reach Cross-Border Data: Managing the Risks People. Partnership. Performance.

Similar documents
Google Cloud & the General Data Protection Regulation (GDPR)

Accelerate GDPR compliance with the Microsoft Cloud

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

EU General Data Protection Regulation (GDPR) Achieving compliance

Protecting your data. EY s approach to data privacy and information security

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

IBM Compliance Offerings For Verse and S1 Cloud. 01 June 2017 Presented by: Chuck Stauber

Information Security Policy

GDPR: A QUICK OVERVIEW

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Version 1/2018. GDPR Processor Security Controls

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

GDPR Update and ENISA guidelines

WORKSHARE SECURITY OVERVIEW

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

The GDPR Are you ready?

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Checklist: Credit Union Information Security and Privacy Policies

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

General Data Protection Regulation (GDPR)

Best Practices in Securing a Multicloud World

NetApp Private Storage for Cloud: Solving the issues of cloud data privacy and data sovereignty

ARE YOU READY FOR GDPR?

Data Management and Security in the GDPR Era

Oracle Data Cloud ( ODC ) Inbound Security Policies

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

Recommendations on How to Tackle the D in GDPR. White Paper

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

A Practical Look into GDPR for IT

HIPAA Security and Privacy Policies & Procedures

Run the business. Not the risks.

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Continuous protection to reduce risk and maintain production availability

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

EY s data privacy service offering

Twilio cloud communications SECURITY

Data Leak Protection legal framework and managing the challenges of a security breach

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

The Role of the Data Protection Officer

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

BUILT FOR THE STORM. AND THE NORM.

Data Protection Policy

01.0 Policy Responsibilities and Oversight

Vulnerability Assessments and Penetration Testing

SECURITY & PRIVACY DOCUMENTATION

SOC for cybersecurity

TRULY INDEPENDENT CYBER SECURITY SPECIALISTS. Cyber Major

Data Protection and GDPR

GDPR Workflow White Paper

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Privacy by Design and the GDPR

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Prohire Software Systems Limited ("Prohire")

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Cyber Security and Cyber Fraud

Archive Legislation: archiving in the United Kingdom. The key laws that affect your business

Common approaches to management. Presented at the annual conference of the Archives Association of British Columbia, Victoria, B.C.

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

An Overview of ISO/IEC family of Information Security Management System Standards

MEETING DATA PRIVACY AND SOVEREIGNTY CHALLENGES IN THE CLOUD ERA

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Keys to a more secure data environment

Where s My Data? Managing the Data Residency Challenge

Getting ready for GDPR

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Information Security Strategy

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

How WhereScape Data Automation Ensures You Are GDPR Compliant

GDPR COMPLIANCE REPORT

ASD CERTIFICATION REPORT

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Secure HIPAA Compliant Cloud Computing

Canada Life Cyber Security Statement 2018

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

DATA PROCESSING AGREEMENT

Village Software. Security Assessment Report

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Motorola Mobility Binding Corporate Rules (BCRs)

BHConsulting. Your trusted cybersecurity partner

Cyber Security Strategy

How unified backup and cloud enable your digital transformation success

Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia. Bernie Trudel Chairman, Asia Cloud Computing Association

KSi Malta Privacy Policy

Kroll Ontrack VMware Forum. Survey and Report

CA Security Management

Transcription:

reach Cross-Border Data: Managing the Risks People. Partnership. Performance.

Focus on four areas to mitigate the danger of data transfer across borders Cross-border data transfers are not only frequent, but often crucial components of everyday business. Today s patterns of global data flow would be unrecognizable to a technologist of 20 years ago, and developments in global communication networks and business processes continue to evolve at a rapid pace. Along with a general increase in cross-border data activity, there has been an associated increase in cross-border litigation and, therefore, in data discovery activity. Discovery cases involving law and regulations including the Foreign Corrupt Practices Act (FCPA), International Traffic in Arms Regulations (ITAR), Commercial Bribery Crimes under the criminal laws of the People s Republic of China, and the UK Bribery Act have also risen dramatically. These advances in data transfer technology have delivered a host of business and user benefits, ranging from the ability to take advantage of a global distribution of work and knowledge, 24-hour business operations, and convenience for users and customers. However, this innovation has also exposed a whole new world of data vulnerability. Moreover, the unprecedented adoption of external cloud storage solutions increases the potential risks for those unaware of the provider s physical geography utilized for the storage of data. There is also the potential for violation of national and international data transfer regulations and/or privacy laws. These latter risks are becoming more common as more countries implement or update laws that regulate cross-border data transfers. Typically, these laws either forbid cross-border transfers unless certain conditions are met or impose regulatory obligations upon the transferring companies. Sanctions for violating the European Union s privacy regime will increase significantly with the introduction of the General Data Protection Regulation (GDPR) effective on May 25 2018 with the threat of fines up to the greater of 20,000,000 or up to 4 percent of annual global revenue. In combination with these increased sanctions, the more stringent control of EU citizen data regardless of geography stored, more frequent incidents resulting in reputational damage, and governance surrounding data storage and movement are increasingly on the radar of privacy, risk, compliance and business leaders in corporations worldwide. Here are four key areas of focus for your company or firm to bolster data transfer across borders: 1. Awareness Because information technology and privacy legislation around the world changes so quickly, legal and technology practitioners must be informed regarding best practices, applicable laws and regulations and security protocols to keep data safe within data centers, during transit between data centers, and in connection with a cross-border transfer. Familiarity with international data privacy www.epiqglobal.com Cross Border Data 2

