Navigating US-EMEA Data Privacy Rules
By Kevin Petrie, Technology Evangelist at Attunity.
US and European Union regulators are wrestling with mountains of red tape as they hammer out a data “Privacy Shield” agreement reached this month to preserve $260 billion of transatlantic trade in digital services.
The question, re-opened in October when the European Court of Justice nullified the 15-year-old “Safe Harbor” agreement, is how EU citizens can best monitor and challenge usage of their personal data. To answer this, the US government has committed to a new State Department ombudsman, aggressive policing by the Federal Trade Commission and a massive new compliance database at the Department of Commerce.
Things will get even trickier for the private sector on both sides of the pond. Companies need to transparently sort and monitor usage of EU customer records, demonstrating that only authorized actions are taken on information that comes to the US – without prohibitive cost.
The corporate legal responsibilities alone are daunting. The Privacy Shield empowers individuals in the EU to request usage reports and take disputes to arbitration proceedings. This also brings new complexity to global IT departments that already struggle to integrate growing volumes of increasingly varied customer data.
Domino’s Pizza, which serves all continents, was one of many enterprises discussing the persistent challenges of parsing, correcting and matching customer profiles at a Gartner “master data management” conference in Dallas last week. The winner, said Dan Djuric, Vice President of Enterprise Information Services during his session, is “whoever unlocks the reams of data and uses it strategically.”
The first steps for IT boil down to dividing individuals’ data and monitoring how it is used. Here are descriptions of these challenges and best practices to address them.
- Cleanly separate US and European data. Vendors must answer distinct compliance questions when it comes to EU customers, which means those records are best kept in distinct logical or even physical server resources. For example, some European vendors are moving their databases to EU-based hosting providers. Many enterprises will need to be able to copy select tables or columns across or between databases, data warehouses or potentially Hadoop, on premises or in the cloud. This might include copying tables to US servers to satisfy US regulatory/surveillance inquiries, while removing the rows for all European customers.
Enterprises will need more granular control in some cases, defining the data to copy by physical address, company/BU code, sales organization or other criteria. Some will need to protect sensitive data at export with extensive transformation rules, and compare or synchronize objects between environments.
- Track data usage. With finer regulatory points still to be defined, and the risk of myriad individual arbitration proceedings, vendors need to create robust, detailed and flexible usage monitoring processes to address whatever comes their way. This means identifying which business users are touching which tables, columns and customer-specific rows, on which dates, and what actions they are performing. In addition to this level of detail, some enterprises will need to know the associated BI reports or applications, and identify changes in activity patterns between two time periods.
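The usage tracking described in the second item, as an added example that is not part of the original article: it builds the per-customer access report an individual could request and compares EU activity between two time periods. The audit-event layout and all names, IDs and dates are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed audit events (assumed layout, not from the article):
# (day, user, table, column, customer_id, region, action)
EVENTS = [
    (date(2016, 1, 12), "alice", "customers", "email",   1001, "EU", "SELECT"),
    (date(2016, 1, 15), "alice", "customers", "email",   1002, "EU", "SELECT"),
    (date(2016, 1, 20), "bob",   "orders",    "address", 1001, "EU", "UPDATE"),
    (date(2016, 1, 22), "carol", "customers", "email",   2001, "US", "SELECT"),
    (date(2016, 2, 3),  "alice", "customers", "email",   1001, "EU", "SELECT"),
    (date(2016, 2, 10), "dave",  "customers", "email",   1001, "EU", "EXPORT"),
    (date(2016, 2, 11), "dave",  "customers", "email",   1002, "EU", "EXPORT"),
    (date(2016, 2, 15), "carol", "customers", "email",   2002, "US", "SELECT"),
]
JAN = (date(2016, 1, 1), date(2016, 2, 1))  # half-open period [start, end)
FEB = (date(2016, 2, 1), date(2016, 3, 1))

def subject_report(events, customer_id):
    """Every access to one customer's rows, oldest first."""
    return sorted((e for e in events if e[4] == customer_id), key=lambda e: e[0])

def activity(events, start, end, region="EU"):
    """Count accesses per (user, table, action) for one region in [start, end)."""
    return Counter(
        (user, table, action)
        for day, user, table, _col, _cid, reg, action in events
        if reg == region and start <= day < end
    )

def activity_changes(events, period_a, period_b, region="EU"):
    """Map each (user, table, action) whose count changed to (before, after)."""
    before = activity(events, *period_a, region)
    after = activity(events, *period_b, region)
    # Counter returns 0 for missing keys, so new and vanished activity both show up.
    return {
        key: (before[key], after[key])
        for key in sorted(set(before) | set(after))
        if before[key] != after[key]
    }

if __name__ == "__main__":
    for day, user, table, col, _cid, _reg, action in subject_report(EVENTS, 1001):
        print(day, user, action, f"{table}.{col}")
    for key, (was, now) in activity_changes(EVENTS, JAN, FEB).items():
        print(key, f"{was} -> {now}")
```

A pair such as `(0, 2)` marks activity that did not exist in the earlier period, here a new user exporting EU rows, which is the kind of pattern change a reviewer would follow up on.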
Digital commerce in the EU will change shape in coming years, and the contours have not yet come into focus. Global enterprises serving these markets need to erect the right fences and security cameras to be ready.