
Nair & Co.'s Director talks about international data privacy regulations in Profit Magazine's 'Data Without Borders'


8/3/2019 http://slidepdf.com/reader/full/nair-cos-director-talks-about-international-data-privacy-regulations


Data Without Borders

With employees and customers in multiple countries, IT managers must answer to a web of privacy laws to keep international data legal.

by Minda Zetlin, Profit Magazine, February 2012

A company that provides online wellness services landed a contract with a major company with offices in Spain, Germany, and France. It was the kind of sale every executive dreams of. But it came with some very big headaches, too. “Now they’ve got this problem where they have to abide by the privacy regulations in each of these three countries and register with the regulators there,” says Stuart Buglass, director of human capital consulting at Nair & Co., which advises companies on international expansion. The wellness company had walked right into one of the most challenging aspects of international business today: data and privacy laws across international borders.

The challenges are considerable. Throughout the world, an evolving mosaic of privacy laws dictates how data must be handled. At issue is personally identifiable information (PII) that can be traced to an individual person (such as name, address, ID number, and job title). Most experts agree that the most stringent data protection laws are found in the European Union (EU), where the Data Privacy Directive governs all PII use. In general, a company able to deal effectively with the provisions of the EU directive will likely be able to handle privacy laws in other jurisdictions as well. Although the provisions of the Data Privacy Directive hold across the EU, anyone collecting data on European residents must follow the laws of an individual’s country of residency as well, and those laws differ among EU member states. It might seem logical to find the strictest EU privacy laws and comply with those, but the laws are different enough to make that approach impractical.

“You can’t have a broad sweep of standards that will satisfy all the different types of legislation,” Buglass says. “You have to actually identify where the data subjects are and which specific legislation applies to them.”

Complex Relations

One of the EU’s eight “enforceable principles” for privacy protection is that data must not be transferred to countries without adequate legal protection. But that raises the question of what constitutes a data transfer. From a privacy and security standpoint, it makes little difference whether an employee’s name is sent through a network and stored on a server in, say, Russia, or whether a hacker from Russia goes through that same network to view the data while it resides on a server in France. And indeed, the EU defines access to data as a form of transfer, for privacy purposes.

While many experts recommend leaving European data in Europe, that strategy is not sufficient to ensure compliance with the law. And it can create unexpected challenges for Americans accustomed to different privacy rules. “Something as innocuous as a personnel directory that can be accessed by company staff outside of Europe can create a problem,” notes Lisa Sotto, head of the privacy and information management practice at Hunton & Williams, a law firm with expertise in intellectual property and international business.

To make matters worse, international laws may conflict with each other, especially when it comes to keeping data. In general, European laws require companies to destroy PII as soon as its utility has expired. But in the United States, laws may dictate a different retention period. “If you’ve got a U.S.-based company dealing with data from another country, there may be a conflict,” says Jimma Elliott-Stevens, director of risk assurance services at PwC, a global professional services firm.

Meanwhile, the list of nations with strict laws governing the use of PII is growing. In 2011, Costa Rica became the seventh Latin American country to regulate this data. India’s data privacy laws, amended in 2008, are strong enough to draw criticism from U.S. multinationals.

But for nations outside the EU, stricter data privacy laws can be good for business. The European Commission has recognized a handful of countries with adequate data privacy protections, among […] offer similar protections to the EU directive.

(Data Without Borders, Profit Magazine, 2/3/2012: http://www.oracle.com/us/corporate/profit/features/010312-data-1447091.html)

“It’s interesting to note that a lot of countries coming up with robust sets of legislation are those where there’s a lot of offshoring,” Buglass notes. “India’s privacy law is probably even more robust than that in the EU. It isn’t yet a trusted third country, but if India’s government can prove it can actually enforce these rules, it may be soon.”

However, the chances of the U.S. gaining the status of a trusted third country are virtually nil. The American approach is to have different regulations apply in different industries (for instance, the healthcare industry is subject to the Health Insurance Portability and Accountability Act, more commonly known as HIPAA) and in different states.

“I think the U.S. would have to crumble and be rebuilt to change its entire sectoral approach to regulations,” Elliott-Stevens says. “The U.S. cares about data privacy, and we do have strict laws and regulatory bodies in place. But the way we deal with it is to find commonalities and start there. We negotiate and leverage relationships.”

Crossing Borders

So what are the options for U.S. companies with employees in countries with stricter privacy laws? One way is to keep all personal data within the country or jurisdiction where it is obtained and prevent any access from outside. Another would be to find a way to certify that data transferred outside the jurisdiction will adhere to local legal strictures. (See “Gaining Customer Consent.”)

The first of these options may be the right choice for many multinational companies. Privacy laws do not prevent managers from accessing sales and performance data from outside a territory, as long as IT ensures that PII, such as a customer phone number or employee attendance history, isn’t involved.

“Maintaining local management of data is the perfect solution,” Buglass says. “If you haven’t got the luxury of doing that, try to limit the data transfers to certain countries. The risk, obviously, is when you can’t keep track of the data, for instance, if you have a cloud server that jumps from country to country to take advantage of available storage.” Some companies are coping with this by setting up EU-only clouds, he adds.

For managers who do need to transfer PII among jurisdictions, there are legal frameworks that make this possible. One is the Safe Harbor arrangement, in which U.S. companies certify that they will abide, for example, by the EU directive when handling PII from an EU country. However, since the EU is counting on the U.S. Federal Trade Commission (FTC) to enforce the Safe Harbor provisions, this option is only available to companies regulated by the FTC. Safe Harbor has been in place for more than a decade, and so far roughly 2,000 U.S. companies have signed on.

A second, more difficult option is Binding Corporate Rules, a legal framework in which companies certify that they have put in place corporate rules protecting the privacy of PII. Though created as an alternative to Safe Harbor and model contracts (see below), Binding Corporate Rules is a difficult choice, Sotto says, because it requires getting specific approval for your rules from some individual countries. While many EU countries’ data protection authorities will recognize the blessing of another country’s authority, some EU countries will not. “It’s very hard to implement,” she says.

A third solution is to use the model contracts provision of the EU privacy directive. In this case, a contract between European and non-European entities requires the non-European entity to protect the privacy of personal data, Sotto says. Since the European subsidiary of a multinational company is nearly always created as a separate legal entity, the two can sign a binding contract that fulfills the data transfer requirements of the EU privacy directive.

“For these solutions, you need to understand the relevant data flows within your company,” Sotto says. “What you’re collecting, the use to which you’re putting the data, and who will have access to it. And ultimately, how and when you will dispose of it.”

The Role of IT

Inevitably, compliance with global data privacy laws falls to IT, but industry best practices can help.

Know your data. Having a precise understanding of the data you have is an essential first step, according to Carolyn Holcomb, partner, risk assurance services, at PwC. “Think about every data element that could be used to identify an individual,” she says. “If you put them all together, there are somewhere in the neighborhood of 60 different elements that are common across the different privacy laws. Make a list of all those data points, and then do a data inventory. Find out exactly where the data resides and what countries it comes from.”
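The two IT-side points above can be tried out in code: the "know your data" inventory described here by Holcomb (list the identifying elements, then record where each data set lives and whose residents it describes), and the "Crossing Borders" option of keeping PII inside its jurisdiction while still letting staff elsewhere read non-PII such as sales and performance figures, on the principle that access from abroad counts as a transfer. The script below is an added example, not code from the article or from any firm quoted in it; the element catalogue, the country codes, the data sets and the adequacy list are constructed sample values, not any regulator's real lists, and the residency rule is deliberately simplified to "EU-resident PII is released only to requesters in the EU or on the adequacy list".

```python
"""
PII inventory and cross-border access check (added example; assumptions noted).

Two functions model the article's advice:
  inventory()      -> "know your data": PII vs non-PII fields per data set,
                      where each set is hosted and whose residents it describes.
  allowed_fields() -> "access is a transfer": a requester outside the data
                      subjects' jurisdiction gets non-PII only, unless the
                      requester's country is on the adequacy list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed catalogue of identifying elements. The article names name,
# address, ID number, job title, phone number and attendance history and says
# roughly 60 such elements recur across privacy laws; this is a sample only.
PII_ELEMENTS = frozenset({
    "name", "address", "id_number", "job_title", "phone",
    "email", "attendance_history", "date_of_birth",
})

# Constructed lists for this example: EU member states that appear in the
# sample data, and countries treated here as "adequate" destinations.
EU_MEMBERS = frozenset({"DE", "FR", "ES", "IE"})
ADEQUATE_COUNTRIES = frozenset({"CH", "CA"})
TRUSTED_FOR_EU_PII = EU_MEMBERS | ADEQUATE_COUNTRIES


@dataclass(frozen=True)
class DataSet:
    name: str
    host_country: str      # where the server holding the data sits
    subject_country: str   # country of residence of the data subjects
    fields: Tuple[str, ...]


# Constructed sample data sets (names, countries and fields are invented).
SAMPLE_DATASETS = (
    DataSet("fr_hr_directory", "FR", "FR", ("name", "email", "job_title", "department")),
    DataSet("de_sales_q4", "DE", "DE", ("region", "revenue", "units_sold")),
    DataSet("es_attendance", "IE", "ES", ("name", "attendance_history", "site")),
    DataSet("us_payroll", "US", "US", ("name", "id_number", "salary_band")),
    DataSet("de_backup", "US", "DE", ("name", "address")),  # cloud copy that left the EU
)


def inventory(datasets=SAMPLE_DATASETS) -> List[Dict]:
    """One inventory row per data set: PII and non-PII fields, host country,
    and the country whose residents the data describes."""
    rows = []
    for ds in datasets:
        rows.append({
            "dataset": ds.name,
            "host_country": ds.host_country,
            "subject_country": ds.subject_country,
            "pii_fields": sorted(f for f in ds.fields if f in PII_ELEMENTS),
            "non_pii_fields": sorted(f for f in ds.fields if f not in PII_ELEMENTS),
        })
    return rows


def hosted_outside_trusted_region(ds: DataSet) -> bool:
    """True when a data set about EU residents is stored in a country that is
    neither an EU member nor on the adequacy list (the "cloud server that
    jumps from country to country" case). Non-EU subjects are not checked by
    this simplified rule."""
    if ds.subject_country not in EU_MEMBERS:
        return False
    return ds.host_country not in TRUSTED_FOR_EU_PII


def allowed_fields(ds: DataSet, requester_country: str, requested) -> Tuple[List[str], List[str]]:
    """Split a field request into (allowed, withheld). PII about EU residents
    is released only to a requester in the EU or in an adequate country;
    non-PII fields (sales figures, counts) are released from anywhere."""
    requested = list(requested)
    unknown = [f for f in requested if f not in ds.fields]
    if unknown:
        raise KeyError(f"{ds.name} has no field(s) {unknown}")
    eu_subjects = ds.subject_country in EU_MEMBERS
    requester_trusted = requester_country in TRUSTED_FOR_EU_PII
    allowed, withheld = [], []
    for f in requested:
        if f in PII_ELEMENTS and eu_subjects and not requester_trusted:
            withheld.append(f)
        else:
            allowed.append(f)
    return allowed, withheld


def dataset(name: str, datasets=SAMPLE_DATASETS) -> DataSet:
    """Look up a sample data set by name."""
    return next(ds for ds in datasets if ds.name == name)


if __name__ == "__main__":
    for row in inventory():
        flag = " (hosted outside trusted region)" if hosted_outside_trusted_region(dataset(row["dataset"])) else ""
        print(row["dataset"], row["pii_fields"], row["non_pii_fields"], flag)
    ok, held = allowed_fields(dataset("fr_hr_directory"), "US", ["name", "department"])
    print("US requester on fr_hr_directory -> allowed:", ok, "withheld:", held)
```

Run as a script it prints the inventory, flags the backup copy that left the EU, and shows a U.S. requester receiving the department field but not the employee name. In a real deployment the catalogue would be built per applicable law, the rule would have to account for member-state differences the article mentions, and the withheld list would be logged so that blocked cross-border reads are visible to the compliance team.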

Don’t take what you don’t need. “Another practical solution is not to collect the data,” Holcomb says. Of course every company collects some PII from customers and employees. But many have the mindset that the more data they can collect, especially from customers, the better. While that data can be useful for market research, it will make following international data laws much harder.

Consider privacy when planning cloud implementations. Buglass notes that cloud providers often move data around among different hosting companies. To address this problem, some are providing EU-only cloud solutions. But that’s not the only option, he says. “If it’s a U.S.-based cloud company, it should be a Safe Harbor adherent, and it should certify that the data won’t go beyond U.S. shores. Yet another option is to bind the cloud vendor with a contract that requires it to treat PII in accordance with the EU directive. But remember that the company that first accepted the data is still legally responsible for what happens to it if the vendor fails to abide by the contract.”

Manage international data in a GRC plan. “The same risk tools that help you from being fined for regulatory violations can also help you with the bottom line for reasons unrelated to compliance,” notes Sid Sinha, senior director of governance, risk, and compliance (GRC) product management at Oracle. The same solutions used for compliance with important regulations can also eliminate process errors like finding incorrect or duplicate payments.

Oracle GRC applications aid compliance with international privacy laws, as well as U.S., local, and industry regulations and audit requirements. A great time to think about GRC is at the start of a major deployment or upgrade, Sinha adds. “If you’re implementing a new system and defining business processes, that is an ideal opportunity not only to minimize the long-term cost of compliance but to […] that they wish they had started sooner and incorporated GRC before they rolled their new system out.”

Indeed, tackling international privacy laws in the context of an enterprise resource planning (ERP) system will make the process as painless as possible, says Michael Baccala, partner, risk assurance services, at PwC. “When I think about using technology to deal with these challenges, an ERP solution such as Oracle’s is much better than trying to do it with a legacy or homegrown system,” Baccala says. “Clients with older or unique systems struggle more, as [those systems] are typically not as well integrated with each other. With an ERP solution such as Oracle’s, you have more-consistent controls and more-global enforcement. And once you understand the legally required process, the technology is there to support it.”

Minda Zetlin is coauthor of The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006).

 
