7 Tips for Managing Cross-Border Data Transfers

Running a global business is not an easy undertaking. It’s hard enough to lock down sources and vendors, fortify a supply chain, process orders in multiple languages and payment methods, and navigate the latest twists in shipping. Companies also must pay attention to where they’re moving and storing customer data. Missteps can result in large penalties, and excuses won’t reduce the damage by a dime. Legal counsel is vital, but as a rule of thumb, these tips can help, too.  

“Similar to packing a suitcase for a road trip, the tips for cross-border transfer can start with the usual general advice: minimize your stuff, lock it up, and manage keys carefully,” says Davi Ottenheimer, the VP of Trust and Digital Ethics for Sir Tim Berners-Lee's Inrupt.  

In the unlikely event you haven’t heard of Sir Tim Berners-Lee, he’s a rather brilliant British scientist who invented the World Wide Web (WWW) in 1989 while working at CERN. Now he’s the co-founder and CTO of Inrupt, director of the World Wide Web Consortium (W3C), and director of the World Wide Web Foundation. 

“But there’s a bigger picture here, which is that handling 'cross-border data transfers' as a legal compliance headache leaves your users with little to no understanding of where their data is being transferred, where it’s ordinarily stored, and to what degree it’s protected,” Ottenheimer adds.  

Related:Executive Order to Target Data Sold to US Foes

Maybe one day there will be an easier way to comply with regulations and consumer demand for more transparency. 

“There’s a better answer here than ever-evolving regulations and increasingly cumbersome back-end compliance requirements that leave users in the dark: What we need are technological product solutions that let users see and understand where their data lives, and where it goes, and that let them meaningfully exercise their data rights to make informed choices about how their information gets processed,” Ottenheimer says.  

Others argue that consolidating the many data privacy regulations worldwide would go far in easing the situation for both companies and consumers. 

“My overall point is that we should move toward having a multilateral treaty on data privacy and government access to data, as a means to provide more certainty for companies and to improve the overall level of data protection. My idea has not yet matured into reality, but I am confident that this will be the direction that countries eventually take in this otherwise super challenging area,” says Brian Hengesbaugh, chair of law firm Baker McKenzie’s Global Data Privacy and Security Business Unit. In his former position as special counsel to the general counsel of the US Department of Commerce, he played a key role in the development and implementation of the US government’s domestic and international policy in privacy and electronic commerce. 

Related:How to Get Your Failing Data Governance Initiatives Back on Track

Future scenarios aside, companies must still find a way to comply in the here and now, with the tech and regs we now have. 

“We have seen instances where a company has a data breach, notifies relevant authorities, and in response, the authorities ask a series of questions, including for a copy of their cross-border data transfer program. In those cases, the answer of ‘we are working on it’ is not very effective,” Hengesbaugh says. 

But a data breach is not the only way a company can get called out. 

“Companies will have challenges with works councils or data protection officers if there is not a suitable framework in place. Companies can also encounter challenges when working with customers, or in the context of mergers and acquisitions,” Hengesbaugh adds. 

With that said, let’s look at seven important tips in handling cross-border data transfers.   

1. Protect partner data handoffs  

Companies work hard to secure and properly handle data in their care, but that protection and compliance typically doesn’t extend to data exchanged with partners. This creates gaps in cross-border data transfers that can be exploited or overlooked. 

Related:How Many C-Levels Does It Take to Securely Manage Regulated Data?

“Cross-border data transfers between partners can open the door for organizations to not only breach laws and regulations without realizing, but also for malicious nation state and non-nation state actors to interfere and compromise the data,” warns George Kamis, chief technology officer at Everfox. 

“Combining audit processes with protective cybertools can create a sustainable, repeatable process that allows organizations to keep its data guarded at all times, especially when in transit to a global destination. Most importantly, these tools will ensure that organizations can continue with their business operations as usual, even when concerns arise,” Kamis adds.  

2. Trust but verify 

Partners are great for business, but they can misunderstand and make mistakes, too. Their errors can cost your organization as much as its own mistakes can. Take steps to ensure all third parties you work with comply as well.  

“Increasingly, companies that want to mature and manage their cross-border data transfers are putting in place three-part vendor risk programs that include pre-contract assessments, contractual safeguards model privacy and data protection provisions and data processing addendums (DPAs), and post-contract audits,” says Jim Koenig, a partner at Troutman Pepper and co-chair of its privacy and cyber practice group. 

The first ensures third parties meet your security requirements and provides an inventory of data transfers. The second -- contractual safeguards model privacy and data protection provisions and DPAs -- “define the specific uses and restrictions on secondary uses, including AI algorithm training, and compliance requirements,” Koenig says.  

And the last, post-contract audits, “assesses the recipient company’s compliance with the applicable data transfer laws, such as EU GDPR, Saudia Arabia, China’s PIPL and others, and specific contract requirements,” he says. 

3. Check your lawyer’s homework 

Anyone can make a mistake in working with data. And that includes your legal team. 

“Often, lawyers assisting with data transfer compliance do not take the time to discover the specific data to be transferred and whether the data can be de-identified. The best protection for personal information under privacy and global data protection laws is not to have the data to begin with!,” Koenig exclaims.  

4. Consider both ends: The to and the fro 

Don’t make assumptions on which jurisdictions prevail. Instead go the distance to make that determination. 

“First and foremost, you must ensure that the jurisdiction you are sending your data to complies with the stringent data protection requirements requested by the jurisdiction you are sending your data from. Beyond this, the data must be stored and managed in accordance with the data protection laws from its source,” advises Srini Kadiyala, CTO of OvalEdge, a data governance consultancy. 

And don’t assume that home base is safe territory to store data in either.  

“Storing data locally doesn’t guarantee compliance with privacy laws of the originating country. Don’t assume your home country’s laws don’t apply just because data crosses borders. You must understand the regulations in all relevant jurisdictions,” says Compliance Risk CEO Tim Golden. 

5. Check compliance across data life cycle 

Compliance requirements may not end where you think they do. To avoid serious trouble, check to make sure you fully understand what is expected. 

“Companies must protect data in all of its phases -- at rest, in transit and in use -- throughout its lifespan, with a plan in place for data destruction. In addition, companies must vet all partners who will have access to the data they control to ensure that their security and use policies are appropriate,” says Ron Hawkins, Security Industry Association director of industry relations. 

6. Consider more than just the law 

Being compliant with the law is certainly the core mandate. But there is more at play than you may realize, and those factors can cause you trouble, too.  

“Many companies underestimate the significance of data sovereignty laws. These laws will become more important in the future, as the effects that technology has on society become more exacerbated,” says Yale Fox, IEEE Member and CEO at Applied Science. “Failure to consider the impact of geopolitics such as trade restrictions can further complicate data transfers. Addressing these challenges requires planning, awareness, and continuous policy updates.” 

7. Plan to fail 

Mitigating risk is the point of compliance. But always remember that mitigating isn’t the same as eliminating.  

“Cross-border data transfers is an increasingly complex and challenging field to navigate, let alone manage,” says Joe Jones, research and insights director at the International Association of Privacy Professionals. “Zero risk is seldom achievable. Managing organizational risk by reference to a clear understanding of data inventory, applicable laws, and risk appetite is critically important,” he says. 

Plan for the inevitable misstep. Even if you manage risks down to the most minute detail, your company is likely to overlook something.  

“A common misconception is that an individual merely accessing data in another country doesn’t count as a data transfer. It very often does qualify as a data transfer and it’s very often restricted under international privacy laws, unless certain exemptions apply or certain transfer mechanisms are used,” Jones warns.