How to Meet Your Compliance Obligations with Data Protection – Part 4

Information security and data privacy have merged into a new single discipline called data protection.  This article discusses using your data protection program to advance compliance with international laws, standards, and contracts.

In part 3, I described developing a data classification system as well as a larger data classification program.  In part 4, I discuss how the program will help you advance compliance with international data protection laws, standards, and contracts.

Data Protection Compliance and Cross-Border Vendor Agreements

There is an unpleasant, if not troubling, phenomenon in today’s international data protection compliance practice.  It is the imposition of data protection mandates via contract.  During the run-up to the GDPR compliance deadline in 2018, I reviewed many so-called data protection addenda (or DPAs).  These contract addenda contained, at a minimum, a set of EU Standard Contract Clauses (SCCs).  SCCs are collections of data protection commitments between two parties (usually a data controller and its processor).  They’re used in cross-border (i.e., EU to non-EU) transactions.  Examples of the mandates and other terms contained in SCCs include agreeing to submit to:

  • Random audits by the counterparty (i.e., the data controller);
  • The governing law of the data controller’s jurisdiction; and
  • The data subject’s choice of venue in the event of a dispute.

In particular, Clause 5 of the controller-to-processor SCCs creates a long list of tasks for the processor.  Similarly, Clause 4 contains numerous tasks for the controller.  Appendix 2 of the Clauses includes a list of technical and organizational controls that are mandated by the controller.  Often, that list includes the international data security standard ISO/IEC 27001, which sets a high bar for compliance.

What I found most troubling is that parties on both sides of the table were routinely signing addenda without truly understanding what the implications were.  In the event of a breach, complaint from a data subject, or inquiry from a supervisory authority, both parties were in for severe disruption to their day-to-day operations.

Other Cross-Border Data Transfer Mechanisms and Challenges

This problem isn’t limited to SCCs.  Other agreement-like mechanisms include the EU-U.S. Privacy Shield Framework and Binding Corporate Rules (BCRs).  Each comes with its own challenges:

  • Privacy Shield.  This is a data transfer mechanism that enables EU personal data to move to the U.S.  It features a multi-faceted binding arbitration process for resolving disputes with data subjects.  It also mandates numerous tasks for policing the use of personal data by processors and other controllers.
  • BCRs.  This is a lengthy, pre-approved, public-facing “contract” with multiple supervisory authorities.  It enables the data controller or processor to move personal data to multiple subsidiaries around the world at will.  In order to get a BCR set approved, however, the applicant has to stipulate to aggressive data protection standards and then police compliance for all of its participating subsidiaries.

In my experience, companies that participate in these mechanisms often don’t appreciate the scope of their requirements.  This is because individual data protection mandates aren’t clearly communicated to rank-and-file employees.  The definition of personal data isn’t clearly communicated either, leading to confusion.  Data discovery and classification (DDC) is ideally suited to advancing compliance with data protection requirements cited in contracts.

Using Data Discovery and Classification to Advance Contract Compliance

DDC’s value lies in its ability to:

  • Locate a wide variety of controlled information both on-premises and in cloud storage; and
  • Function as a control, a predicate for other controls, and a data protection program management tool.

It’s especially relevant when standards such as ISO/IEC 27001 are included.  Let’s review the examples cited earlier:

Preparing for More International Agreements and Data Protection Mandates

The passage into law and subsequent enforcement of the GDPR has had a profound impact on data protection mandates globally.  According to the IAPP, some 120 countries now may be considered to have an adequate level of protection of privacy and the use of personal data.  Brazil, for example, passed the General Law of Protection of Personal Data (or LGPD), which is their version of the GDPR.  Chapter V of the LGPD essentially copies the GDPR’s data transfer mechanisms.  Working as a unit, data discovery and classification offer unique capabilities that advance compliance with cross-border and similar agreements.  In particular, they offer the ability to:

  1. Identify and protect sensitive information in accordance with standards such as ISO/IEC 27001, the CIS CSC Top 20, and NIST SP 800-171;
  2. Advance compliance with legal and contractual obligations; and
  3. Strengthen the organization’s overall data protection program.



See how Spirion can help you meet your compliance obligations with data protection. Download the CCPA whitepaper, How Spirion Advances Compliance with the California Consumer Privacy Act of 2018 (CCPA).