This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
Download it now to read this article plus other related content.
Organizations sending data abroad must be prepared to comply with a slew of privacy and security regulations.
U.S. companies doing business overseas face a quagmire of global regulations for keeping data private and secure. Take Verispan, a provider of health care information and services to the pharmaceutical industry. Gathering information on physicians around the world can be a time-consuming and cumbersome process due to regulatory requirements, says Scot Ganow, Verispan's corporate privacy and ethics officer.
Not only does the company need to follow European Union privacy rules, which include providing clear notice to and obtaining verifiable consent from the physicians, but it must research and comply with any specific requirements of individual EU member countries. Even with consent, Verispan uses either EU-approved model contract clauses or Safe Harbor self-certification as extra compliance protection when transferring European personally identifiable data to the U.S.
"It's very layered, very involved," Ganow says of the compliance process.
As the number of online users has skyrocketed worldwide, governments have enacted a maze of inconsistent privacy and security laws. This fractured, highly complex global legal framework is creating regulatory headaches for businesses. Laws restricting cross-border data flows and those requiring security breach notification are the most problematic and impose
The complexities and inconsistencies associated with global privacy and security laws are forcing multinational companies to approach these issues in a multidisciplinary manner, blending legal, technical, operational and managerial considerations.
This was first published in February 2007