What does the EU-US Privacy Shield mean for your business?


Understanding regulations concerning data transfers, cloud computing and cyber security can be difficult enough if all of your data is handled in a single country. However, if aspects of your data are stored or processed on servers hosted in another country, this means understanding how that country's regulations can affect your business too.

When deciding which other businesses to work with and which cloud provider to use, you need to look at where your data will be physically hosted, as well as how easy it is to access and transfer. This is not only because your company needs to keep that data as safe as possible; you may also be subject to penalties if you breach any applicable laws or regulations.

One of the biggest factors affecting data transfers and hosting in other countries is the EU-US Privacy Shield. The Privacy Shield came into effect on July 12th last year and covers the transfer of personally identifiable information between the US and countries throughout Europe.

It affects any business within Europe that transfers data to America, and companies in the US need to be specifically certified to handle it. All data entering the US from Europe must be shielded from the mass surveillance methods used in that country, with specified levels of protection and defined processing methods. Sending data to, or hosting it with, an American company that does not hold this certification can put you in breach of EU law, which can result in strict penalties.

Not only should you ensure that a US service is correctly certified when you first take it on, it is equally important to stay aware of any later changes to legislation that could affect your data and put you at risk of penalties. Failing to do so will be classed as your company's fault and could also mean that data you thought was protected is not completely safe.

One thing that will not affect the EU-US Privacy Shield is Brexit: any company that stores or processes European data will be subject to the same regulations even once Britain is no longer part of the EU. This means your company still needs to ensure the regulations are followed in full, to avoid repercussions that go beyond the data itself no longer being secure.

All of this means that looking at the actual location your data is going to is just as important as assessing how you are going to transfer, process or host it. You will be subject to a different set of laws on top of UK and European regulations, which can make doing business considerably more complicated.

This is especially the case once the General Data Protection Regulation (GDPR) comes into effect on May 28th, 2018, which will restrict when and how data is moved outside of the EU, even if you are working in compliance with the EU-US Privacy Shield. The GDPR applies to temporarily transferred data as well as to the storage of EU data in other countries. On top of this, the GDPR will be regularly reviewed, keeping businesses on their toes, as the regulations will likely change each year.