Imagine you are a German company that exhibited at a security show in Nuremberg, Germany.
1) People came to your booth and handed in their business cards in order to receive further information (legally, that constitutes consent).
2) You scan the business card, together with the notes taken at the booth, and you send it via email to your colleague in Munich using Google Mail (first violation).
3) You enter the information into your CRM System: Salesforce (second violation).
4) From there, or separately, the booth visitor’s information finds its way into your marketing automation system Hubspot or your mailing list vendor Mailchimp (third violation).
Without Safe Harbor, you are at risk of being fined 3 times by your data protection agency for just this one business card. Now multiply that by the number of visitors you had at your booth!
Without Safe Harbor (or individual agreements/contracts for all interactions with EU citizens), you need to know where your data is and you need to prevent data transfer outside of the European Union at all times.
- Implement encryption: this would help in case 2) but is useless in cases 3) and 4).
- Use datacenters in Europe: You switch to email servers in Europe, look for a CRM in Europe and a marketing automation system in Europe. Sounds great, but your choices are limited. However, Microsoft has already announced that it will offer a selection of its services through T-Systems, certainly a legal way to go, but wait for the pricing …
- Seek alternative legislation: The United States could change some laws, as the Chief Legal Officer of Microsoft rightfully suggests.
- Build your own datacenter or store your data at a trusted place: You use everything hosted locally or in a datacenter from a local service provider you trust (who must then prove compliance with legislation).
In any case, you can see that it's important to know where your data is. You need to start locating your data today – a great start is our data security checklist.
We know that trying to stay within the laws and regulations is not always easy, but we owe it to the people we get data from – even if it is as small as a business card.