Restoring trust in transatlantic data flow

Up until very recently, you would be hard pressed to find senior executives discussing the idea of data regulations, data residency, data retention, and data governance, let alone actually doing something to address organisational gaps in these areas.

Much of this changed, arguably for the better, with Edward Snowden and his revelation that European governments were cooperating with the National Security Agency in a global surveillance program.

Since these revelations, talk of privacy and security has moved to the mainstream. Individuals are thinking about how secure their personal data is and organisations are worried about intellectual property being stolen, government requests for data and agreement on more stringent standards relating to how data is stored, exchanged, and protected. On a region-by-region basis, organisations are working to enact data governance plans to meet new regulations and protect against government overreach.

European governments are leading the way in these efforts. We recently saw the failure of the Safe Harbour framework and the creation of the EU-US ‘Privacy Shield’, a framework that is intended to govern transatlantic data flows and protect the rights of individual EU citizens, granting them redress options. Even more recently, the General Data Protection Regulation (GDPR) has been adopted and, while independent from Privacy Shield, GDPR should work in conjunction with Privacy Shield to protect individuals and create a strong framework for corporations that do business in the EU while ensuring data flows freely and unfettered by government agencies.

What’s important to know is that the Privacy Shield is still awaiting approval and the GDPR will not be enforced until 2018. The burden is on organisations to ensure they are compliant in time to continue their business operations in Europe. One of the ways to ensure compliance is with a strong data governance plan for the content produced by your organisation. Here are some key considerations for organisations of all sizes in selecting a content governance solution:

Regulations change over time and all the time

Whether multinational or not, organisations cannot afford to fall behind on current regulations. This requires a two-pronged strategy that involves having great legal counsel that can advise on all laws that apply and associated timelines. If you’re simply meeting with a lawyer every other year, your business is indeed on the path to noncompliance. The second consideration here is to not just sit around and hope your vendor abides. Businesses should always look to technology to help understand and mitigate risk and implement an in-house or cloud smart governance solution across all their vendors that abstract their service and can move content to another compliant one. This should act as a real-time filter allowing IT to monitor all data at all times to understand what may be impacted by regulations and when to take action.

If you’re global – think local

It’s great to look at the regions your company operates in holistically: Where should the data be stored? On premises? In the cloud? In country? In region? What’s the best mix? For which type of content? Once you analyse and classify your data with a clear action plan, you should decide on a local basis the policies that will be applied to each content type. We now do business in an environment where what’s considered compliance in one country may not necessarily be compliance in another or where files with personal information are treated differently than marketing collateral – this should be reflected in your policies across all your content. In order to mitigate your risk on a regional basis think about your providers and the ability to change over time and constantly look for the ones who provide insights and enforce polices on a regional and content type basis.

Choose a vendor that fits your needs

As your businesses evolves, so do vendors. The key is not to become locked-in – be able to move content across providers and always have an option to keep a portion or all of your content on-premises. Indeed worse comes to worse you can always have more control and higher customisation in your data center if not offered yet in the cloud.

Kris Lahiri, Chief Security Officer, Egnyte