Page 112 - Cyber Defense eMagazine for September 2020
However, SCCs and BCRs aren’t as easy to use as Privacy Shield. U.S. organizations that transfer data
from the EU must now conduct an analysis to determine whether they can meet the legal requirements to protect
that data from U.S. surveillance. This is in direct conflict with the ECJ’s Privacy Shield ruling, which found
that U.S. federal intelligence and surveillance agencies, as well as U.S. laws, currently make this difficult.
In addition, organizations using SCCs or BCRs need to legally guarantee “U.S. law does not impinge on
the adequate level of protection” for transferred data. If this legal standard cannot be met, then an
organization’s data transfers from the EU must be immediately suspended.
The European Data Protection Board (EDPB) also posted a FAQ regarding this Privacy Shield ruling.
Per this FAQ, GDPR Article 49 derogations may also be a means of completing certain data transfers.
Ultimately, organizations that previously used Privacy Shield need to reevaluate if their data transfer
processes meet GDPR standards. Although this is no small task, the following steps are essential:
Locate Personally Identifiable Information
Organizations need to know what personally identifiable information (PII) they’re storing, and where it’s
located. Due to improperly provisioned access, it’s possible that users have moved PII data to unexpected
locations.
Remediate Stale Personally Identifiable Information
Once personal information is no longer needed for regulatory or business purposes, it should either be
securely archived or deleted outright.
Audit and Control Access to Personally Identifiable Information
Overprovisioned and improperly granted access raises an organization’s risk of a data breach. Users
should only have access to the data required to perform their daily tasks, and admins should only have
elevated privilege when needed.
Be Able to Respond to Consumer Data Subject Access Rights (DSAR) Requests
Organizations must be able to quickly respond to consumer DSAR requests. This involves gathering all
PII related to a data subject, providing that information to them, and potentially deleting that information.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.