International companies never finish compliance with data protection and privacy laws because of constant modifications or new countries presenting their versions. Existing laws, like the General Data Protection Regulation, forced companies to change their data behaviors. But international companies are never done scrutinizing or re-evaluating the technologies that jeopardize their compliance.
While cost and operational efficiency is always a consideration for integrating suppliers, preference and different international viewpoints are "a bit of a tightrope we have to walk," said Jeff Greene, CISO of International Paper, while speaking at the virtual Forrester Security and Risk Global 2020 conference Wednesday.
"When you're thinking about privacy law, whether it's GDPR, or any of these others, you can't just focus internally on your own company, you've got to think about your whole supply chain," said Greene.
CISOs have to pay equal attention to the wants of vendors or technology departments and privacy regulations depending on where the technology lives. Varying international data regulations further complicates and intensifies supplier divisions between departments.
For certain supplier decisions, "governments take the choice out of your hand, they're prescriptive, and they mandate certain technologies over and under in those cases," said Greene.
When the Court of Justice in the European Union (CJEU) overruled the EU-U.S. Privacy Shield in July, more supplier decision power was taken from U.S.-based businesses. Privacy Shield, which allowed big tech to transfer EU data to the U.S., impacted about 5,000 U.S. companies. The overturn, also known as the Schrems II decision, required U.S. businesses to act fast in terms of how they transfer international consumer data.
Third-party services that relied on Privacy Shield to transfer protected data, "are now services in question," and could be invalidated, said Greene.
"We had to change processes, we had to implement new solutions. And there was there was cost associated with that."
CISO of International Paper
Prior to Schrems II, trusted data transfers were monitored by regulatory bodies under GDPR. But Schrems II concluded EU-U.S. data transfers, its protection, and regulatory compliance with the data's country of origin, is inadequate.
While Schrems II was unexpected, the European Commission's Standard Contractual Clauses (SCC) are serving as pseudo Privacy Shield alternatives. However, SCCs are not enough for sidestepping major compliance issues because there are caveats. The CJEU called into question how effective mechanisms, like SCCs, are for data transfers under GDPR.
International Paper is facing those caveats in real time because understanding legal data transfers right now is difficult, said Greene.
Greene had SCCs in place prior to the ruling but is now re-evaluating each of the paper company's vendors. "We're still working through the process to make sure we don't have any gaps or exposures" upstream in International Paper's supply chain.
Some privacy regulations are easier to tackle than others. GDPR, for example, is goals-based, providing companies flexibility to comply. The regulation allows companies to find their means to an end. On the other hand, the Russian data protection law, which initially required companies processing or storing Russian citizen data within the country, is more explicit in terms of its compliance, said Greene.
"We had to change processes, we had to implement new solutions. And there was there was cost associated with that," said Greene.
The less rigid a regulation, the more often companies have to evaluate their processes. "I would say, for anybody in the information security space listening to this today, your legal department is your best friend," said Greene.
Sometimes International Paper has to purposefully duplicate solutions to "comply with laws that may be in place around restrictions of certain technologies from one vendor or another," said Greene. "It's an evaluation every single time."
While international harmonization of data protection and privacy would be nice, it's not a reality. Just as companies expect the U.S. to have a patchwork of state laws, the same is true for international countries.
Companies will be forced to face the politicization of the process, something security leaders have to get comfortable with dealing with, according to Jinan Budge, principal analyst at Forrester, while speaking at the virtual event.
"We're in the situation, we're in it to a large degree, because there's so much distrust from from one country in one region to another, but we can't control that," said Greene. What CISOs can control is their access points and data governance so they are more able to absorb regulatory changes.