International data privacy regulations can be complex and ever-changing. The invalidation of the Safe Harbour agreement by the European Court of Justice, and the ongoing negotiations about its replacement, means than many companies are now forced to rethink their approach to information governance, without the certainty of knowing exactly which regulations they will need to comply with.
Classifying information that is subject to data privacy regulations, from information that is not, can be a difficult task, one that requires businesses to implement a sound information governance strategy. When done properly – by classifying content with the right metadata – complying with any change in the shifting regulatory landscape becomes a lot easier. Yet businesses attempting to implement the correct information governance platform can face difficulties. So what do organisations need to consider?
- The whole picture: Looking at just one system, such as emails or file shares, does not work. Organisations must consider all the information entering the enterprise and every touch point where data enters or leaves
- Co-operation: Business stakeholders and the IT department must co-operate on the implementation of the strategy to ensure it addresses new regulations without blocking business productivity
- Prepare to be flexible: Laws and regulations constantly change so organisations must prepare an information governance strategy in which both the policies and the data model itself can be flexible. If the data model is not flexible, businesses may be able to tweak policy but could be faced with the herculean task of reclassifying terabytes of existing data for new regulations
Beyond these considerations, businesses must also take the continued growth of cloud-based services into account when preparing to become compliant with data privacy laws. Choosing a cloud provider is no longer just about functionality, features and price. Data privacy is a key consideration, particularly as widespread adoption of consumer-grade software in the workplace, especially cloud-based services, has exploded over the last couple of years. Employees are using these consumer-grade services – such as Google Drive, Dropbox and Evernote – to boost productivity in the workplace but they can make it very difficult for companies to address data privacy regulations.
When choosing a cloud provider, IT and business professionals should ensure that the company can address data privacy requirements. With the invalidation of the “Safe Harbour” agreement – and the on-going negotiations between US and EU regulators over its replacement – the current regulatory environment in Europe is unclear. For this reason alone, organisations must ensure their cloud provider consistently maintains security procedures and protocols to protect all customer data and ensure compliance with current and future EU data privacy requirements. Many businesses may prefer to use a provider which can offer them a dedicated European data zone, with complete network segregation of all hardware and access levels. Whatever the end decision, a secure, global information management strategy must be a cornerstone of any corporate cloud adoption.
Whatever method businesses choose to solve the issue, action must be taken sooner rather than later. By avoiding the problem or tackling it in many different stages, organisations are opening themselves up to potentially huge penalties and fines. The reality is that most regulations do not require organisations to implement any dramatically new features in order to become compliant. They just require businesses to ensure a comprehensive information governance strategy is in place to monitor data and guarantee compliance with the shifting regulatory landscape.