How GDPR Affects International Data Transfers

Now that General Data Protection Regulations (GDPR) went into full effect as of May 28, 2018, many companies seem to be rushing to comply with the latest guidelines on privacy. The reality is that data protection laws have existed for many years not only in Europe but also in many other parts of the world.

However, the introduction of the GDPR does have significant implications for all individuals and organizations. The GDPR aims to give more control of their personal data (known as personally identifiable information or PII in the United States) back to individuals and to simplify the regulatory environment for international business by unifying the regulations within the European Union (EU). Prior to GDPR, each EU member nation had its own data protection law. Another important outcome from GDPR is the process necessary to export personal data outside the EU.

Navigating Privacy Laws in the U.S.

Fair Information Practices (FIPs) form the basis for most data protection laws around the world, including in the United States. Take for example, HIPAA and JACHO in the healthcare industry and the Right to Financial Privacy Act of 1978 in the banking industry. These and other types of FIPs offer a useful checklist of information privacy issues that offer value in nearly every context. When a question arises, consult FIPs and see what it suggests you should do. You won’t get a specific answer, but you will find general guidance.

But what is exactly the personal data that your enterprise should guard in the first place? While the EU has a specific definition of sensitive information, the U.S. does not. Making assumptions about what constitutes personal data can be dangerous because there are cultural differences that affect how sensitivity is assessed. While trade union membership would rarely be considered sensitive in the U.S., it’s a highly sensitive issue in most European nations. On the other hand, most Americans consider financial information very sensitive, but it is not expressly included within the EU definition.

U.S. privacy laws have varying degrees of compliance requirements across industries. While federal law imposes comprehensive privacy rules on the health sector, the banking sector is subject to far less comprehensive rules. Many organizations are not subject to any privacy law at all. To make matters more complex, state laws sometimes apply as well. California and Delaware have specific children’s online privacy legislation; California, Connecticut, and Delaware have privacy legislation that affect website or online services; and Nebraska, Oregon, and Pennsylvania have rules on false and misleading statements in website privacy policies.

As you can see, there are many federal and state privacy laws addressing how personal data can be used and disclosed by companies and others. When privacy law is at issue, it’s a best practice to consult your legal department.

Highlight on International Data Transfers

With the GDPR, one issue that stands out above all is the transfer of international personal data. As the result of globalization, many enterprises have been able to expand their operations across borders and may have a presence in Europe. While it may seem that the sharing of information from an European division to an American division is just business as usual, it’s important to remember that the transfer of personal data is subject to regulation.

Even before GDPR, there was a privacy agreement known as Safe Harbor. Now, the EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies participating in the Privacy Shield program to protect European’s personal data. Currently there are over 3,900 organizations participating in Privacy Shield. It replaces and strengthens the previous agreement, Safe Harbor. Privacy Shield requires U.S. federal agencies to monitor, enforce more robustly, and cooperate with European Data Protection Authorities, and includes written commitments and assurance regarding access to data by public authorities.

Perform Due Diligence When Transferring Personal Data Across Borders

A company’s privacy notice is an important document. This is why you’re seeing many organizations sending out email notices about their privacy policies since May 25, 2018. A privacy policy tells the world how a company processes PII. It informs customers, employees, and regulators what PII is collected and how the PII is used and disclosed. It’s the best place for employees to look when questions arise about the rules.  For companies that are not expressly subject to a privacy law, a privacy notice can sometimes be enforced against the company by the Federal Trade Commission under its authority to prevent unfair or deceptive trade practices.

The privacy notice should be a readily available document in the library of your contract management software and it should become the first point of reference for employees when thinking about customer data. The EU regulates the export of personal data to other countries. Transfers from the EU to the United States can be accomplished under different justifications, but not all transfers can be done easily. EU data exports are especially complicated, while U.S. law rarely limits data exports. Still, instill in your employees that no international data transfers in any direction should be attempted without consulting company lawyers and privacy officers.

When the applicable law is not clear on this point, your enterprise will have to make its own judgment, in particular with regard to the security measures that should apply. A good benchmark is the likely risk of harm occurring to individuals if the relevant information is the subject of a security breach.

How Contract Management Software Can Help

The best way to ensure the privacy of your customers’ data is to make sure it is truly secure.  Contract management software providers are entrusted with housing and managing their customers most important and sensitive data – that which is found at the heart of the business agreements that exist between them and their suppliers, customers, and employees.  Ensuring that this data is secure, and yet always available to those who need it, is foundational to the contract management function.

Software from Contract Logix undergoes continuous security assessments and real-time monitoring to ensure compliance with the industry’s most rigorous security requirements.

Image Credit: Mohammed Hassan