and protection-related laws and regulations are also essential. Although no generally accepted definition of the term data privacy exists, nor does a generally accepted framework for documenting and defining adequate data protection ; a commonly accepted lexicon is useful. For the purposes of this article, the following interpretations of these phrases will be used: Privacy Protection of any individual s data, Personally Identifiable Information (PII) or Non Public Information (NPI). Data Protection Aspect of privacy encompassing controls and safeguards that govern the processing, storage or transfer of an individual s data. It s also important to realize that the scope of cross-border dataflow issues is often broader than anticipated. Issues can arise in numerous regulatory arenas such as financial services law, labor law, tax law, etc. However, this article focuses only on issues related to privacy and data protection. 2. Governance Data privacy challenges often begin long before international data transfers come into play, such as at the data governance level. At present there is no standards-based model (e.g., ISO 27001) to leverage. However: ISO/IEC 27017 covers information security aspects of cloud computing. ISO/IEC 27018 covers privacy aspects of cloud computing. ISO Standards will not address the entire scope of the privacy solution, however ISO/IEC 29101:2013 IT and Security Techniques for Privacy architecture framework, ISO/IEC 2700X series for Information technology security techniques, and specifically ISO/IEC 27017/18 in conjunction with privacy within a cloud context start to provide guidelines and best practices when defining the nature of the systems holding PII/NPI. The Information Governance Reference Model ( IGRM ), which can be found at http://www.edrm. net/projects/igrm, is analogous to the Open System Interconnect (OSI) Reference Model of Transmission Control Protocol/Internet Protocol (TCP/IP), as well as the Electronic Discovery Reference Model ( EDRM ). The former describes how data from an application on one computer can be transferred to an application on another computer, and the latter describes how data should move through the electronic discovery process. The IGRM dramatically improves the ability to enable consistent interoperability between highly disparate systems and processes. The same conceptual model is required to facilitate addressing the privacy and cross-border data security challenges faced by companies today. An organization s relative information governance may also be assessed by a variety of maturity models in order to more formally benchmark progress. (See, e.g., http://www.arma.org/r2/generally-acceptedbrrecordkeeping-principles/metrics). 2. Mitigation strategies - information lifecycle To protect data effectively when addressing crossborder data issues, you must consider the lifecycle of the relevant data. Records management models provide an excellent starting point for identifying technical and administrative security and privacy controls that apply well to cross-border data transfer challenges, acting as accountability frameworks for information management as a whole and including natural checkpoints for each step of international data transfer. The basic components of data s lifecycle are as follows: Create/Capture Index and Classify Store/Manage Retrieve/Publish Process Archive Destroy www.epiqglobal.com Cross Border Data 3

Create/Capture How you receive or create data, whether it s captured from a website, a file transfer or a physical acquisition, will affect how it should be handled. Each point of entry requires different forms of protection. Commonly accepted secure methods for creation and capture for each type of procurement are as follows: Website capture: Secure Socket Layer (SSL) File transfer: Secure File Transfer Program (SFTP), Virtual Private Network (VPN), file encryption Physical: Secure media room to image and ingest the data, background checks of personnel Index and classify Now that the data has been securely acquired, you must be sure to apply the appropriate rules. The first step is to identify the type of data acquired. Is it personally identifiable information (PII) or other sensitive or protected personal information? Does it contain images? Documents? What kind of documents? Carefully sifting and sorting the data into the correct bucket types will greatly aid compliance with international data privacy regulations. legacy content can be fed into day-forward index and classification initiatives, thus remediating any previously overlooked PII residing uncontrolled within the environment and reducing risk of unintended transfer of PII across borders. Store/Manage Based on classification, how do you provide adequate protection? Where will it be stored? This information will drive what protection controls are applied. If the data is PII or potential PII, then there may be a legal requirement to store the data in a disk-based encryption format and encrypt backup copies of the data. Data at rest is no less at risk of loss than data in transit. With strong characterization approaches it becomes easier to apply relevant storage regimes. Understanding if content is classified as PII determines if the data requires enhanced security, such as encryption, at the storage layer and whether the data may be stored in more cost-efficient means, such as hosted cloud, or if a local on-site facility is required. Retrieve/Publish The next challenge for a data transfer across borders is how to securely transfer the data across the border, and then make it available for use. Where programs are implemented retroactively, it is essential that consideration is given to look back across the legacy data stored in the organization. Provision of high-level characterization of the www.epiqglobal.com Cross Border Data 4

