The Data Privacy Radar is an ongoing series by our data privacy team to explore compliance and information governance issues for organizations around the world. Check out the other posts on the US federal perspective and the Cloud Computing Compliance Controls Catalogue (C5).
Connected, digital enterprises do business around the world, and exist virtually without borders, regardless of where they are located. Data is constantly exchanged and processed by a company's customers, employees, partners and vendors. Naturally, approaching data privacy governance from a global perspective in today's world is not an option, but a necessity.
Let’s take, for example, a financial services company based in Frankfurt but serving clients in New York, Singapore, and so on. Financial transactions containing personal data from clients of this company are transferred from one country to another, subjecting those data transfers to the data protection requirements of different jurisdictions.
In addition, a big concern and topic of discussion is the upcoming General Data Protection Regulation (GDPR), which protects the right of individuals to access their data and ensures fair data processing, among other requirements. The GDPR is generally considered to be the new gold standard of personal data protection, as data is transferred and processed around the globe.
Is it impossible for the financial services company to make data transfers within the requirements of over 190 countries, each of which has its own state, provincial, and federal data laws? Is it impossible for these data transfers to meet the new high watermark, the GDPR?
Meeting the Recognized Gold Standard for Data Privacy
Our philosophy is to evaluate and meet the highest bars for data privacy globally, and help put organizations in a very good position toward meeting different data privacy obligations across jurisdictions.
With that philosophy in mind of meeting the highest bar we could, Box underwent the lengthy Binding Corporate Rules (BCRs) approval process by the EU data protection authorities (DPAs), who focus on the organizational and technical measures the applicant has put in place to safeguard the personal data transfers of its customers and their clients. After the arduous review process, Box received approval for its Global Processor and Controller BCRs enabling us to transfer personal data outside of the European Economic Area (EEA), in accordance with the European data protection regulations.
It was no surprise that the high bar for data privacy accepted the high bar for data transfer. The GDPR recognizes these BCRs as valid mechanisms for the transfer of personal data from the EEA, including from the EU member states, to the United States.
So when the GDPR comes into effect in May of 2018, an organization is well-positioned to address GDPR for protecting EU personal data that is processed by Box.
Personal Data Transfers Beyond Europe
And what about when the example company transfers data from other regions?
While BCRs are recognized by many jurisdictions throughout the world, even outside of the EEA, the APEC Cross-Border Privacy Rules (CBPRs) additionally protect organizations in Asia and several other jurisdictions. Complementing its Global BCRs, Box secured approval for CBPRs, which add another layer to Box’s efforts to help its global customers meet their privacy obligations in an efficient and compliant manner.
Data Privacy Governance Requires a Holistic Approach
Today’s data knows no boundaries, regardless of where your customers are or what industry you're in. So how does an organization meet the regulations of all these countries and meet regulations like the GDPR?
The only practical, yet comprehensive, way to do this is to ensure that you are working with services that meet the highest global watermarks of data privacy governance.
During the upcoming weeks in this Data Privacy Radar series, we will touch on the most pressing compliance and information governance issues for organizations around the world. Stay tuned for more from myself and colleagues on meeting US federal requirements, complying with GDPR, and other developing trends in data privacy governance.
In the interim, learn more about how Box can help organizations address in-region data residency concerns by downloading our Box Zones datasheet.