required process, the technology is there to support it.”


Minda Zetlin is coauthor of The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006).





More Related Content

PPTX
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
PDF
Perspec sys knowledge_series__solving_privacy_residency_and_security
PPSX
PDF
2 7-2013-big data and e-discovery
PDF
Data Sovereignty and the Cloud
PDF
Meeting the challenges of big data
PDF
TITUS Metadata Security for SharePoint - Moray Council Case Study
PDF
Storage Made Easy solution to fragmented data
Taxonomy Management, Automatic Metadata Tagging & Auto Classification in Shar...
Perspec sys knowledge_series__solving_privacy_residency_and_security
2 7-2013-big data and e-discovery
Data Sovereignty and the Cloud
Meeting the challenges of big data
TITUS Metadata Security for SharePoint - Moray Council Case Study
Storage Made Easy solution to fragmented data

What's hot (20)

PDF
Data protection guide
PDF
GDPR: Time to Act
PDF
The Evolution of Data Privacy: 3 Things You Need To Consider
PDF
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
PDF
Microsoft Azure and the EU GDPR
PPTX
Electronic data & record management
PDF
The Effective eDocument Retention Program - Policies, Processes and Solutions
PDF
Frukostseminarium om molntjänster
PPTX
Cloud
PDF
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
PDF
Data Protection Magazine
PDF
GDPR and Analytics
PPTX
Is There Sun Behind Those Clouds
PPT
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
PDF
Data goverance two_8.2.18 - copy
PPTX
GDPR & digital strategy
PDF
Protecting Data Privacy Beyond the Trusted System of Record
PPTX
earlegal #8 - Données à caractère personnel, anonymisation/pseudonymisation ?
PPT
Understanding Minimizing And Mitigating Risk In Cloud Computing
PDF
88 privacy breaches (sample book) 15 apr
Data protection guide
GDPR: Time to Act
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
Microsoft Azure and the EU GDPR
Electronic data & record management
The Effective eDocument Retention Program - Policies, Processes and Solutions
Frukostseminarium om molntjänster
Cloud
Www.ico.org.uk ~ media_documents_library_data_protection_practical_applicatio...
Data Protection Magazine
GDPR and Analytics
Is There Sun Behind Those Clouds
C:\Fakepath\Cloud Computing Mitigating Risk Fmb 0110
Data goverance two_8.2.18 - copy
GDPR & digital strategy
Protecting Data Privacy Beyond the Trusted System of Record
earlegal #8 - Données à caractère personnel, anonymisation/pseudonymisation ?
Understanding Minimizing And Mitigating Risk In Cloud Computing
88 privacy breaches (sample book) 15 apr
Ad

Similar to Data Without Borders (20)

PDF
Health Data Encryption: The Seven Principals of Privacy
PDF
E-Business Suite 2 _ Ben Davis _ Achieving outstanding optim data management ...
PDF
Prepare For Breaches Like a Pro
PDF
Integrating Information Protection Into Data Architecture & SDLC
PPTX
On Demand Cloud Services Coury
PDF
Breached! The First 48
PPTX
Best Practice For Public Sector Information Security And Compliance
PDF
Privacy trends 2011
PDF
Keeping Information Safe: Privacy and Security Issues
PDF
OIA administration
PDF
How to Secure Your Files with DLP and FAM
PPT
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
PDF
Information builders gartner mdm - barcelona 2-7-2013
PPT
Data breach protection from a DB2 perspective
PDF
Magazine Feature
PPTX
Information governance process & technology
PDF
3 guiding priciples to improve data security
PDF
Data Breaches Preparedness (Credit Union Conference Session)
PPT
Building an Effective Identity Management Strategy
PDF
Managing Consumer Data Privacy
Health Data Encryption: The Seven Principals of Privacy
E-Business Suite 2 _ Ben Davis _ Achieving outstanding optim data management ...
Prepare For Breaches Like a Pro
Integrating Information Protection Into Data Architecture & SDLC
On Demand Cloud Services Coury
Breached! The First 48
Best Practice For Public Sector Information Security And Compliance
Privacy trends 2011
Keeping Information Safe: Privacy and Security Issues
OIA administration
How to Secure Your Files with DLP and FAM
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Information builders gartner mdm - barcelona 2-7-2013
Data breach protection from a DB2 perspective
Magazine Feature
Information governance process & technology
3 guiding priciples to improve data security
Data Breaches Preparedness (Credit Union Conference Session)
Building an Effective Identity Management Strategy
Managing Consumer Data Privacy
Ad

More from Nair and Co. (20)

PDF
Sweden Proposes Budget 2014
PDF
Russia Adopts Amended Tax Code
PDF
India Enacts Further Sections of the Companies Act, 2013
PDF
Vietnam Amends Tax, Labour and VAT Regulations
PDF
India Announces New Corporate Social Responsibility Rules
PDF
United Kingdom – Budget 2014 Announced
PDF
Philippines Introduces New Permit for 9(g) Pre-arranged Employment Visa Appli...
PDF
Argentina Clarifies Income Tax Provisions
PDF
China Eases Tax Exemption for E-commerce
PDF
Belgium Introduces Changes to Employment Law Regulations
PDF
Germany Updates Minimum Salary Qualifications for EU Blue Card Holders
PDF
Australia Increases Super (Superannuation Guarantee), the Required Employer R...
PDF
Belgium Changes Withholding Tax Rates
PDF
Sir Alan Collins to Honour “Magical Team” at The Churchill Club Awards Ceremony
PDF
Australia Announces Changes to Unfair Dismissal Related Thresholds
PDF
South Korea Enacts Tax Revision Bill: Update from International Tax Complianc...
PDF
Australian Federal Court Clarifies that Reasonable Performance Management is ...
PDF
India Notifies Rules for ‘Voluntary Compliance Encouragement Scheme’: Update ...
PDF
India passes finance bill for 2013 14- updates from international tax consult...
PDF
Argentina Introduces New Systems for Recording Overseas Payments: Update from...
Sweden Proposes Budget 2014
Russia Adopts Amended Tax Code
India Enacts Further Sections of the Companies Act, 2013
Vietnam Amends Tax, Labour and VAT Regulations
India Announces New Corporate Social Responsibility Rules
United Kingdom – Budget 2014 Announced
Philippines Introduces New Permit for 9(g) Pre-arranged Employment Visa Appli...
Argentina Clarifies Income Tax Provisions
China Eases Tax Exemption for E-commerce
Belgium Introduces Changes to Employment Law Regulations
Germany Updates Minimum Salary Qualifications for EU Blue Card Holders
Australia Increases Super (Superannuation Guarantee), the Required Employer R...
Belgium Changes Withholding Tax Rates
Sir Alan Collins to Honour “Magical Team” at The Churchill Club Awards Ceremony
Australia Announces Changes to Unfair Dismissal Related Thresholds
South Korea Enacts Tax Revision Bill: Update from International Tax Complianc...
Australian Federal Court Clarifies that Reasonable Performance Management is ...
India Notifies Rules for ‘Voluntary Compliance Encouragement Scheme’: Update ...
India passes finance bill for 2013 14- updates from international tax consult...
Argentina Introduces New Systems for Recording Overseas Payments: Update from...

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
KodekX | Application Modernization Development
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
MYSQL Presentation for SQL database connectivity
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
cuic standard and advanced reporting.pdf
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Machine learning based COVID-19 study performance prediction
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Encapsulation theory and applications.pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
The AUB Centre for AI in Media Proposal.docx
Understanding_Digital_Forensics_Presentation.pptx
Agricultural_Statistics_at_a_Glance_2022_0.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
KodekX | Application Modernization Development
The Rise and Fall of 3GPP – Time for a Sabbatical?
MYSQL Presentation for SQL database connectivity
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Digital-Transformation-Roadmap-for-Companies.pptx
Chapter 3 Spatial Domain Image Processing.pdf
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Advanced methodologies resolving dimensionality complications for autism neur...
cuic standard and advanced reporting.pdf
20250228 LYD VKU AI Blended-Learning.pptx
Encapsulation_ Review paper, used for researhc scholars
Machine learning based COVID-19 study performance prediction
Dropbox Q2 2025 Financial Results & Investor Presentation
Encapsulation theory and applications.pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf

Data Without Borders

  • 1. Data Without Borders Page 1 of 3 ( Sign In/Register for Account | Help ) United States Communities I am a... I want to... Secure Search Products and Services Solutions Downloads Store Support Training Partners About Oracle Technology Network About Profit Magazine Features Profit Magazine For More Information Features Oracle Governance, Risk, and Compliance Solutions Opinion Oracle Master Data Management Solutions Multimedia Gaining Customer Consent Partner News Close Oracle Magazine Archives Profit Magazine Archives Subscribe Write the Editors Data Without Borders With employees and customers in multiple countries, IT Submit an Article managers must answer to a web of privacy laws to keep Advertise international data legal. by Minda Zetlin, February 2012 A company that provides online wellness services landed a contract with a major company with offices in Spain, Germany, and France. It was the kind of sale every executive dreams of. But it came with some very big headaches, too. “Now they’ve got this problem where they have to abide by the privacy regulations in each of these three countries and register with the regulators there,” says Stuart Buglass, director of human capital consulting at Nair & Co., which advises companies on international expansion. The wellness company had walked right into one of the most challenging aspects of international business today: data and privacy laws across international borders. The challenges are considerable. Throughout the world, an evolving mosaic of privacy laws dictate how data must be handled. At issue is personally identifiable information (PII) that can be traced to an individual person (such as name, address, ID number, and job title). Most experts agree that the most-stringent data protection laws are found in the European Union (EU), where the Data Privacy Directive governs all PII use. 
In general, a company able to deal effectively with the provisions of the EU directive will likely be able to handle privacy laws in other jurisdictions as well. Although the provisions of the Data Privacy Directive hold across the EU, anyone collecting data on European residents must follow the laws of an individual’s country of residency as well—and those laws differ among EU member states. It might seem logical to find the strictest EU privacy laws and comply with those, but the laws are different enough to make that approach impractical. “You can’t have a broad sweep of standards that will satisfy all the different types of legislation,” Buglass says. “You have to actually identify where the data subjects are and which specific legislation applies to them.” Complex Relations One of the EU’s eight “enforceable principles” for privacy protection is that data must not be transferred to countries without adequate legal protection. But that raises the question of what constitutes a data transfer. From a privacy and security standpoint, it makes little difference whether an employee’s name is sent through a network and stored on a server in, say, Russia, or whether a hacker from Russia goes through that same network to view the data while it resides on a server in France. And indeed, the EU defines access to data as a form of transfer, for privacy purposes. While many experts recommend leaving European data in Europe, that strategy is not sufficient to ensure compliance with the law. And it can create unexpected challenges for Americans accustomed to different privacy rules. “Something as innocuous as a personnel directory that can be accessed by company staff outside of Europe can create a problem,” notes Lisa Sotto, head of the privacy and information management practice at Hunton & Williams, a law firm with expertise in intellectual property and international business. 
To make matters worse, international laws may conflict with each other, especially when it comes to keeping data. In general, European laws require companies to destroy PII as soon as its utility has expired. But in the United States, laws may dictate a different retention period. “If you’ve got a U.S.-based company dealing with data from another country, there may be a conflict,” says Jimma Elliott-Stevens, director of risk assurance services at PwC, a global professional services firm.

Meanwhile, the list of nations with strict laws governing the use of PII is growing. In 2011, Costa Rica became the seventh Latin American country to regulate this data. India’s data privacy laws, amended in 2008, are strong enough to draw criticism from U.S. multinationals. But for nations outside the EU, stricter data privacy laws can be good for business. The European Commission has recognized a handful of countries with adequate data privacy protections—among them Canada and Argentina. Data can be transferred to (or accessed from) countries with laws that offer similar protections to the EU directive.

http://www.oracle.com/us/corporate/profit/features/010312-data-1447091.html 2/3/2012

“It’s interesting to note that a lot of countries coming up with robust sets of legislation are those where there’s a lot of offshoring,” Buglass notes. “India’s privacy law is probably even more robust than that in the EU. It isn’t yet a trusted third country, but if India’s government can prove it can actually enforce these rules, it may be soon.”

However, the chances of the U.S. gaining the status of a trusted third country are virtually nil. The American approach is to have different regulations apply in different industries (for instance, the healthcare industry is subject to the Health Insurance Portability and Accountability Act, more commonly known as HIPAA) and different states. “I think the U.S. would have to crumble and be rebuilt to change its entire sectoral approach to regulations,” Elliott-Stevens says. “The U.S. cares about data privacy, and we do have strict laws and regulatory bodies in place. But the way we deal with it is to find commonalities and start there. We negotiate and leverage relationships.”

Crossing Borders

So what are the options for U.S. companies with employees in countries with stricter privacy laws? One way is to keep all personal data within the country or jurisdiction where it is obtained and prevent any access from outside. Another would be to find a way to certify that data transferred outside the jurisdiction will adhere to local legal strictures. (See “Gaining Customer Consent.”)

The first of these options may be the right choice for many multinational companies. Privacy laws do not prevent managers from accessing sales and performance data from outside a territory, as long as IT ensures that PII, such as a customer phone number or employee attendance history, isn’t involved.
“Maintaining local management of data is the perfect solution,” Buglass says. “If you haven’t got the luxury of doing that, try to limit the data transfers to certain countries. The risk, obviously, is when you can’t keep track of the data—for instance, if you have a cloud server that jumps from country to country to take advantage of available storage.” Some companies are coping with this by setting up EU-only clouds, he adds.

For managers who do need to transfer PII among jurisdictions, there are legal frameworks that make this possible. One is the Safe Harbor arrangement, in which U.S. companies certify that they will abide, for example, by the EU directive when handling PII from an EU country. However, since the EU is counting on the U.S. Federal Trade Commission (FTC) to enforce the Safe Harbor provisions, this option is only available to companies regulated by the FTC. Safe Harbor has been in place for more than a decade, and so far roughly 2,000 U.S. companies have signed on.

A second, more difficult option is Binding Corporate Rules, a legal framework in which companies certify that they have put in place corporate rules protecting the privacy of PII. Though created as an alternative to Safe Harbor and model contracts (see below), Binding Corporate Rules is a difficult choice, Sotto says, because it requires getting specific approval for your rules from some individual countries. While many EU countries’ data protection authorities will recognize the blessing of another country’s authority, some EU countries will not. “It’s very hard to implement,” she says.

A third solution is to use the model contracts provision of the EU privacy directive. In this case, a contract between European and non-European entities requires the non-European entity to protect the privacy of personal data, Sotto says.
Since the European subsidiary of a multinational company is nearly always created as a separate legal entity, the two can sign a binding contract that fulfills the data transfer requirements of the EU privacy directive. “For these solutions, you need to understand the relevant data flows within your company,” Sotto says. “What you’re collecting, the use to which you’re putting the data, and who will have access to it. And ultimately, how and when you will dispose of it.”

The Role of IT

Inevitably, compliance with global data privacy laws falls to IT—but industry best practices can help.

Know your data. Having a precise understanding of the data you have is an essential first step, according to Carolyn Holcomb, partner, risk assurance services, at PwC. “Think about every data element that could be used to identify an individual,” she says. “If you put them all together, there are somewhere in the neighborhood of 60 different elements that are common across the different privacy laws. Make a list of all those data points, and then do a data inventory. Find out exactly where the data resides and what countries it comes from.”

Don’t take what you don’t need. “Another practical solution is not to collect the data,” Holcomb says. Of course every company collects some PII from customers and employees. But many have the mindset that the more data they can collect—especially from customers—the better. While that data can be useful for market research, it will make following international data laws much harder.

Consider privacy when planning cloud implementations. Buglass notes that cloud providers often move data around among different hosting companies. To address this problem, some are providing EU-only cloud solutions. But that’s not the only option, he says. “If it’s a U.S.-based cloud company, it should be a Safe Harbor adherent, and it should certify that the data won’t go beyond U.S. shores.
Yet another option is to bind the cloud vendor with a contract that requires it to treat PII in accordance with the EU directive. But remember that the company that first accepted the data is still legally responsible for what happens to it if the vendor fails to abide by the contract.”

Manage international data in a GRC plan. “The same risk tools that help you from being fined for regulatory violations can also help you with the bottom line for reasons unrelated to compliance,” notes Sid Sinha, senior director of governance, risk, and compliance (GRC) product management at Oracle. The same solutions used for compliance with important regulations can also eliminate process errors like finding incorrect or duplicate payments. Oracle GRC applications aid compliance with international privacy laws, as well as U.S., local, and industry regulations and audit requirements.

A great time to think about GRC is at the start of a major deployment or upgrade, Sinha adds. “If you’re implementing a new system and defining business processes, that is an ideal opportunity not only to minimize the long-term cost of compliance but to proactively manage the risk of a global IT project. What we hear from many Oracle GRC customers is that they wish they had started sooner and incorporated GRC before they rolled their new system out.”

Indeed, tackling international privacy laws in the context of an enterprise resource planning (ERP) system will make the process as painless as possible, says Michael Baccala, partner, risk assurance services, at PwC. “When I think about using technology to deal with these challenges, an ERP solution such as Oracle’s is much better than trying to do it with a legacy or homegrown system,” Baccala says. “Clients with older or unique systems struggle more, as [those systems] are typically not as well integrated with each other. With an ERP solution such as Oracle’s, you have more-consistent controls and more-global enforcement. And once you understand the legally required process, the technology is there to support it.”

Minda Zetlin is coauthor of The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006).
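The “Know your data” practice above (list the PII elements, then inventory where each one resides and which country it comes from) and the earlier point that the EU treats remote access as a form of transfer can be turned into a small, repeatable check. The Python below is an added example, not code from the article, Oracle, or PwC. The PII field list is an illustrative sample rather than the roughly 60 elements Holcomb mentions, the records are constructed, the EU member set is deliberately incomplete, and the adequacy set contains only the two countries the article names (Canada and Argentina); all of these are configuration for the illustration, not a legal reference.

```python
"""PII inventory and cross-border access check over constructed records.

Added example, not the article's or Oracle's code. PII_FIELDS, EU_STATES,
ADEQUATE and SAMPLE_RECORDS are constructed illustrations.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed subset of fields treated as personally identifiable.
# The article cites roughly 60 elements common across privacy laws;
# this list is only a sample of such fields, not that catalogue.
PII_FIELDS: Set[str] = {
    "full_name", "email", "phone", "home_address", "date_of_birth",
    "national_id", "attendance_history", "salary",
}

# Illustrative, deliberately incomplete set of EU member states, and the
# two countries the article names as recognised by the European Commission
# as offering adequate protection. Treat both as configuration, not law.
EU_STATES: Set[str] = {"FR", "DE", "IE", "NL", "ES", "IT"}
ADEQUATE: Set[str] = {"CA", "AR"}

# Constructed sample export: one row per stored record, with the system it
# lives in, the country it is stored in, the data subject's country of
# residence, and the field names present.
SAMPLE_RECORDS: List[dict] = [
    {"system": "hr-db", "stored_in": "FR", "subject_country": "FR",
     "fields": {"full_name", "email", "attendance_history", "cost_centre"}},
    {"system": "crm", "stored_in": "US", "subject_country": "DE",
     "fields": {"full_name", "phone", "account_tier"}},
    {"system": "sales-rollup", "stored_in": "US", "subject_country": "DE",
     "fields": {"region", "quarterly_total"}},
    {"system": "hr-db", "stored_in": "IE", "subject_country": "CA",
     "fields": {"full_name", "salary"}},
]


def pii_fields(record: dict) -> Set[str]:
    """Return the fields of one record that appear on the PII list."""
    return set(record["fields"]) & PII_FIELDS


def inventory(records: Iterable[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Map subject country -> storage country -> PII elements held there.

    This is the data inventory step: for each country the data comes from,
    which PII elements exist and where they physically reside. Records that
    hold no PII (aggregate sales figures, for example) are left out.
    """
    result: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for rec in records:
        found = pii_fields(rec)
        if found:
            result[rec["subject_country"]][rec["stored_in"]] |= found
    return {subject: dict(places) for subject, places in result.items()}


def transfer_findings(records: Iterable[dict], accessor_country: str) -> List[str]:
    """List EU-subject PII records that leave the protected area.

    Because the EU counts access as a transfer, a record about an EU
    resident is flagged both when it is stored in, and when it would be
    read from, a country that is neither an EU state nor on the adequacy
    list. Records with no PII are never flagged, which is why managers can
    still read aggregate sales data from outside the territory.
    """
    findings: List[str] = []
    protected = EU_STATES | ADEQUATE
    for rec in records:
        found = pii_fields(rec)
        if not found or rec["subject_country"] not in EU_STATES:
            continue
        for country, how in ((rec["stored_in"], "stored in"),
                             (accessor_country, "accessed from")):
            if country not in protected:
                findings.append(
                    f"{rec['system']}: EU-subject PII {sorted(found)} {how} {country}")
    return findings


if __name__ == "__main__":
    for subject, places in inventory(SAMPLE_RECORDS).items():
        print(subject, {k: sorted(v) for k, v in places.items()})
    for line in transfer_findings(SAMPLE_RECORDS, accessor_country="US"):
        print("FINDING:", line)
```

Run against the constructed records, the inventory shows that German residents' PII sits only in the U.S.-hosted CRM, and the transfer check flags both that storage location and any read of the French HR data from a U.S. desk, while the aggregate sales roll-up and the Canadian employee record raise nothing. Swapping the accessor country for an EU or adequate one removes the access findings but leaves the storage finding in place, which is the distinction the article draws between where data resides and who can reach it.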