|Sign-Up for Free Exclusive Services:||Portals|||||eNewsletters|||||Web Seminars|||||dataWarehouse.com|||||DM Review Magazine|
|Covering Business Intelligence, Integration & Analytics||Advanced Search|
Jonathan would like to thank Faisal Malik, principal with Knightsbridge Solutions, for contributing this month's column.
A significant data movement is taking place, one you probably haven't heard much about it. It's a quiet movement, overshadowed by security concerns, Sarbanes-Oxley buzz and other consumer compliance issues and is mired in underlying geopolitical complexities between countries and cultures attempting to reach a consensus on a single issue: how to handle the protection of personal and consumer data originating from European operations when processed by U.S. companies - regardless of their location. As understated the issue may seem, thousands of U.S. companies are probably working in some capacity to assess and revise their policies on transporting and processing of European personal data in light of the European Union Data Protection Directive.
On October 25, 1998, the European Union (EU) Directive on data privacy went into effect. This Data Privacy Directive makes it illegal to transport EU personal data across EU and non-EU country borders without an adequate level of data protection in place. The EU Data Privacy Directive is governed with a comprehensive legislation, which has been adopted by all the EU member countries. Non-compliance with the directive can result in various types of penalties, fines, civil suits and data embargos. However, the intent of this legislation is to facilitate the free flow of data between all members and non-members of the EU countries.
To safeguard the movement of personal data for U.S. companies working in EU countries, the U.S. Department of Commerce (DoC) has developed a self-certifying process through which companies can self-certify their adherence to data privacy principles known as the Safe Harbor framework. The Department of Commerce recognizes that the framework does not have comprehensive legislative support yet, but the voluntary certification model allows U.S. companies to import personal data without prior authorization from the EU national data protection agencies.
Under Safe Harbor, U.S. companies are responsible for implementing comprehensive data protection program and policies. Adherence to this framework does not by any means relieve U.S. companies from the possibility of a European filing a criminal and civil complaint with their local authorities against a U.S. company because they feel their personal information has been compromised. Furthermore, the EU national data protection agencies will maintain rights to access the compliance of the implemented program.
Although there is much debate on the effectiveness of Safe Harbor process at present time, this is a good starting point for all organizations that are involved in conducting business in the EU countries, especially for companies that receive human resource, financial and marketing data from their EU operations. That's no small number of companies.
The enactment of European Data Protection Laws has severely impacted the way U.S. companies conduct business in Europe and, to some extent, globally. Currently, at least 25 countries are united under the EU umbrella. Observation of the European Union's track record reveals they are forcing many U.S. companies to rethink how they conduct business overseas. So far, no major cases have been filed under the EU Data Protection Directive - but this does not mean there is zero risk of a civil or criminal law suit in the European courts, or some sort of embargo that will prevent the shipment of personal data out of EU countries. This is why more than 700 U.S. companies have taken steps to comply with the Safe Harbor Principal. A complete list of U.S. companies complying with the Safe Harbor Program can be found at www.export.gov/safeharbor, which is maintained by the U.S. Department of Commerce.
The EU Data Privacy Directive remains a controversial requirement for the U.S. As such, the Safe Harbor framework - the U.S. resolution for compliance - will continue to evolve. A study completed in April 2004 at the request of European Commission sites various areas of the Safe Harbor Program that need further enhancement and clarification, such as:
It will be prudent for the U.S. companies that have adopted Safe Harbor framework, or are considering it, to stay abreast of the working council's position on Safe Harbor framework and their plan on enhancing the current data protection policies.
All U.S. companies interested in consolidating their IT operations, importing data from EU operations or processing data in third countries should have a comprehensive privacy program in place. (An example of a third country could be a U.S.-based company processing European personal data in an Indian processing center). Third countries involved in data processing should either have privacy programs in place, or have contracts to cover data processing in light of the EU Data Protection Directive.
This is especially critical if data is personal in nature and originates from any of the 25 EU countries. U.S. companies should start by appointing a "C" level data privacy officer with the overall responsibility for the data security and privacy initiatives. This corporate data security office should have some form of presence in the EU countries where the personal data in originating.
The Corporate Data Privacy Office (including the staff in EU countries) should work closely with the information technology director(s) and their staff to develop a comprehensive set of data security and privacy policies. The Data Privacy and Information Technology Offices should start by adopting the Safe Harbor Certification, which can be achieved by either working with the in-house resources, if they exist, or by engaging the consulting companies with expertise in the EU Data Privacy initiatives.
The Corporate Data Privacy Office and the Information Technology Office should not only develop in-depth understanding of Safe Harbor certification process but also develop expertise in the EU Data Privacy Directive and its intent. It will also help to understand the inner workings of the EU working councils on data privacy, and the working arrangement between the DoC and EU Data Protection Authority.
Some tips to get started:
The privacy concern is no longer just a European issue. It is creeping into the U.S. mainstream economy by various routes. HIPPA, the "Do No Call List" and Safe Harbor are a few initiatives that have spurred an increasing awareness about the privacy and safety of personal and consumer data. We can foresee more emphasis on privacy and security due to increasing globalization of our economies given mergers, acquisition and the desire to leverage cost effective human capital around the globe.
Faisal Malik is a principal with Knightsbridge Solutions. He has 13 years of experience in the consulting and IT areas, and has worked as a solutions architect and project manager during his career in the IT Industry. Malik has successfully led various large-scale, multidiscipline, global, data warehousing projects. He has developed and delivered strategic solution for the Fortune 100 companies to optimize various back office business functions. He can be reached at firstname.lastname@example.org.
Jonathan Wu is a senior principal with Knightsbridge Solutions. He has extensive experience designing, developing and implementing information solutions for reporting, analysis and decision-making purposes. Serving Fortune 500 organizations, Knightsbridge delivers actionable and measurable business results that inform decision making, optimize IT efficiency and improve business performance. Focusing exclusively on the information management disciplines of data warehousing, data integration, information quality and business intelligence, Knightsbridge delivers practical solutions that reduce time, reduce cost and reduce risk. Wu may be reached at email@example.com.
|E-Mail This Column|