DATA PRIVACY AND PROTECTION
5 Insights from the Experts
Data privacy and protection is a hot topic at the moment—and why wouldn’t it be? With major data breaches in the news nearly every day, the privacy of personal and business information is on the minds of companies across the globe. This eBook gathers data privacy and protection insights from internal Iron Mountain experts, along with external experts on the subject. It addresses a wide range of issues, from what information managers should learn from new European guidelines, to what your IT team needs to know about retention.
• Safe Harbour Ruling Highlights Discrepancies Between European and U.S. Data Privacy Laws (page 3)
• Personal Data is Not a Commodity (page 5)
• How Do New Data Privacy Laws Affect Records Managers? (page 7)
• 5 Things Your IT Team Needs to Know about Data Privacy (page 8)
• 5 Steps To Defining Your Retention Policies (page 10)
• Conclusion (page 12)
SAFE HARBOUR RULING HIGHLIGHTS DISCREPANCIES BETWEEN EUROPEAN AND U.S. DATA PRIVACY LAWS
MICHAEL ZURCHER | Iron Mountain
JULIAN CUNNINGHAM-DAY | Linklaters LLP

In early October 2015, a key agreement that allows the transfer of European residents’ personal data from the European Economic Area (EEA) to the U.S., called ‘Safe Harbour’, was deemed invalid by Europe’s top court.

The European Court of Justice (ECJ) made the landmark ruling on the agreement, which has been in place since 2000. The court concluded that the agreement did not provide adequate protection for personal data in the context of access by intelligence agencies, an issue brought to light by former National Security Agency (NSA) contractor Edward Snowden, and Austrian student Max Schrems, who filed a complaint against Facebook to the Irish data protection authority after Snowden’s publications in 2013.

What Happens Now?

Companies need to find another mechanism to legally “export” (or grant access to) personal data outside the EEA. The various options are discussed below. In addition, the ECJ confirmed that national data protection authorities have the authority to examine whether transfers of personal data to a third country meet the requirements of the EU data protection legislation.

Different countries and organisations have had a wide range of reactions to the ruling. Some data protection authorities (DPAs) have suggested a ban on most U.S. transfers, others have reached out to companies that have relied on the Safe Harbour, reminding them to implement a compliant solution, while the UK is telling its businesses not to panic.

The so-called Article 29 working party (which represents all EU data protection authorities) set a deadline of the end of January 2016 to implement a compliant alternative to Safe Harbour. While work on ‘Safe Harbour 2’ continues, most DPAs have stated that transfers to the U.S. should be treated in the same way as transfers to most other major economies outside of the EEA, and legitimised using one of the other transfer options available.

There are four major options for Safe Harbour moving forward.

OPTION 1:
Option one is, as mentioned above, a second version of Safe Harbour. The parties hope to reach a new agreement in early 2016, but it is not certain that an agreement can be reached before the end of January.
Worst Case Scenario?

If no workable solution is found, data storage solutions may have to be rethought. It may be easier to house and grant access to European data in Europe only. This solution is possible, but would involve significant structural change for many organisations. EU regulators seem keen to encourage a better outcome.
OPTION 2:
Option two is adopting Binding Corporate Rules (BCRs). BCRs are an intra-group framework with different elements (legally binding commitments, policies, training, audit, etc.) that guarantees that European personal data will be adequately protected within the group. Implementing BCRs is a heavyweight process, taking 12 to 18 months to gain approvals from DPAs. It is also intra-group only and it is not clear how it would limit access by U.S. intelligence agencies.
OPTION 3:
Option three focuses on Model Contracts. This is an option that is already widely adopted by businesses operating in the EEA, and likely to be the most common alternative selection to Safe Harbour. It involves entering into bilateral arrangements that can be used with affiliates, 3rd party vendors or others with which companies want to share data. Potential issues include the fact that this solution also doesn’t prevent access by intelligence agencies and in some countries additional complications arise from administrative formalities (submissions of the model clauses and translated and notarised documentation relating to the signing authority of the officers executing the clauses). In addition, under this ruling, DPAs would be able to suspend their approval for the use of Model Contracts.

OPTION 4:
Option four is really a partial solution focusing on individual derogations (consent, contractual necessity, etc.). The issues with this solution include: difficulties in obtaining valid consent from affected individuals and the fact that other derogations (e.g., processing necessary for a contract with an individual) only operate on a case-by-case basis.
Safe Harbour: Take Home

We are currently in a grace period as the EU and US authorities try to negotiate an alternative form of Safe Harbour (until end of January 2016), though this could be extended. Use the remaining time to select an option that works for your organisation. Like most multinational companies, Iron Mountain has selected Option 3 and executed Model Contracts.

What Does this Mean for Records Managers?

Records managers must ask the following questions:
• To what extent does my organisation rely on third party vendors in the U.S. for EU records/data processing?
• On what basis does my organisation export its data to such U.S. based vendors?
• Do any of our EU vendors subcontract work to the U.S.?
• On what basis do these EU vendors export their data to such U.S. based subcontractors?
• Do we have contracting arrangements in place to ensure compliance works all the way down the supply chain?
• Have I notified our procurement and compliance partners about potential vendor issues/changes?
PERSONAL DATA IS NOT A COMMODITY
STEWART DRESNER | privacylaws.com

The four year battle over the wording of the European Union’s new Data Protection Regulation was largely finished in December 2015, meaning it is time to move on from the rhetoric of the opposing camps to planning for implementation.

Personal Data: the Lifeblood of Modern Life

Business wants one legal regime for personal data across Europe. But the final agreed document is at an uncomfortably high level for many companies. Last month, Paul Nemitz, Director, Fundamental Rights and Union Citizenship at the European Commission, gave a rare commendation to a specific company for its privacy practices. He declared: “Personal data is not a commodity. It is the life blood of modern life in the 21st century. In European history and culture, a person is not an object… Personal data is like the stock market. If there is lack of confidence, then the value of a company goes down. Apple is strong on data and encryption, and is the world’s highest value company on the stock market.” He wanted to show that respect for personal data is compatible with commercial success.

For anyone not wanting to struggle through the 209 page document, here are a few of the Regulation’s most important strategic points for your organisation:

People worry about what is happening with their personal data. This can lead to distrust for businesses and the government which holds and processes this data. In the US, data breaches have been the main focus of attention for companies and individuals, driven by state legislation starting with California. But the emphasis in Europe is rights for individuals and resulting heavyweight legal duties for companies.

Unambiguous Consent for the Collection of Personal Data

Longstanding rights of access and correction are now greatly expanded to include “unambiguous consent” for use of a person’s data and a right of data portability. This means that, for example, individuals will be entitled to transfer their mobile device records from one supplier to get a quote from another.

Facebook was fined 250,000 euros a day for violating Belgian privacy laws.

The Belgian court ruled that Facebook’s practice of putting cookies on devices of non-Facebook registered users visiting Facebook violates Belgian data protection law. According to Facebook, these cookies are necessary for security reasons. Whereas people with Facebook accounts are more likely to understand this process, visitors to Facebook who do not have an account are unlikely to understand the implications of their visit. The privacy policy relevant to them is on page 10 of a 10 page policy and even clicking on a Facebook “like” button or choosing a language option is considered an opt-in according to Facebook’s procedure.
This case is a preview of what can be expected when the EU Data Protection Regulation enters into force in 2018. The Data Protection Authorities will expect a company, such as Facebook, which has not gained “unambiguous consent” for use of a person’s data, to comply with such orders in all territories of the EU as a means of aiming for consistency with the requirements of the EU Data Protection Regulation.

The General Data Protection Regulation goes into effect in 2018.

More attention has been given to the Court of Justice of the European Union. Last October, in the Schrems case, it determined the US-EU Safe Harbour to be no longer valid as a legal basis for transferring personal data from the European Economic Area to the US. As a special deal for the US based on self-regulation, some commentators regarded the Safe Harbour as “neither safe nor a harbour.” As a result, many multinational companies, such as Salesforce, have quickly turned to legal alternatives, EU model contracts and Binding Corporate Rules.

European storage and cloud services increasingly attractive

Seeing the direction of travel of the EU Data Protection Regulation negotiations, many companies are shifting their processing and storage of customer and employee data to a country in the European Union. This move will give companies more certainty about a secure legal basis for their processing of personal data. This is a substantial commercial opportunity for cloud services that give customers an opportunity to specify the country in which they want to base their service. In the same way, some traditionally US-based cloud services now offer EU-based options. Microsoft is even running a long legal battle in the New York courts denying that US law applies to these EU-based services. An EU-based archiving service is in some respects more attractive than one based in the U.S.
HOW DO NEW DATA PRIVACY LAWS AFFECT RECORDS MANAGERS?
GAVIN SIGGERS | Iron Mountain

Data privacy laws are in the news a lot lately. The proliferation of data and the growing number of data hacks has put data privacy in the spotlight, with many organisations left wondering where they should go next with their current data privacy, protection and compliance plans. The following is information intended for records and information managers, who may be one of the least-addressed groups when it comes to this issue.

Ensure you have a voice in your organisation.

New data protection laws will directly affect the way you do business, and it’s imperative that your legal department or external law firm is complemented by your knowledge of day-to-day records management processes. The general tendency for organisations is to dump all legal matters on external lawyers, but these lawyers won’t be looking at your business’ operational needs from an information governance perspective. The information governance stakeholder group should have privacy as part of its remit and the records manager should be a key player in that group.

Take a pragmatic approach.

Make sure to connect and get the input of individuals at your company who understand business operations and strategy. The information governance stakeholders that adopt privacy issues will be able to position solutions in a broader context that aligns with those strategic and operational needs.

Don’t forget about paper.

Paper and data privacy: you may be wondering exactly where I’m going with this. Most people talking about data protection aren’t focusing on physical assets; they’re focusing on digital data because of the high profile cyber-attacks happening nearly every week. However, paper is important in the data privacy conversation precisely because it’s now so easy to ignore. This raises potential threats surrounding your records falling into the wrong hands. Though organisations are reducing their reliance on paper, nearly every organisation still uses it in some format. This disposable medium is posing an unseen risk. It’s all this blog would have been about 15 years ago, and we can’t forget about it now. That’s why secure information destruction is so important.

Paper also poses a risk in that it can be quite difficult to find once misplaced. If you don’t have the indexing and digitising plans in place to keep your information well-organised, you may find yourself in hot water when a disclosure or subject access request is submitted. For the eighth consecutive year, the average cost per lost or stolen record has risen. The figure rose from €122 in 2014 to €133 per record in 2015, according to Information Security Buzz. The longer paper sits without any plan, the bigger risk it becomes. After all, sometimes you don’t know what you’re missing until you need it.

Encourage information responsibility.

Getting control of your paper is just as important as protecting your digital data. And it’s your job as a records manager to make paper an equal priority.
5 THINGS YOUR IT TEAM NEEDS TO KNOW ABOUT DATA PRIVACY
JOHN WOOLLEY | Iron Mountain

With the onset of new data privacy laws being put in place across Europe, it can be tempting as an IT manager to let it all go over your head. After all, what does that legislation have to do with you and your company? In short, a lot. Here are some suggestions for improving your IT department’s focus on data privacy.

1. Fully understand the greater business and its functions. If you don’t understand your business units, you’ll never truly understand what data they need to keep, why they’re keeping it and for how long it must be kept. To reach this goal, work on the ability to communicate what the impacts are of keeping that data in terms of time, money and risk. The more you know about the business functions, the more you can influence the mindset of the C-suite and your business partners—and keep control of your data so it doesn’t control you.

2. Recognise the retention policies for your company and industry. Understanding what your organisation requires in terms of compliance is of the utmost importance. Keep in mind statutes of limitation, general contracts and other legal concerns.

Tech firms will have to report serious data breaches to regulators within 72 hours.

3. Keep Your Eye on the Law. It’s vital to stay on top of current and upcoming legislation for your industry in particular and for organisations in general. The European Union has approved significant changes to data laws, aimed at putting individuals back in charge of their information. This represents the biggest shake-up to privacy regulations in 20 years, according to experts. Under this new legislation (which comes into force in 2018), companies could face fines of up to 4% of their global annual turnover during the e-Discovery process. Here are a few other ways this legislation will change the way organisations approach data privacy:

• Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history. Example: a user could request to have his or her Twitter profile removed.
• Consumers have the right to transfer their data from one company to another. Example: a consumer could request that all of his or her data related to an online shopping purchase be sent to him so that his personal preferences can be used by a new preferred retailer.
• Companies that handle significant amounts of data will have to employ a data protection officer.

Stewart Room, head of data privacy at PwC, explains: “The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU” — BBC

4. Reconsider what information needs to be kept and how. Some information needs to be kept online, while other information can be archived for long-term storage. Keep a redacted, easily accessible copy online with enough to affirm business requirements, while also reducing the exposure of customers/employees. This will ensure that you aren’t as heavily affected in a breach (and that your customers and employees are protected). Think about how this is traded off against latency of recovery for a fully populated offline copy. If you’re worried about managing the archival information located on tapes because you don’t have the resources internally and/or want to focus on core business, consider partnering with a vendor that can provide a managed tape service.

5. Keep Employees and Customers Top of Mind. Know how much personal information your organisation is keeping on its employees and customers and the existing practices around this data. Build up your organisation’s passwords and firewalls, and educate both groups about following data privacy best practices. You’ll also want to reach out to senior leadership to get them on board with your data privacy policy and keep them in the know.
5 STEPS TO DEFINING YOUR RETENTION POLICIES
JOHN WOOLLEY | Iron Mountain

I have a strong opinion around why organisations continue to store so much unstructured data. Many IT professionals simply do not have the time to wade through best practices for retention, nor are they given a solid steer by the business itself—unless there has been significant investment in a compliance team. Danger arises when a lack of policies means a default decision to keep all data forever. In this case, storage and backup solutions become a major financial burden to an organisation.

How do you begin to define your retention policies? Follow these five steps:

1. Establish global baseline retention policies. Begin by establishing a baseline (or minimum) retention. If you are a multinational, you’ll need to understand potential worldwide applicability for certain types of records. Your policy should provide flexibility for different countries to exercise their discretion to lengthen or extend these baseline retention periods, based on valid legal or business needs.

2. Access accounting and tax records. Governments impose a legal requirement to protect their ability to collect taxes. To do this, they must have access to accounting records to scrutinise during tax audits. Because of this, accounting and tax records are the biggest target for records retention.

Virtually every country has enacted laws that mandate the retention of ledgers, journals and other books of account, as well as additional supporting documentation such as vouchers, balance sheets, records of goods bought and sold and inventories of stock. These retention requirements are found in the commercial codes of country laws and/or in the tax codes.

Typically the retention period is five to 10 years; however, this is not applicable to all systems and data that pertain to accounting records, structured or not.

Finally, bear in mind that I have yet to meet an accounts department that will delete data from a financial system. This is important to remember when dealing with archives derived from backup.

3. Understand the impact of general/corporate legal documents. After accounting records, general corporate/legal documents are the most frequent target for retention laws.

Requirements for these documents typically appear in the business corporation laws or commercial codes of the countries in which organisations operate, and they usually apply to all businesses domiciled within the country, including units of foreign-owned, multinational corporations.
Although they vary in coverage and specificity, these laws typically mandate the retention of records such as minute books, articles of incorporation, shareholder registers, financial statements, deeds and other documents serving as evidence of the legal status and ownership of the business.

Some countries have specific laws about record retention, while others have more general laws. The retention periods range from three years to permanent; 10 years is the average.
The intent here is to ensure the preservation of records of closed businesses through the period of receivership and payment of creditors or other legal distribution of assets.

4. Follow statutes of limitations. Statutes of limitations — or periods of prescription, as they are called in civil law countries — are a major factor in establishing retention periods for business records. These laws are not requirements to retain records; they simply specify how long parties can sue or be sued concerning a certain matter.

Multinational companies have a major interest in retaining such records, as they may be needed to institute legal proceedings against other parties or to defend themselves against unwarranted claims brought by other parties. These records may define and limit risk and liability in terms of retention. The following matters are most relevant to records retention:

General contracts: Retention requirements range from one year from discovery of breach in China to an average of six years from the last date on which action took place in the United Kingdom.

Taxation: Retention requirements range from an average of five years in Brazil and Germany to 0 years, in cases where taxpayers fail to file a return or file a false return for purposes of evading taxes in Thailand.

Product liability: Retention requirements range from 3 years from the plaintiff’s awareness of damage in Finland to 30 years in cases where product defects have been fraudulently concealed by the seller in Germany.

Personal injury: Retention requirements range from 3 years from the date on which the cause of action occurred in Ireland to as much as 20 years following the event that caused the damage in the Netherlands.

Once the relevant laws have been discovered, multinational records managers should work with their legal counsel to incorporate them into retention policies of global coverage.
5. Incorporate Business Function Scoping. Once the baseline has been established along with consideration for legal protection, you can then delve into the rest of the business units. Further, the legal research should be defined by business functions. These include:

• Environmental management/Facility and property management
• Human resources
• Employee health and safety
• Insurance/risk management
• Intellectual property (patents, copyrights, and trademarks)
• Manufacturing
• Payroll/compensation, salary and wage administration
• Property/land management, Purchasing/procurement
• Quality control/assurance
• Regulatory affairs
• Research and development
• Sales/marketing
• Security
• Shareholder relations

Once you have your retentions in place, consider a robust automated policy for deletion of data, whether online or archived, unless you have a vendor like Iron Mountain managing the lifecycle for you.

Consider the impacts if you had the right retention policies in place, the correct tools to move data, the ability to provide search functions and the best possible cost medium on which to store your data. What would that do to alleviate the continuous issues of storage, backup and disaster recovery?
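As an added example (not Iron Mountain’s code or any product of theirs), here is how the five steps and the closing recommendation for automated deletion can be expressed as a small retention resolver: the global baseline is the floor, a country’s retention law or limitation period can only lengthen it, permanent retention is represented explicitly so it is never eligible for deletion, and every deletion decision carries the basis it was made on so the run can be audited. The record categories, baseline years and the COUNTRY_LAW table are constructed sample values; the LIMITATIONS figures are taken from step 4 (the garbled Thailand figure is omitted).

```python
"""Retention resolver: global baseline + country law + statutes of limitations.

Added example, not Iron Mountain's code. Category names, BASELINE and COUNTRY_LAW
are constructed; LIMITATIONS holds the years quoted in step 4 of the ebook.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PERMANENT = None  # a retention period of None means "retain permanently"


@dataclass(frozen=True)
class RetentionRule:
    years: Optional[int]  # None == permanent
    basis: str            # which step of the policy produced this period


# Step 1: global baseline (minimum) retention per record category, in years (constructed).
BASELINE = {
    "accounting": 7,
    "corporate": 10,
    "contract": 5,
    "taxation": 5,
    "product_liability": 10,
    "personal_injury": 3,
}

# Steps 2-3: country-specific statutory retention (constructed sample values).
# A country may lengthen the baseline, never shorten it: FR/accounting below is
# deliberately shorter than the baseline and must lose to it.
COUNTRY_LAW = {
    ("DE", "accounting"): 10,
    ("FR", "accounting"): 5,
    ("GB", "corporate"): PERMANENT,
}

# Step 4: statutes of limitations (years) per matter and country, from the ebook.
LIMITATIONS = {
    ("CN", "contract"): 1,
    ("GB", "contract"): 6,
    ("BR", "taxation"): 5,
    ("DE", "taxation"): 5,
    ("FI", "product_liability"): 3,
    ("DE", "product_liability"): 30,
    ("IE", "personal_injury"): 3,
    ("NL", "personal_injury"): 20,
}


def _rank(rule: RetentionRule) -> float:
    """Sort key: permanent retention outranks any finite period."""
    return float("inf") if rule.years is None else rule.years


def resolve(category: str, country: str) -> RetentionRule:
    """Longest applicable period wins: baseline, country law or limitation period."""
    candidates = [RetentionRule(BASELINE[category], "global baseline")]
    key = (country, category)
    if key in COUNTRY_LAW:
        candidates.append(RetentionRule(COUNTRY_LAW[key], f"{country} retention law"))
    if key in LIMITATIONS:
        candidates.append(RetentionRule(LIMITATIONS[key], f"{country} statute of limitations"))
    # max() keeps the first of equal candidates, so the baseline wins ties.
    return max(candidates, key=_rank)


def add_years(d: date, years: int) -> date:
    """Calendar-safe year addition (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(category: str, country: str, trigger: date, today: date) -> dict:
    """Decide what an automated deletion job may do with one record.

    `trigger` is the event the period runs from (contract end, last action,
    awareness of damage, ...), which the policy itself must define per matter.
    The returned basis is what the job should log for every decision.
    """
    rule = resolve(category, country)
    if rule.years is None:
        return {"action": "retain", "until": None, "basis": rule.basis}
    end = add_years(trigger, rule.years)
    if end <= today:
        return {"action": "delete", "until": end, "basis": rule.basis}
    return {"action": "retain", "until": end, "basis": rule.basis}


if __name__ == "__main__":
    today = date(2016, 3, 21)  # constructed run date
    for cat, cc, trig in [("product_liability", "DE", date(2000, 1, 1)),
                          ("contract", "CN", date(2010, 6, 30)),
                          ("corporate", "GB", date(1990, 1, 1))]:
        print(cat, cc, disposition(cat, cc, trig, today))
```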
ABOUT IRON MOUNTAIN. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations
lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of
information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more,
for organizations around the world. Visit the company Web site at www.ironmountain.co.uk for more information.
©2016 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and
other countries. All other trademarks and registered trademarks are property of their respective owners.
Legal Implications of a Mobile EnterpriseLegal Implications of a Mobile Enterprise
Legal Implications of a Mobile Enterprise
 

Similar to Data_Privacy_Protection_brochure_UK

[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
Symantec
 
Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16
Agustin Argelich Casals
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
Ulf Mattsson
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
Steven Salter
 
GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016
Saira Nayak, JD, CIPP/US/E
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
audrey miguel
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In Preview
Rockwell Bower, Esq., CIPP(US), CIPM
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
Omo Osagiede
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-Overview
Erica Walker
 
Managing Consumer Data Privacy
Managing Consumer Data PrivacyManaging Consumer Data Privacy
Managing Consumer Data Privacy
Gigya
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
Symantec
 
IDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPRIDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPR
Veritas Technologies LLC
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
todd581
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
glendar3
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
Paul Richards
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
Keith Purves
 
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docxRunning Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
jeanettehully
 
Data protection
Data protectionData protection
Data protection
RaviPrashant5
 

Similar to Data_Privacy_Protection_brochure_UK (20)

[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
Privacy Year In Preview
Privacy Year In PreviewPrivacy Year In Preview
Privacy Year In Preview
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-Overview
 
Managing Consumer Data Privacy
Managing Consumer Data PrivacyManaging Consumer Data Privacy
Managing Consumer Data Privacy
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
IDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPRIDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPR
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
 
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docxRunning Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
Running Head PRIVACY AND CYBERSECURITY1PRIVACY AND CYBERSECU.docx
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docxRunning Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
Running Head THE IMPACT OF GDPR ON GLOBAL IT POLICIES1THE IMPA.docx
 
Data protection
Data protectionData protection
Data protection
 

Data_Privacy_Protection_brochure_UK

below.

In addition, the ECJ confirmed that national data protection authorities have the authority to examine whether transfers of personal data to a third country meet the requirements of EU data protection legislation.

Different countries and organisations have had a wide range of reactions to the ruling. Some data protection authorities (DPAs) have suggested a ban on most U.S. transfers; others have reached out to companies that relied on Safe Harbour, reminding them to implement a compliant solution; while the UK is telling its businesses not to panic. The so-called Article 29 Working Party (which represents all EU data protection authorities) set a deadline of the end of January 2016 to implement a compliant alternative to Safe Harbour. While work on 'Safe Harbour 2' continues, most DPAs have stated that transfers to the U.S. should be treated in the same way as transfers to most other major economies outside the EEA, and legitimised using one of the other transfer options available.

There are four major options for Safe Harbour moving forward.

OPTION 1: A second version of Safe Harbour. The parties hope to reach a new agreement in early 2016, but it is not certain that an agreement can be reached before the end of January.

OPTION 2: Binding Corporate Rules (BCRs). BCRs are an intra-group framework with different elements (legally binding commitments, policies, training, audit, etc.) that guarantees that European personal data will be adequately protected within the group. Implementing BCRs is a heavyweight process, taking 12 to 18 months to gain approvals from DPAs. It is also intra-group only, and it is not clear how it would limit access by U.S. intelligence agencies.

OPTION 3: Model Contracts. This option is already widely adopted by businesses operating in the EEA, and is likely to be the most common alternative to Safe Harbour. It involves entering into bilateral arrangements that can be used with affiliates, third-party vendors or others with which companies want to share data. Potential issues include the fact that this solution also doesn't prevent access by intelligence agencies, and in some countries additional complications arise from administrative formalities (submission of the model clauses, and translated and notarised documentation relating to the signing authority of the officers executing the clauses). In addition, under this ruling, DPAs would be able to suspend their approval for the use of Model Contracts.

OPTION 4: A partial solution focusing on individual derogations (consent, contractual necessity, etc.). The issues with this solution include difficulties in obtaining valid consent from affected individuals, and the fact that other derogations (e.g., processing necessary for a contract with an individual) only operate on a case-by-case basis.

Worst Case Scenario?
If no workable solution is found, data storage solutions may have to be rethought. It may be easier to house and grant access to European data in Europe only. This solution is possible, but would involve significant structural change for many organisations. EU regulators seem keen to encourage a better outcome.

Safe Harbour: Take Home
We are currently in a grace period as the EU and US authorities try to negotiate an alternative form of Safe Harbour (until the end of January 2016), though this could be extended. Use the remaining time to select an option that works for your organisation. Like most multinational companies, Iron Mountain has selected Option 3 and executed Model Contracts.

What Does this Mean for Records Managers?
Records managers must ask the following questions:
• To what extent does my organisation rely on third-party vendors in the U.S. for EU records/data processing?
• On what basis does my organisation export its data to such U.S.-based vendors?
• Do any of our EU vendors subcontract work to the U.S.?
• On what basis do these EU vendors export their data to such U.S.-based subcontractors?
• Do we have contracting arrangements in place to ensure compliance works all the way down the supply chain?
• Have I notified our procurement and compliance partners about potential vendor issues/changes?

MICHAEL ZURCHER | Iron Mountain
JULIAN CUNNINGHAM-DAY | Linklaters LLP
PERSONAL DATA IS NOT A COMMODITY
STEWART DRESNER | privacylaws.com

The four-year battle over the wording of the European Union's new Data Protection Regulation was largely finished in December 2015, meaning it is time to move on from the rhetoric of the opposing camps to planning for implementation.

Personal Data: the Lifeblood of Modern Life
Business wants one legal regime for personal data across Europe. But the final agreed document is at an uncomfortably high level for many companies. Last month, Paul Nemitz, Director, Fundamental Rights and Union Citizenship at the European Commission, gave a rare commendation to a specific company for its privacy practices. He declared: "Personal data is not a commodity. It is the life blood of modern life in the 21st century. In European history and culture, a person is not an object... Personal data is like the stock market. If there is lack of confidence, then the value of a company goes down. Apple is strong on data and encryption, and is the world's highest value company on the stock market." He wanted to show that respect for personal data is compatible with commercial success.

For anyone not wanting to struggle through the 209-page document, here are a few of the Regulation's most important strategic points for your organisation.

People worry about what is happening with their personal data. This can lead to distrust of the businesses and the government which hold and process this data. In the US, data breaches have been the main focus of attention for companies and individuals, driven by state legislation starting with California. But the emphasis in Europe is on rights for individuals and the resulting heavyweight legal duties for companies.

Unambiguous Consent for the Collection of Personal Data
Longstanding rights of access and correction are now greatly expanded to include "unambiguous consent" for use of a person's data and a right of data portability. This means that, for example, individuals will be entitled to transfer their mobile device records from one supplier to get a quote from another.

A Belgian court ordered Facebook to stop placing cookies on the devices of non-registered users who visit Facebook, ruling that the practice violates Belgian data protection law, with a penalty of 250,000 euros a day for non-compliance. According to Facebook, these cookies are necessary for security reasons. Whereas people with Facebook accounts are more likely to understand this process, visitors to Facebook who do not have an account are unlikely to understand the implications of their visit. The privacy policy relevant to them is on page 10 of a 10-page policy, and even clicking on a Facebook "like" button or choosing a language option is considered an opt-in according to Facebook's procedure.

This case is a preview of what can be expected when the EU Data Protection Regulation enters into force in 2018. The Data Protection Authorities will expect a company, such as Facebook, which has not gained "unambiguous consent" for use of a person's data, to comply with such orders in all territories of the EU, as a means of aiming for consistency with the requirements of the Regulation.

More attention has been given to the Court of Justice of the European Union. Last October, it determined in the Schrems case that the US-EU Safe Harbour is no longer valid as a legal basis for transferring personal data from the European Economic Area to the US. As a special deal for the US based on self-regulation, some commentators regarded Safe Harbour as "neither safe nor a harbour." As a result, many multinational companies, such as Salesforce, have quickly turned to the legal alternatives: EU model contracts and Binding Corporate Rules.

European Storage and Cloud Services Increasingly Attractive
Seeing the direction of travel of the EU Data Protection Regulation negotiations, many companies are shifting their processing and storage of customer and employee data to a country in the European Union. This move will give companies more certainty about a secure legal basis for their processing of personal data. This is a substantial commercial opportunity for cloud services that give customers an opportunity to specify the country in which they want to base their service. In the same way, some traditionally US-based cloud services now offer EU-based options. Microsoft is even fighting a long legal battle in the New York courts, contesting whether US law reaches these EU-based services. An EU-based archiving service is in some respects more attractive than one based in the U.S.
HOW DO NEW DATA PRIVACY LAWS AFFECT RECORDS MANAGERS?
GAVIN SIGGERS | Iron Mountain

Data privacy laws are in the news a lot lately. The proliferation of data and the growing number of data breaches have put data privacy in the spotlight, with many organisations left wondering where they should go next with their current data privacy, protection and compliance plans. The following is information intended for records and information managers, who may be one of the least-addressed groups when it comes to this issue.

Ensure you have a voice in your organisation.
New data protection laws will directly affect the way you do business, and it's imperative that your legal department or external law firm is complemented by your knowledge of day-to-day records management processes. The general tendency for organisations is to dump all legal matters on external lawyers, but these lawyers won't be looking at your business' operational needs from an information governance perspective. The information governance stakeholder group should have privacy as part of its remit, and the records manager should be a key player in that group.

Take a pragmatic approach.
Make sure to connect with and get the input of individuals at your company who understand business operations and strategy. The information governance stakeholders that adopt privacy issues will be able to position solutions in a broader context that aligns with those strategic and operational needs.

Don't forget about paper.
Paper and data privacy: you may be wondering exactly where I'm going with this. Most people talking about data protection aren't focusing on physical assets; they're focusing on digital data because of the high-profile cyber-attacks happening nearly every week. However, paper is important in the data privacy conversation precisely because it's now so easy to ignore, and that raises the threat of your records falling into the wrong hands. Though organisations are reducing their reliance on paper, nearly every organisation still uses it in some form. This disposable medium poses an unseen risk. It's all this blog would have been about 15 years ago, and we can't forget about it now. That's why secure information destruction is so important.

Paper also poses a risk in that it can be quite difficult to find once misplaced. If you don't have the indexing and digitising plans in place to keep your information well organised, you may find yourself in hot water when a disclosure or subject access request is submitted. For the eighth consecutive year, the average cost per lost or stolen record has risen, from €122 in 2014 to €133 per record in 2015, according to Information Security Buzz. The longer paper sits without any plan, the bigger a risk it becomes. After all, sometimes you don't know what you're missing until you need it.

Encourage information responsibility.
Getting control of your paper is just as important as protecting your digital data. And it's your job as a records manager to make paper an equal priority.
5 THINGS YOUR IT TEAM NEEDS TO KNOW ABOUT DATA PRIVACY
JOHN WOOLLEY | Iron Mountain

With new data privacy laws being put in place across Europe, it can be tempting as an IT manager to let it all go over your head. After all, what does that legislation have to do with you and your company? In short, a lot. Here are some suggestions for improving your IT department's focus on data privacy.

1. Fully understand the greater business and its functions. If you don't understand your business units, you'll never truly understand what data they need to keep, why they're keeping it and for how long it must be kept. To reach this goal, work on the ability to communicate the impacts of keeping that data in terms of time, money and risk. The more you know about the business functions, the more you can influence the mindset of the C-suite and your business partners, and keep control of your data so it doesn't control you.

2. Recognise the retention policies for your company and industry. Understanding what your organisation requires in terms of compliance is of the utmost importance. Keep in mind statutes of limitation, general contracts and other legal concerns.

3. Keep your eye on the law. It's vital to stay on top of current and upcoming legislation for your industry in particular and for organisations in general. The European Union has approved significant changes to data laws, aimed at putting individuals back in charge of their information. This represents the biggest shake-up to privacy regulations in 20 years, according to experts. Under the new legislation (which comes into force in 2018), companies could face fines of up to 4% of their global annual turnover. Here are a few other ways this legislation will change the way organisations approach data privacy:
• Companies will have to report serious data breaches to regulators within 72 hours.
• Consumers' right to be forgotten will be extended beyond search engines to all aspects of their web history. Example: a user could request to have his or her Twitter profile removed.
• Consumers have the right to transfer their data from one company to another. Example: a consumer could request that all of his or her data related to an online shopping purchase be sent to him or her, so that those personal preferences can be used by a new preferred retailer.
• Companies that handle significant amounts of data will have to employ a data protection officer.

Stewart Room, head of data privacy at PwC, explains: "The scale and breadth of the EU's changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU" (BBC).

4. Reconsider what information needs to be kept and how. Some information needs to be kept online, while other information can be archived for long-term storage. Keep a redacted, easily accessible copy online with enough to affirm business requirements, while reducing the exposure of customers and employees. This ensures that you aren't as heavily affected in a breach (and that your customers and employees are protected). Think about how this is traded off against the latency of recovering a fully populated offline copy. If you're worried about managing the archival information located on tapes because you don't have the resources internally and/or want to focus on core business, consider partnering with a vendor that can provide a managed tape service.

5. Keep employees and customers top of mind. Know how much personal information your organisation is keeping on its employees and customers, and the existing practices around this data. Strengthen your organisation's password policies and firewalls, and educate both groups about following data privacy best practices. You'll also want to reach out to senior leadership to get them on board with your data privacy policy and keep them in the know.
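Point 4 above (a redacted online copy beside a fully populated offline archive) is easier to reason about with a concrete split. The following is an added example, not code from the eBook or from Iron Mountain: it takes constructed customer records, strips the direct identifiers out of the online view, replaces the email with a keyed HMAC token so the online copy can still be searched by email without storing it, masks phone and email for display, and records a SHA-256 manifest of the full copy so a restore from the slow offline medium can be verified. The record layout and the key are assumptions for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed sample records for this example; not data from the eBook.
FULL_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 20 7946 0001", "dob": "1980-04-12", "country": "GB",
     "order_date": "2015-11-03", "order_total": 249.99},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+49 30 123456 02", "dob": "1975-02-28", "country": "DE",
     "order_date": "2015-12-15", "order_total": 88.00},
]

# Fields that identify a person directly. They stay only in the offline copy.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "dob")

# Hypothetical key for the HMAC pseudonyms. In production it lives in an HSM or a
# secrets manager and is never stored beside the online copy; without it the
# tokens cannot be linked back to a person.
DEMO_KEY = b"demo-only-replace-with-a-managed-secret"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same email always maps to the same token,
    so the online copy stays searchable, but the email itself is not stored."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    _local, _, domain = email.partition("@")
    return "***@" + domain


def mask_phone(phone: str) -> str:
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_record(record: dict, key: bytes) -> dict:
    """Online view: business fields intact, identifiers replaced by a searchable
    token and display-safe masks, date of birth reduced to a year."""
    online = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    online["email_token"] = pseudonym(record["email"], key)
    online["email_masked"] = mask_email(record["email"])
    online["phone_masked"] = mask_phone(record["phone"])
    online["birth_year"] = record["dob"][:4]
    return online


def build_online_copy(records: list, key: bytes) -> list:
    return [redact_record(r, key) for r in records]


def find_by_email(online: list, key: bytes, email: str) -> list:
    """Lookup that works on the redacted copy: hash the query the same way."""
    token = pseudonym(email, key)
    return [r for r in online if r["email_token"] == token]


def exposed_identifiers(records: list) -> int:
    """Number of direct-identifier fields present; a breach of the online copy
    should expose none of them."""
    return sum(1 for r in records for k in DIRECT_IDENTIFIERS if k in r)


def archive_manifest(records: list) -> str:
    """SHA-256 over the canonical JSON of the full copy, recorded with the tape so
    a restore can be checked before the offline copy is trusted."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


if __name__ == "__main__":
    online_copy = build_online_copy(FULL_RECORDS, DEMO_KEY)
    print("identifiers in full copy:  ", exposed_identifiers(FULL_RECORDS))
    print("identifiers in online copy:", exposed_identifiers(online_copy))
    print("lookup on online copy:",
          [r["customer_id"] for r in find_by_email(online_copy, DEMO_KEY, "Alice@Example.com")])
    print("offline manifest:", archive_manifest(FULL_RECORDS))
```

The trade-off the text describes shows up in the two functions at the end: anything answerable from the online copy (order history, a lookup by email) is instant, while anything that needs a name, phone number or date of birth has to wait for the offline copy to be restored and its manifest verified. The token key is the crown jewel of this design; if it is stored next to the online copy, the pseudonyms are only one HMAC away from the original emails.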
5 STEPS TO DEFINING YOUR RETENTION POLICIES
JOHN WOOLLEY | Iron Mountain

I have a strong opinion around why organisations continue to store so much unstructured data. Many IT professionals simply do not have the time to wade through best practices for retention, nor are they given a solid steer by the business itself, unless there has been significant investment in a compliance team. Danger arises when a lack of policies means a default decision to keep all data forever. In this case, storage and backup solutions become a major financial burden to an organisation.

How do you begin to define your retention policies? Follow these five steps:

[Figure: the five steps shown as a graphic, labelled Policy, Tax Records, Documents, Limitations and Function.]

1. Establish global baseline retention policies. Begin by establishing a baseline (or minimum) retention. If you are a multinational, you'll need to understand potential worldwide applicability for certain types of records. Your policy should provide flexibility for different countries to exercise their discretion to lengthen or extend these baseline retention periods, based on valid legal or business needs.

2. Assess accounting and tax records. Governments impose a legal requirement to protect their ability to collect taxes. To do this, they must have access to accounting records to scrutinise during tax audits. Because of this, accounting and tax records are the biggest target for records retention. Virtually every country has enacted laws that mandate the retention of ledgers, journals and other books of account, as well as additional supporting documentation such as vouchers, balance sheets, records of goods bought and sold, and inventories of stock. These retention requirements are found in the commercial codes of country laws and/or in the tax codes. Typically the retention period is five to 10 years; however, this is not applicable to all systems and data that pertain to accounting records, structured or not. Finally, bear in mind that I have yet to meet an accounts department that will delete data from a financial system. This is important to remember when dealing with archives derived from backup.

3. Understand the impact of general/corporate legal documents. After accounting records, general corporate/legal documents are the most frequent target for retention laws. Requirements for these documents typically appear in the business corporation laws or commercial codes of the countries in which organisations operate, and they usually apply to all businesses domiciled within the country, including units of foreign-owned multinational corporations. Although they vary in coverage and specificity, these laws typically mandate the retention of records such as minute books, articles of incorporation, shareholder registers, financial statements, deeds and other documents serving as evidence of the legal status and ownership of the business. Some countries have specific laws about record retention, while others have more general laws. The retention periods range from three years to permanent; 10 years is the average. The intent here is to ensure the preservation of records of closed businesses through the period of receivership and payment of creditors or other legal distribution of assets.

4. Follow statutes of limitations. Statutes of limitations (or periods of prescription, as they are called in civil law countries) are a major factor in establishing retention periods for business records. These laws are not requirements to retain records; they simply specify how long parties can sue or be sued concerning a certain matter. Multinational companies have a major interest in retaining such records, as they may be needed to institute legal proceedings against other parties or to defend themselves against unwarranted claims brought by other parties. These records may define and limit risk and liability in terms of retention. The following matters are most relevant to records retention:
• General contracts: retention requirements range from one year from discovery of breach in China to an average of six years from the last date on which action took place in the United Kingdom.
• Taxation: retention requirements range from an average of five years in Brazil and Germany to 10 years in Thailand, in cases where taxpayers fail to file a return or file a false return for the purpose of evading taxes.
• Product liability: retention requirements range from three years from the plaintiff's awareness of damage in Finland to 30 years in Germany in cases where product defects have been fraudulently concealed by the seller.
• Personal injury: retention requirements range from three years from the date on which the cause of action occurred in Ireland to as much as 20 years following the event that caused the damage in the Netherlands.
Once the relevant laws have been discovered, multinational records managers should work with their legal counsel to incorporate them into retention policies of global coverage.

5. Incorporate business function scoping. Once the baseline has been established, along with consideration for legal protection, you can then delve into the rest of the business units. Further, the legal research should be defined by business functions. These include:
• Environmental management / Facility and property management
• Human resources
• Employee health and safety
• Insurance / risk management
• Intellectual property (patents, copyrights and trademarks)
• Manufacturing
• Payroll / compensation, salary and wage administration
• Property / land management
• Purchasing / procurement
• Quality control / assurance
• Regulatory affairs
• Research and development
• Sales / marketing
• Security
• Shareholder relations

Once you have your retention periods in place, consider a robust automated policy for deletion of data, whether online or archived, unless you have a vendor like Iron Mountain managing the lifecycle for you. Consider the impacts if you had the right retention policies in place, the correct tools to move data, the ability to provide search functions and the best possible cost medium on which to store your data. What would that do to alleviate the continuous issues of storage, backup and disaster recovery?

UK-DM-EXT-EBOOK-032116-001 | 08445 60 70 80 | ironmountain.co.uk

ABOUT IRON MOUNTAIN. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Web site at www.ironmountain.co.uk for more information. ©2016 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S.
and other countries. All other trademarks and registered trademarks are property of their respective owners. Visit our data privacy protection zone ironmountain.co.uk/data-privacy For more information….