The state of uncertainty is over. Well, it’s almost over. Tech companies have been operating in a whirlwind of confusion since October 2015, when the Court of Justice of the European Union (CJEU) declared Safe Harbor invalid as a framework for the transfer of personal data from the European Union to the United States.
Following the court’s ruling, politicians and regulators searched frantically for a substitute, now referred to as the EU-U.S. Privacy Shield, a framework intended to provide a lawful basis for transatlantic transfers of personal data.
Cross-border data transfers can include payroll, human resources data, health information, and even data used for targeted online marketing and advertising – a goldmine of information.
What Businesses Need to Know
With the EU-U.S. Privacy Shield now finalized and approved by European governments, privacy compliance is a necessity for all global brands. However, research has shown that 95 percent of large enterprises are only “somewhat aware” of their legal obligations when it comes to complying with today’s privacy regulations.
With this in mind, it’s important that businesses of all sizes understand the cost of non-compliance, as well as the price of manually managing policies in-house. For example, a recent Data Protection Compliance Report by IT Governance shows that monetary penalties were more severely enforced for online breaches and cyberattacks than for other types of breaches, costing companies an average of about $68,000 per incident.
In addition, an organization’s compliance with Privacy Shield will be directly and indirectly monitored by a wider array of authorities in the United States and the European Union than under Safe Harbor, which may increase regulatory risk and compliance costs for participating organizations. According to law firm Morrison Foerster, “An organization’s compliance with the Privacy Shield may be directly or indirectly monitored by the Department of Commerce, the FTC, the Department of Transportation (or other body with statutory authority), European DPAs, and private sector independent recourse mechanisms or other privacy self‑regulatory bodies.”
Perception Is Reality: Customer Edition
Lawmakers and institutions are not the only ones holding businesses accountable when it comes to data privacy. Companies also must answer to their customers. As data becomes the linchpin of business success, consumers are growing increasingly wary of how their personal information is being used.
According to the survey, “Consumer Trust Survey: Data in the Hands of Companies and Government,” more than half of the respondents indicated that they do not trust anyone with their personal data, including banks and retailers. Specifically, one-quarter trusts banking websites and 13 percent trust government entities, while a mere 2 percent trust mobile phone manufacturers, wireless providers, or big corporations.
Syniverse, a supplier of mobile software to network operators, conducted a survey of phone users in eight major markets – Brazil, Britain, China, France, Germany, India, South Korea, and the United States. It found that 75 percent of consumers did not trust even well-known marketing brands to take care of their data, and 55 percent said their trust had eroded in recent years.
In response to the changing privacy environment, and to the challenge of keeping customer data secure and legally compliant under consumers’ watchful eyes, many companies are now evaluating cloud-based customer identity and access management (CIAM) solutions, which can offload much of the cost, resources, and risk of maintaining privacy compliance. A CIAM platform helps manage customer authentication, identities, and data, saving significant development time and resources that would otherwise be spent managing regional privacy regulations. It also gives businesses the flexibility to structure registration forms and consent flows in keeping with regulations when implementing social login. Note that outsourcing these functions does not transfer the legal responsibility: the business that collects the data remains accountable for how it and its vendors handle it.
Hope for the Future
Now that the Privacy Shield has been approved, companies must ensure they remain compliant and are able to self-certify with the U.S. Department of Commerce, starting today. EU organizations that wish to transfer personal data to the United States will be able to do so lawfully to any U.S. organization that is certified under the Privacy Shield. Businesses should prepare accordingly.
Privacy Shield compliance can be confusing, but solutions exist to help businesses operate in the best possible way and to avoid racking up sizeable costs because of non-compliance. These solutions also can keep customer data safe, helping to alleviate concerns about lost or compromised data.
Patrick Salyer is CEO of Gigya. Patrick joined Gigya in 2007 and has led the company’s vision, strategy and operations. Before joining Gigya, Patrick co-founded a suite of social applications and served as a consultant for L.E.K. Consulting, a strategy consulting firm. Patrick holds a bachelor’s degree from Harvard University.