Data Localization - SCCE Official Site · 2016-09-25 · 3 Who Are These Men? Data Localization...

Post on 01-Jan-2020


Data Localization

Society of Corporate Compliance & Ethics

Compliance & Ethics Institute 2016

Presenter: Web Hull

Data Localization - Web.Hull@icloud.com 1

Data Localization

It’s All about Protecting the “Crown Jewels”

(However Defined & By Whomever Defined)


What are these devices?


What Are These Places?


Who Are These Men?


What Did They Do?

There Go the Crown Jewels

1. They Memorized (Stole) the Plans of Machinery that was Prohibited for Export from England

2. One Immigrated to the Colonies – Rhode Island

3. The Other Returned Home to the US – Massachusetts

4. They Established the Textile Industry in the US


What is Data Localization?

1) A requirement (however created) to store, route, process, or otherwise use data only within a politically defined area

2) A requirement (however created) to retain data within a politically defined area

3) A requirement (however created) to not store, route, process, or otherwise send or allow access to data

• In a Politically Defined Area

• By a Defined Entity or Person


Some Examples of Data Localization

• Regional

  - EU

• Country

  - Russia

• State / Province

  - Ohio

  - B.C. Bill 73

• Sector

  - US Financial

  - US Health Care

• Other

  - ITAR

  - Export Controls

  - OFAC


Why Do Political Entities Create Data Localization Restrictions?

• Economic Advantage

• Protectionism / Isolationism

• Jobs

• Anti-Globalization

• Political Control

• National Security

• Cultural

• Others?


Why Do Companies Create Data Localization Restrictions?

• High Level of Protection

• Ease of Management

• Marketing

• Customer Requests / Preferences

• Reach of Law

• Required by Law / Regulation

• Others


Is There Only One Kind of Data Localization?

• Laws, Regulations, Guidance, Treaties

• Customer Requirements

• Customer Preferences

• Company Preferences

• Others?


Countries With Some Data Localization Requirements

• Argentina

• Australia

• Belarus

• Brazil

• Canada

• China

• Colombia

• EU

• France

• Germany

• India

• Indonesia

• Kazakhstan

• Malaysia

• New Zealand

• Nigeria

• Peru

• Russia

• South Korea

• Taiwan

• Turkey

• Uruguay

• United States

• Venezuela

• Vietnam

Strong Localization Laws & Regulations

• Russia - 242-FZ law - September 1, 2015

• Requires “personal data operators” to

  - Collect, store, and process any data about Russian users in databases inside Russia

  - Inform Regulators of the location of their data centers

• Gives Regulators

  - Enhanced access to information and

  - Power to impose harsh penalties for non-compliance

Strong Localization Laws & Regulations

• Indonesia

• “Electronic System Operator for the public service

  - Is obligated to put the data center and disaster recovery center in Indonesian territory

  - For the purpose of

o law enforcement,

o protection, and

o enforcement of national sovereignty to the data of its citizens.”

Strong Localization Laws & Regulations

• U.S. International Traffic in Arms Regulations (“ITAR”)

• ITAR “Arms” are

  - Identified on the United States Munitions List (“USML”).

  - Dual Use

• Export Restrictions

  - Sending or taking any ITAR items or information out of the US.

  - Transferring ITAR items or information within the US to anyone not a U.S. citizen or lawful permanent resident

Moderate Localization Laws & Regulations

• Canada - Local Restrictions

• Bill 73 - British Columbia 1996 Freedom of Information and Protection of Privacy

  - “A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada.”

• Nova Scotia - 24 Bill No. 19 — the Nova Scotia Personal Information International Disclosure Protection Act, 2006

  - “Public bodies ensure that personal information in its custody or under its control … is stored only in Canada and accessed only in Canada.”

What Are the First Things To Do?

• Identify Who in Your Organization

• Should Identify the Restrictions?

• “Owns the Data”?

It’s a Complex Compliance Challenge

• Identify Your

• Own Configuration – e.g. Outlook Exchange Servers, Data Centers, …

• Cloud Providers – Including SAAS

• Vendors

• Vendors’ Subcontractors

• And So On

What Are the First Things To Do?

• Map & Document The Data Flows!

• If You Don’t Know What Kind of Data You Have, Which Borders It Crosses, & Who Receives It, You Can’t Determine the Restrictions

• Have a Set of Tools

1. Data Mapping

2. GRC

3. …

What Are the First Things To Do?

• Start with Customer’s Data

• What Kind of Data?

• Collected Where?

• Follow the Data to Its Final Destination

• Update Data Map Regularly

There Is No Such Thing As an Army of One

• Figuring Out How to be in Compliance is a Team Sport

• Company Members Both In-Country & at the HQ

• Outside Experts

• Global, In-Country, at the HQ

• Both Subject Matter Experts & Local Country Experts

There Is No Such Thing As an Army of One

• Who should be on the team? Both in Country & at HQ

  - Subject Matter Experts – 1 for Each Requirement

  - Compliance

  - Privacy

  - Legal – Contracts / Other

  - Marketing

  - IT

  - HR

  - Background Investigations

  - Business Units

  - Data Owners

  - Someone to Do the Mapping

  - Project Support

  - Others?

Some Common Work-Arounds

• Consents

• Enabling Regulations - e.g. Privacy Shield, Model Contracts

• Waivers

• Data Center Locations

• Get Creative – But Be Compliant

• Others?

• Sometimes There Aren’t Any at All!

There Might Be “A Light at the End of the Tunnel”

• Trans Pacific Partnership Article 14.13

• “No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.”

• Exceptions

• Government services are excluded – BC Bill 73 & Nova Scotia - 24 Bill No. 19

• Financial Services are excluded

• Or is the “Light” Just a Train from New Jersey?

Some Final Thoughts

1) I Don’t Know of Any One Place to Find Everything You Need to Know

2) It’s Always Changing – Work Hard to Keep Up-to-date

3) Sometimes You Have to “Go Along to Get Along”

4) Not Entering or Exiting a Restrictive Jurisdiction is Always an Alternative

5) It Will Probably Get Worse Before It Gets Better – Brexit?


Thank You!

&

Questions?

Contact Information

Web Hull

Privacy, Data Protection, & Compliance Advisor

Global Privacy & Compliance Group

Telephone & Text: 401.316.3021

eMail: Web.Hull@icloud.com

LinkedIn: https://www.linkedin.com/in/webhull

Twitter: @WebHull
