
DPOs Encouraged to Act Now on Invalid Privacy Shield

Businesses should prepare for the post-Privacy Shield era now, and get binding corporate rules (BCR) and standard contractual clauses (SCC) in place for their own data protection.

Speaking on a conference call following the earlier decision declaring Privacy Shield invalid, Cordery partners Andre Bywater and Jonathan Armstrong called the announcement “among the most eagerly awaited” in the field of data protection.

Bywater advised listeners that it is worth doing some due diligence “to see who they are sending data to so they are fully protected.” He said he had not expected Privacy Shield to be invalidated; it has been declared invalid due to concerns around US domestic law and the access to and use of European residents’ data.

With it appearing unlikely that there will be any type of grace period, he recommended putting in SCCs where there is an issue. An SCC is an obligation imposed on both the exporter and the importer of data between the EU and third countries to ensure that data transfer arrangements protect the rights and freedoms of data subjects.

Armstrong said it may be the case that SCCs are “probably the only game in town for people” and depending on national challenges, we “could end up with the nightmare where some authorities accept SCCs and some do not.”

Armstrong explained that he does not expect a new and improved version of the Privacy Shield, and while there are more groups that have brought challenges, he is not convinced there would be any short-term solution. “We are in a different world post-GDPR, and there are more powers to enforce, so Data Protection Authorities (DPAs) have to step up,” he said. He also argued that any new version of Privacy Shield would “be likely to have more teeth as a result.”

Asked by Infosecurity if BCRs are a better option, Armstrong said they have a different foundation in GDPR and are specifically there to transfer data, but this cannot be done overnight and a sponsoring DPA will need to be found to approve it and take it to other regulators, and that process could take eight to nine months minimum. “It is not a quick fix and you will need interim plans,” he said.

Looking forward, Armstrong said that had Facebook still completed data transfers last night, it could have problems and this could be an overall concern for social media companies. “Most organizations have got to react today or tomorrow and have a plan, it will not be foolproof and include communications and FAQs,” he said.

“There may be some political fudge, and there may be a ‘keep calm and carry on’ message from (vice-president of the European Commission for Values and Transparency) Vera Jourova, as she has bigged-up privacy rights and this is a difficult political tightrope for her and enforcement will be proportionate to give her a chance to create a plan, but aggrieved individuals and pressure groups are not as patient as a regulator could be.”

Bywater said regulators will be taking a much closer look at SCCs and may ask to see them and see where you transfer data, “so take a closer look at what you have in place as this is not something that will go away.”
