Expert Comments on EU-US Privacy Shield

Following the recent approval of the EU-US Privacy Shield, Gavin Siggers, Director of Professional Services at Iron Mountain commented below. He addresses the way in which the new policy will guide US and EU organisations in storing, sharing and protecting the personal data of EU citizens, whilst also highlighting the economic importance of this policy to the UK. In addition to this, Gavin’s comment also explores the potential impact that Brexit will present to the implementation of the policy, outlining the importance for businesses to train and educate both themselves and their employees on the principles of data protection.

Gavin Siggers, Director of Professional Services at Iron Mountain:

“Businesses, understandably, have been in limbo over international transfer of personal data since Safe Harbour was rejected back in October 2015. After it was decided the proposed regulations didn’t provide adequate protection for the personal data of EU citizens in the US, many businesses have awaited the replacement and its expectations for handling this valuable data with caution.

This month’s approval of the new policy from the European Parliament brings Privacy Shield into action. The policy will guide the way US and EU organisations store, share and protect the personal data of EU citizens. This is in a bid to keep data safe, with stipulated guidance around stronger protection of TransAtlantic data flow and the fundamental rights of individuals whose data is transferred. The approved regulation also has a positive economic impact, as it supports billions of dollars worth of trade and facilitates international data transfers – essential to the British economy.

In addition to increased regulatory change, Brexit has also presented additional complexities. Despite the current uncertainty of how Brexit will impact Privacy Shield in the UK, organisations still need to ensure they are preparing to adhere to its stringent requirements. The initial step in this preparation process is firstly to understand what Privacy Shield demands of organisations when handling data across borders, as well as the ramifications of non-compliance, including fines of up to 300,000 euros.

For all data exports to the US there needs to be a full examination of which data transfer and protection processes will be affected by Privacy Shield – including online social plugins and analytical tools from America, such as Dropbox. These data export programmes put organisations in a position of less obvious non-compliance with many companies being unaware of the risks. To overcome the hidden threats and consequently the prevention of hefty fines, organisations need to ensure all exports from the US are aligned with the regulations of Privacy Shield.

Ultimately, businesses need to train and educate both themselves and their employees on the principles of data protection, including the expectations of Privacy Shield. Implementing a data management programme to cope with privacy changes right away and ensuring a cultural shift within organisations towards new more stringent regulatory demands for data protection are crucial steps for businesses to protect their reputations and bottom-lines.”