The recent Schrems II invalidation of the EU-US Privacy Shield has added a layer of difficulty for organizations that operate across borders, as they now require additional contractual clauses and measures in place to ensure data can transfer freely. Organizations that may have previously been reliant on the Shield as a factor in ensuring any EU data could be exchanged and processed by countries, including the United States, without a GDPR adequacy ranking, face significant obstacles in ensuring that the appropriate safeguards, by means of Standard Contractual Clauses and data transfer agreements, are in place to avoid a violation and hefty fine from the regulator.
This is no small feat for MNCs operating in a multitude of countries across the globe. Each data importer now requires a separate due diligence process to be conducted and a separate contract to ensure that information it receives and processes is maintained with the same standards as those outlined within the country of origin. Those familiar with the three sets of Standard Contractual Clauses (SCCs) and the new guidance around SCCs trickling down slowly from the EDPB will recognize the level of effort that is required to manage these contracts and ensure continued compliance.
Privacy program management vendor Proteus-Cyber has recently introduced a streamlined solution to its NextGen enterprise software that helps organizations manage their complex environment and multiple operating locations in the aptly titled Transfer Impact Assessment (TIA). The TIA consists of a pre-configured survey that enables the DPO or privacy manager to have a centralized overview of all SCCs that the organization has in place with respective data importers, which can consist of both subsidiary companies and separate vendors and third parties that process data on the controller’s behalf.
One key feature that privacy professionals can benefit from within the TIA is the ability to customize based on country-specific guidance around data transfers and requirements issued by national data privacy regulations. For nations even within the EU that have separate requirements for data processing and transfers, the TIA can be altered to reflect these specifications to ensure that all obligations are being met.
Additionally, Proteus-Cyber’s TIA feature integrates and builds off of the NextGen Data Privacy product to provide technical insight into the sensitivity of the information being transferred, to where and how it is being transferred, and the appropriate security controls in place around protection of the information on the end of the data importer. It is a holistic, full-spectrum solution to help manage the Schrems II-incited stress of MNCs and global entities.
Source: Proteus-Cyber Vendor Briefing, Proteus-Cyber
The July 16th ruling by the CJEU served as yet another nudge for organizations that view data privacy as a simple checkbox to take a proactive and case-by-case approach to privacy processes and the overall integration of data privacy within the organization’s operational streams. And although we still await the final changes and updates from the EDPB to the three sets of SCCs, we expect a noticeable increase in the level of scrutiny applied throughout the revised terms in relation to expectations around a data importer’s data protection processes and controls.
Added scrutiny means added work for those within the DPO, PO, or legal function within multinationals. Ensuring that the internal data privacy standards meet requirements is enough of a challenge, and this is now compounded by the need to ensure that appropriate measures have been taken by all subsidiaries or third-party importers. The complexity of this process has been taken into account by Proteus-Cyber and simplified with the launch of the TIA feature. The TIA’s ability to draw on information obtained through Proteus NextGen and effectively ensure that any third parties to which data is transferred meet all requisite conditions is a game-changer in the privacy program management and legal and compliance sphere.
The tool provides an automated approach to a process that would be more than a headache to perform manually, but still relies on external validation and checkpoints throughout to ensure the data transfer agreement meets all requirements. Proteus-Cyber’s TIA feature is an optimal combination of efficiency and customization and has set the bar high for other privacy program management and compliance software solutions to follow suit.
TrustArc is partnering with BigID to add protection of sensitive data to its roster of data privacy and compliance capabilities. The move closely follows a partnership announced by two other major players in the data privacy and governance space, OneTrust and Integris.
An acquisition born out of its users’ primary needs, OneTrust’s recent integration with data discovery giant Integris optimally positions the privacy program management software vendor against competitors in the market.
Data intelligence software vendor Alation has made the move to emphasize data governance amongst its solution offerings to make the data catalog a dynamic platform for “a broad range of data intelligence solutions.”
The industry’s first self-service privacy software solution Ethyca receives its second round of investor funding, aptly timed with the release of Ethyca Pro. The privacy management solution provides full automation capabilities for data mapping, data subject requests (DSRs), and consent management for various international privacy regulations.
To further capabilities in the data privacy space, top-tier vendor OneTrust has acquired Integris, another leading vendor within the data discovery and classification sphere. This is a two-part note that focuses on the acquisition and anticipated synergies between the two companies.
AI-powered privacy is here to stay, driven by the innovative team at SECURITI.ai. The company injects automation through AI with its PrivacyOps solution, PRIVACI, taking the effort out of mapping out personal data within its various repositories.
The privacy management software space is rapidly becoming crowded with vendors all looking to add value. 2B Advice has released the most recent version (7.0) of its software, emphasizing the support tools needed to build a privacy-aware culture.
In response to criticism over data collection practices, Google is introducing default deletion of location history in its web and application activities for new accounts.
Proteus-Cyber, a leading vendor within the privacy program management space, has added two standout features to its current privacy software offering. The Threat Intelligence feature tracks and links directly to CVEs discovered daily and can be integrated within the IT asset register of current Proteus-Cyber NextGen Data Privacy users.