The EU General Data Protection Regulation (GDPR) negotiations drag on (and on, and on)…
About a month ago I blogged about the last round of GDPR ‘trilogue’ negotiations, which were said by Jan Philipp Albrecht, MEP, to have “reached a satisfying agreement for all sides” on the Regulation’s territorial scope and rules pertaining to international data transfers. One area on which no agreement was reached, however, was Article 43a (aka the anti-FISA clause), which was proposed by the European Parliament following Edward Snowden’s revelations.
In its current state, Article 43a says:
“No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.”
That is to say, EU companies shouldn’t have to comply with requests from non-EU countries for Europeans’ personal data. (The ‘anti-FISA’ nickname refers to the US Foreign Intelligence Surveillance Act, which sets out procedures for the collection of “foreign intelligence information”.)
Now, Article 43a has attracted the attention of the European Data Coalition – a group of 20 European companies including Ericsson, Nokia, Scania and Volvo. The coalition is concerned that international organisations operating in multiple territories could find themselves bound by contradictory laws.
In a letter to legislators, the group said that the proposed Article 43a was “problematic” because, by “unilaterally assuming universal jurisdiction, the Regulation would put European companies in an unsolvable dilemma, and would be in conflict with the concept of interoperability that, while recognizing different privacy concepts, is necessary in international data flows.”
The best-practice solution to GDPR compliance
The coalition won’t have to wait long to see if its concerns are addressed: the next round of GDPR trilogue meetings is due to take place this month. It’s currently anticipated that the Regulation will be formally ratified by the end of the year.
EU organisations that want to meet the requirements of the GDPR and fulfil their information security obligations are advised to act sooner rather than later. Implementing an information security management system (ISMS), as described in the international best-practice standard ISO 27001, is the sensible route to compliance.
An ISO 27001-compliant ISMS provides a risk-based approach to data security that can be applied throughout the supply chain. Once your ISMS has been certified to the Standard you can insist that third-party contractors and suppliers also achieve certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts – as well as allowing you to meet legal and regulatory obligations.
Implementing ISO 27001 with Live Online training courses
IT Governance’s Live Online ISO 27001 training courses are based on our successful classroom courses, bringing unique, interactive tuition from ISO 27001 experts to the comfort of your home or office, with none of the costs traditionally associated with classroom learning such as travel and accommodation. Each course includes an exam accredited by IBITGQ, giving you the opportunity to gain globally accepted qualifications.
Created by leading ISO 27001 experts Alan Calder and Steve Watkins, the ISO27001 Certified ISMS Foundation Live Online Training Course introduces the benefits of ISO 27001 certification and outlines the key elements of an information security management system (ISMS).
Using a combination of formal training, practical exercises and relevant case studies, this unique training programme – the most comprehensive ISO 27001 Lead Implementer course available – enables professionals anywhere in the world to develop the skills required to achieve ISO 27001 compliance for their organisation.
Using their extensive professional experience of the Standard and a combination of formal training, practical exercises and relevant case studies, our expert tutors will outline the theory and practice of an effective ISO 27001 audit, preparing you for the included IBITGQ Certified ISMS Lead Auditor (CIS LA) examination in four-and-a-half days.