This morning, the Privacy Shield rule was approved by the European Union (EU) with a target implementation date of next week. Privacy Shield replaces its predecessor, Safe Harbor, which was retired due to the perception of a lack of adequate data protection for EU citizens in the US. Compliance with Privacy Shield for US companies may require a change in operations.
Some foundational concepts in the pact are information security best practices, including:
- Data localization, which also requires the creation of robust business processes for the access and use of that data
- Compartmentalization of data access and use
- Least privilege – System users should be afforded the lowest access level they need to perform their function.
- Role-based security – The creation of standard profiles based on job function, and as individuals enter, change or leave positions, they are given the access capabilities commensurate with their job function.
Other implications of the pact are that it may:
- Require organizations to establish operations in the EU
- Mandate the hiring of local vendors for such things as marketing, selling and servicing
- Require companies to delete data after it has been used for its intended purpose
- Require third-party service providers that serve companies exposed to Privacy Shield to also meet the requirements of the regulation. The burden of proof will remain with the firm exposed to Privacy Shield, but the burden of performance will remain with the servicer
For more information on this topic, or to learn how Baker Tilly service specialists can help, contact our team.