In a previous post I gave an overview of the impact of the new Schrems II ruling, by the Court of Justice of the European Union. What makes Schrems II so important for organizations mainly boils down to growing use of cloud services. With Schrems II as a European company you are required to conduct individual assessments for each data transfer to a non-EU country.
It is worth mentioning that Schrems II not only will have a major impact on European organizations. It also jeopardizes many of the major US IT providers. Therefore, several cloud providers are now trying to give assurance, that they will protect customers’ data by improving the technical protections, storing data in the EU and take to court any request from authorities for accessing customer data. However, when reviewing their transparency reports, they paint a somewhat different picture, where the authorities still gain access to customer accounts. This is something to bear in mind, because regardless of what your cloud provider tells you, you and your organization have to take responsibility for assessing that adequate protection and safeties are in place.
Today, I work with several organizations to support them in how to handle the implications of Schrems II strategically and practically, and how to make the necessary assessments and protections.
- Start with identifying all Non-EU suppliers and sub-suppliers.
- Evaluate data protection laws of the countries of your Non-EU suppliers. Also include access from Intelligence agencies, like US FISA 702.
- Make risk assessments on all of your transfers.
- Review risks and evaluate effective measures to make a plan of all necessary mitigations.
- Implement additional safeguards/measures and/or make the needed changes for the affected solutions/suppliers.
- Try to involve the local data protection authorities for validation of the changes and safeguards you are implementing.
- Establish ongoing re-evaluation of the measures with regularity with appropriate intervals. Follow the court cases on data protection and adapt changes when appropriate.
- Make sure to document all your evaluations and decisions.
If you still are hesitant that you manage to put the necessary measures in place for your cloud services, you can review creating a hybrid cloud environment, where you utilize the public cloud for anything not relating to personal data, and the rest is handled in a private cloud in a local data center where you can obtain many of the same benefits as in the public cloud.
At CGI we are provider agnostic and are happy to help with assessments, hybrid cloud solutions or hosting all of your sensitive data locally. Read more here.