Regulatory compliance: data management and the EU-US privacy shield


Data privacy regulations from regional to national and international level are a major concern for all organisations. Companies need to be able to navigate a constantly changing regulatory landscape and handle their data in line with new and developing directives as they come through.

For example, the EU-US Privacy Shield initiative, which replaced the Safe Harbour agreement, may have passed its first review in September but it still has plenty of potential teething problems to address. In turn, that raises challenges for businesses trying to achieve compliance.

The programme, which was introduced in 2016 to protect personal data transfers across the Atlantic, is beset by a number of challenges including perceived low uptake, a lack of understanding about its practical implications and, crucially, the USA’s failure to appoint an ombudsman to monitor American compliance.


It’s a good example of how regulatory compliance can be more complicated than it seems. In order to keep pace and help build a strong compliance programme, businesses need to ensure they have a strong data management capability in place.

The problem: uncertainty

One of the key problems facing the Privacy Shield is uncertainty. Around 2,400 organisations on both sides of the pond have certified their compliance in its first year, fewer than half the number that subscribed to Safe Harbour, which potentially undermines the new system’s authority.

At the time of writing, the US is yet to appoint a permanent watchdog to take complaints and ensure compliance, which brings into question the trust those 2,400 organisations can place in the Privacy Shield. It’s also hard to know what form the framework may take in a few years’ time. This is a large-scale example, but uncertainty is an issue surrounding the development of all new or updated privacy regulations.

That uncertainty is a problem if you’re trying to maintain a transatlantic business that involves any kind of personal data transfer (e-commerce or social media for example).


There’s a dual concern: on the one hand, companies risk regulatory penalties if they fail to govern their data correctly; on the other, they may end up spending considerable time and money on compliance programmes that become obsolete in a few years’ time. With this uncertainty ongoing, companies trying to achieve compliance have little solid idea of what to do or how long the Privacy Shield may remain in existence.

Improving compliance: manage that data

So how do businesses caught in the middle deal with these issues, whether they’re under the Privacy Shield or any other regulation? The answer lies in investing in a good data management strategy. Regulatory controls on privacy are never going to go away, so companies are always going to need to be able to keep track of where data is generated, resides and moves.

Whether regulations in their current form become the accepted standard or continue to change, a comprehensive data management strategy is an investment in the future of the business – not just in terms of compliance, but also with regard to efficiency and turnover.

Data discovery

The first step should always be to map out your entire data landscape. For many organisations nowadays, and particularly for those doing business in more than one continent, a large proportion of that data will be spread across multiple clouds and servers in multiple locations.

That means that a worthwhile data mapping programme needs to be able to get into every nook and cranny, and that the entire enterprise needs to be available to data discovery.

The organisation will need to ensure that all business divisions are enfranchised in the process, and that the solution it is using has the capacity and intelligence to provide a comprehensive overview.


It’s not good enough to guess what you’re storing and where – there’s too much risk for both company and data subjects involved. Start with a clear picture of what data resides on your systems on both sides of the pond. Given the scale of the job, automation should be a key technical component of the programme, enabling you to reduce the time it takes to complete and providing a higher degree of accuracy.

With the ever-changing nature of most companies’ data landscapes, speed is also a cost-saver, as there’s less chance of a need to re-run the process – although data discovery should of course be an ongoing programme.

Governing your information

Once you’ve mapped out your landscape, the next step is to classify it, ascribing risk factors and actions based on sensitivity. As an example, a bank of customer contact details might be flagged as high-risk, whereas office supply orders might be flagged as lower risk. With that information, you can then create data governance policies to protect sensitive information from misuse, mishandling or direct attack.

As with data mapping, data governance involves reams of information, and as such, it’s likely to be too much for a human team to handle on its own. Some of this information is already available within organisations, but it’s sitting in operational silos and often isn’t connected up. Businesses are going to need to have powerful automation capabilities in place for rapid, accurate data cataloguing – that might include cleansing the data as well if you have out-of-date or corrupted information.


An intelligent data platform should be able to use pre-set indicators to make these decisions on its own, taking in a mass of unstructured data and turning out readable, usable insights and, with the introduction of AI, recommended subsequent actions.

The Atlantic issue

In the global economy, and with the dominance of US companies over the most popular online services in the West (social media, e-commerce and cloud storage, for example), international data movement is simply a fact of life. As hybrid storage models become the norm, there is always likely to be some information outside the physical boundaries of a company’s home country.

With that in mind, a strong cloud data management programme is a must. Companies that do business internationally in any capacity must make sure they have the tools in place to control their data and can comply with data privacy regulations at all levels. Those that don’t are potentially putting their reputation and their profits on the line.


Sourced by Andrew Joss, head of solutions and data governance, Informatica
