Not sure what the collapse of Safe Harbor means? Read our previous blogpost.
What should I be worried about?
Complying with laws and the trust of your customers. The European Court of Justice has revoked the Safe Harbor –agreement, which enabled transferring personal data outside the European Union. Safe Harbor collapsed, because it hasn’t guaranteed real protection for personal data and, authorized by their legislation, the United States’ authorities get their hands on the data.
It is likely, that also the “emergency aid”, the model contract clauses, will fall down for the same reason: they don’t guarantee real protection for personal data. The personal data laws require organizations to ensure that the data is not transferred outside the EU without permission. The obligation of the law is binding and the organization cannot shift the responsibility to a third party or appeal to ignorance.
Also the trust of customers must be earned. Personal data laws are made for protecting the privacy of individuals. Simply complying with the law is not enough, the company must also be able to show customers that their information is exemplarily taken care of. Banks have known the value of trust already for long and take care of data security and their reputation accordingly. A few forerunners such as F-Secure are already creating new business by ensuring data security.
Am I already in trouble?
It’s possible that your organization breaks the personal data law, if you use international cloud services to process customer information and other personal data. For example Salesforce, Microsoft CRM Online and Zoho CRM services operate based on the repealed Safe Harbor –arrangement. Out of these three, at least Microsoft CRM is seeking temporary safety in model contract clauses. Also the email marketing and marketing automation solution providers such as MailChimp, Hubspot and Marketo have relied on the Safe Harbor –procedures. Very few cloud service providers can thoroughly disclose where personal data is stored and how data is transferred in different stages of the process (for example the repositories for backups and customer support logs).
What should I do?
Four steps, with which you can ensure that your organization meets the requirements of the personal data protection law in processing customer information:
1. List all services, where you process customer and personal data
Determine all services that are used in your organization for processing customer and personal data. Find out where the data physically ends up in from each of the services.
2. If you don’t know where data is transferred, ask your service provider for clarification. Ask your subcontractors for the same statement.
If the service provider does not openly disclose the location of their servers on their website, ask the supplier to make a clarification on the matter. You can send for example the following type of clarification:
The European Court of Justice has invalidated the Safe Harbor –agreement with the United States. We kindly ask you to inform, whether you have handed over information regarding our organization based on the Safe Harbor –agreement.
This clarification concerns also mirroring data, processing data logs, files sent to suppliers in problem situations, maintenance operations, emails and other information that you use in your own systems to provide the service.
Your statement should also cover your subcontractors that are related to the services provided to our organization.
Notice that your organization is responsible for compliance with the personal data laws, even if the personal data is processed by your subcontractor. Therefore, send the same clarification letter also to your subcontractors.
3. Correct your organizations operations to legal
Find alternative services in case your current service provider is unable to operate according to the personal data laws. Especially in cloud services the switch may be easier than you think. The safest and most sustainable solution is choosing a European service provider whose servers are located within the European Economic Area. This way you won’t have to worry about future decisions by the European Court for example relating to the model contract clauses.
4. Remember to tell your customers about good data security
When your personal data processing is in order, tell your customers about it, too. At least update your privacy policies up on your website. Undoubtedly your customers won’t be offended if you remind them once in a while that your organization takes data security seriously and that their information is safe with you.
Vineyard’s servers are located in Finland and the data saved in Vine will always and in all situations remain in Finland and thus within the European Union.
Read more about the data security of Vine CRM: