CIO, business must wield EU-U.S. Privacy Shield - Valutrics

A joint exercise

Miriam Wugmeister, a privacy and data security lawyer at law firm Morrison Foerster LLP, said if companies are going to wave privacy credentials such as those laid out in Privacy Shield, they need a “holistic” program that ensures that personal information is safe and secure in their data banks. And that requires collaboration.

“The data security folks, the CIOs and the chief privacy officers need to be joined at the hip,” Wugmeister said. “Because what they’re doing has to be seamlessly integrated so that the promises that you’re making can actually be supported by the technical and administrative measures that the CIOs are putting in.”

CIOs, she said, will also be instrumental in identifying the biggest risks. They need to communicate that to the business, help set the agenda and figure out what can and can’t be done.

“I saw one company say, ‘We’re going to encrypt all data.’” Wugmeister said. “What does that mean? Data in transit? Data at rest? You can’t encrypt all data all the time, because then you can’t use it.”

The EU-U.S. Privacy Shield isn’t the only lawful mechanism for moving personal data out of Europe. Model contract clauses provide another mechanism for data transfers, as do binding corporate rules. Companies need to run risk assessments and then determine which transfer route to take — or whether to transfer the data at all, Iannopollo said.

The important thing is to understand what each transfer option offers and what its implications are — that’s especially true of the Privacy Shield pact, she said.

“You cannot think to move data around regardless of the rules,” Iannopollo said. “It’s not an option anymore to think, ‘Yeah, I can do without following the rules.’”