Encrypt at each step of the process When transferring In storage While displaying Leverage encryption key management to prevent decryption of protected data in countries to which the data is not allowed to be transferred. Control access to systems that can access the data and network paths that can introduce cross-border data transfers. Process When the data is no longer needed for production purposes, where do you store it long-term in compliance with your data retention policy and applicable legal requirements? Is the backup onsite or offsite? Do your archives or backups cross international borders? Are the backups governed by another country s privacy and data protection laws? The answers to these questions will help you to ensure that all potential risk areas are mitigated. Destroy At every stage, ensure protected data is rendered unusable, in accordance with applicable legislation. Ensure appropriate, documented and secure destruction of archives, files, physical copies and any other copies created during the lifecycle of the data. 4. Continuous validation and response Even with the most robust policy, process and systems, continuous vigilance is required to validate that selected controls are effective. Monitor changes to the regulatory and security landscape as they rapidly advance, generating new requirements and vulnerabilities. Leverage the ISO 27001 framework for Information Security Management. This ensures a continuously improving and validated data protection and risk mitigation strategy. Develop a strong incident handling and remediation program to rapidly remediate identified challenges in compliance or technical security controls. Maintain a data map and understand how IT relates to data you store, who has access and what controls are in place. Characterize and regularly review stored data to ensure data storage and controls are working as expected and uncontrolled silos of data for convenience do not undermine applied policies. Ensure that your incident-handling program can manage a breach of data that has cross-border or inter- or multi-jurisdictional ramifications. Exceptions Make sure you have processes in place for data excepted from regularly scheduled destruction cycles. Data subject to legal holds and discovery requests, as well as data exported for a case that takes it outside the ordinary retention period, is commonly excepted from data destruction for the duration of the matter at hand. www.epiqglobal.com Cross Border Data 5

Conclusion In conclusion, although much discussion has occurred around the creation of international standards for data security and privacy Conclusion controls, a true international set of standards has not yet been published. Until then, meaningful protections for data both domestic and international will remain an issue for organizations of With all kinds. the advent Companies of mobile conducting workforces, business ubiquitous internationally, contracting connectivity, with smart international phones, tablets, vendors and or hosting the cloud, data the with international majority of documents data center created providers today must are develop electronic, effective strategies and the bulk to meet of these their documents current and are future never obligations printed to related to international paper. With data the explosive transfer and growth data of security ESI, businesses best practices. must be ediscovery-ready across all countries in which they Overall operate. areas Robust of focus systems for increasing for capturing, global categorizing data security: and retrieving key documents and data are necessary to ensure Awareness that information (Is your organization is rapidly retrievable aware of the regardless challenges?) of type Governance or location. (What is your information governance model?) Mitigation (Are you protecting the data and meeting legal Electronic requirements discovery is at further each phase of For your many data s organizations, lifecycle?) the most complicated by the cross-border reliable way to meet the challenges Validation and Response (Is your strategy effective?can you activities and businesses of today s of ediscovery is to partner with an adequately respond and remediate?) organizations. This is because complying with multiple regulatory regimes and being prepared to experienced ediscovery provider, who can guide them through the process and make sure they are ready Individuals, governments and businesses all have a stake in respond to inquiries with due and able to respond. It is imperative data transparency security, and whether speed requires they re deep directly that the provider involved chosen or not. has a Staying up expertise and experience with cross- wealth of experience in the fields of to date on best practices, implementing an effective, practical border data rules and local regulations, law, technology and business. By information governance program, identifying effective mitigation as well as tools, processes and partnering with the right provider, techniques, technologies that and effectively continuous facilitate validation companies combined can face today s with ediscovery strong ediscovery both within and across challenges with total clarity, efficiency incident response will enable organizations to meet the challenge international borders. and confidence. of cross-border data transfers and security. Cross-border data security and privacy concerns are addressable. Follow and develop the key processes and competencies, and you ll be ready for impending regulation. Disclaimer: This publication is intended for general marketing and informational purposes only. No legal advice is given or contained herein or any part hereof, and no representations, warranties or guarantees is made in respect of the completeness or accuracy of any and all of the information provided. Readers should seek legal and all other necessary advice before taking any action regarding any matter discussed herein.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback