There have been a number of articles about the impact of the EU’s implementation of the GDPR on how US companies do business with the EU member countries. In this blog post we will focus on the issue of data protection.
Scheduled to take effect in May 2018, the GDPR covers four areas:
•Assessing and documenting data structure
•Storing and handling personal data in a secure manner
•Data protection conformity of company processes
•GDPR compliance of third-party software
One of these appropriate technical and organizational measures (TOM’s) is encryption. The absolute need to implement such TOM’s should be enough reason to set up state of the art encryption for client data. However, there is a second important reason: companies that do have proper encryption in place, do NOT have to notify their users in case of a data breach, because the data is protected accordingly.
The particular paragraph reads:
“The communication to the data subject referred to in paragraph 1 shall not be required if […] the controller has implemented appropriate technical and organizational protection measures […] such as encryption. (GDPR, p 53)”
TOM’s have to be measures:
“…that render the personal data unintelligible to any person who is not authorized to access it (GDPR, p 53).”
The US Government is developing a number of protocols based on, amongst others, the work of the National Institute of Standards and Technology (NIST) as summarized in their Cyber Security Framework.
While everybody is talking about Trump’s plans to build a wall at the border to Mexico, he signed an Executive Order that could have severe consequences for Europe and European businesses. One section of the, “Executive Order on Enhancing Public Safety“ concerns the privacy rights of US citizens and non-US-citizens in the US:
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” (source: whitehouse.gov)
We at Diogenes believe that the trust established with our clients includes the understanding that their information will be safe and secure. As such, we will be engaging a new security provider in 2018, Boxcryptor. Boxcryptor is certified to be GDPR compliant, meaning that all client information regardless of country of origin will be secure. We will, of course, comply with any US laws when required.
Many thanks to Boxcryptor for their extensive resources we quoted from their blog.