Safe Harbour: no decision yet, but that shouldn't mean no action yet

Since the scrapping of Safe Harbour, businesses have been in limbo when it comes to data transfer, with many companies sitting tight until a decision is reached. But, says Michael Hack, that course of action isn't advisable.

Michael Hack, senior vice president of EMEA operations, Ipswitch

While the world waits for a new deal to be struck by the EU and US, what this means for businesses right now has been interpreted in various ways. Officials from the EU, such as Wojciech Wiewiorowski, the Assistant European Data Protection Supervisor (EDPS), Belgium, are keen to stress an agreement is close and will be achieved by the deadline of the end of January 2016.

Others have observed that although the EU and US seem in agreement on 11 of the 13 points, the points where their opinions diverge cut right to the heart of the issue: first, the right of US courts to inspect the data of US companies (regardless of whether it is about EU citizens), and second, the right of redress being only applicable to US citizens in the event of a breach.

The picture is further complicated by human rights and privacy organisations based in both the EU and the US. In an open letter to the European Commissioner for Justice, Consumers and Gender Equality and to the US Secretary of Commerce, they have already rejected Safe Harbour II, claiming it will not provide “a viable framework for future transfers of personal information”.

These concerns were raised in an open letter from organisations on both sides of the Atlantic to both the European Commissioner for Justice, Consumers and Gender Equality and to the US Secretary of Commerce.  For these groups to be satisfied, privacy legislation needs to be updated on both sides of the Atlantic.

If, despite the EU's optimism, a deal is not done, the EU's individual country data protection agencies have warned that they will not wait long after the January deadline to begin to take coordinated enforcement actions. In other words, businesses need to be ready for either outcome.

Amidst these competing opinions, businesses would be forgiven for sitting tight until a decision is reached. While understandable, here's why that course of action isn't advisable. 

Unless businesses review the way that they are processing, storing and moving data, it is unlikely that they will be compliant by the time an agreement has been reached. Similarly, the EU's blueprint for data privacy standards, the GDPR, comes into force in mid-2016. It is likely to entail a root-and-branch review of personal data handling and will also require significant preparatory legwork before firms can take action and declare themselves compliant.

So what can be done now? Businesses can set themselves up for success by undertaking the work that needs little external input from the legislators. Now is the time to assess the data flows in the organisation, including the use of US cloud-based data-sharing services like Dropbox. The point is not to implement knee-jerk changes now, but rather for organisations to understand exactly where they stand and be ready to act when further guidance is issued. Depending on a business's existing data transfer practices, the Safe Harbour decision could require deep-rooted changes and involve many departments within the organisation.

To give an insight into what companies have ahead of them, when we conducted a survey recently into how companies were gearing up for the data protection changes posed by the GDPR, the results revealed British businesses still had a lot to do. Our poll from September 2015 revealed 69 percent of companies believe they'll need to invest in technologies in order to help them process and store the data according to the new standards.  New technologies, new procedures, new training – these all require senior-level buy-in, budget approval and months if not years from conception to rollout.

The last area to tackle now is third parties and partner organisations that access a company's data and will therefore be affected. As well as vouching for data privacy in your own organisation, you will also need to be sure of the data handling procedures of third party partners, like internet, cloud or managed service providers. Service providers should proactively be demonstrating the steps they are taking to achieve compliance. For example, Microsoft's CEO, Satya Nadella, has sought to reassure UK customers in the wake of the Safe Harbour announcement.

Organisations should not underestimate the burden these kinds of legislation can represent. By focusing on the groundwork before the final details of Safe Harbour II are announced, firms can be quick off the mark in implementing and rolling out new procedures and policies. Done properly, the work carried out for Safe Harbour II compliance should stand them in good stead for the wider-ranging data privacy rules coming into force later in 2016.

Contributed by Michael Hack, senior vice president of EMEA operations, Ipswitch
