No matter where you are located, or where the data you are processing comes from, you will need to be sure the data is transparent before new privacy rules come into place in May 2018.
Under the EU’s General Data Protection Regulation (GDPR), personal data can flow between the 28 EU countries as well as Norway, Liechtenstein and Iceland. Transfers to any of the 11 countries the European Commission (EC) deemed to have an "adequate" level of protection are also still possible.
In a white paper, Focus on Five High-Priority Changes to Tackle EU GDPR, Gartner discusses new GDPR rules and makes some recommendations.
The GDPR introduces two additional mechanisms, said Gartner:
- Codes of conduct demonstrate to regulators and data subjects internal regulation and strict adherence to certain (privacy) standards. This is interesting for any organization which resides outside of the EU but does business with parties within it.
- Certification (or "privacy seal") will most likely be developed at an EU-central level, and will be relevant for data processing organizations outside the EU as well. Not much detail is yet available on a common seal that may replace the variations in existence. Intended certifications and seals require action from the new European Data Protection Board first, to be eligible as appropriate mechanisms.
Gartner makes the following recommendations:
- EU-based data controllers should pay specific attention to these mechanisms when selecting or evaluating data processors outside the EU. Make sure the appropriate controls are in place and add these as requirements to your contracting procedures.
- All Gartner clients outside the EU, processing personal data on EU residents, should select the appropriate mechanism to motivate and ensure compliance with the GDPR. Seek legal advice and select the right third-party oversight.
Borders are meant to be crossed, but – with personal data – they can get tricky. The next and final step in Gartner’s white paper will address preparing for your data subjects to exercise their rights.