GDPR: Immediate Steps, Cross-Border Transfers and More. Listen to the Podcast.

In our continuing GDPR series, Tom Lemon, Managing Director with Protiviti’s Technology Consulting group in the UK, addresses several important questions, including the first steps to establish a defensible position and some of the data cross-border transfer mechanisms available to companies outside of the European Union. Listen to the podcast at this link. A full transcript of the conversation is below.

In-Depth Interview

Powerful Insights GDPR podcast – Tom Lemon

[transcript]

Kevin Donahue: Hello, and welcome to a new edition of Powerful Insights from Protiviti. This is Kevin Donahue, a senior director with our marketing group, and I’m pleased to be joined today by Tom Lemon, Protiviti managing director with our Technology Consulting group. Tom and I are going to be chatting a little bit today about the new General Data Protection Regulation, which has just gone into effect in the European Union. Tom, thanks for joining me today.

Thomas Lemon: It’s a pleasure.

Kevin Donahue: So, Tom, we’ll dive into a couple specific topics in a minute, but first, give me your take on this new regulation in terms of what it is and, more important, its impact on companies that are operating in the European Union.

Thomas Lemon: Sure. It’s really a step change in the rights that individuals have in Europe around the personal data that they own, and companies are having to react to that. We’re working with a lot of organizations in the UK and Europe who have joined to respond to the GDPR to achieve clients. At this stage, now that we’ve passed the effective date of May 25, it’s really about establishing a defensible position. A lot of companies are still recognizing that they have work to do to achieve compliance, and they’re trying to prioritize how they would tell the story to the authorities, should they come knocking around, the position that they got to – what they might have left to do in order to show that they are taking data protection of personal information very seriously.

Kevin Donahue: Tom, what are some of the most frequent questions you’re getting from clients and companies right now with regard to GDPR?

Thomas Lemon: One of the most common questions is, “We’re not complying. What do we need to do right now to achieve that defensible position?” which I referred to earlier. One of the things that we encourage our clients to really focus on initially, if they are in an early stage of their compliance journey, is establishing a really robust record of processing activities through a data-mapping exercise. The reason we do that is because one of the first things that the authorities would be asking for if they do come knocking is, “Show me your record of processing.” It is a mandatory artifact that the GDPR requires, and it really forms the foundation of everything that an organization should be doing in order to protect the personal data that they process.

It’s all about knowing your data, knowing the personal data-processing activities that an organization holds. If you can’t achieve that, then you’re going to be struggling to demonstrate that you’re protecting that information effectively enough. That is a very common question. It’s a common area focused still at this stage of the compliance journey, and it is something that we’re working with companies on a lot at the moment.

Kevin Donahue: Now, Tom, speaking of understanding and managing your data as a company, there’s this whole realm in that space around cross-border data transfers. First off, what exactly does that mean?

Thomas Lemon: Sure. In simple terms, the GDPR mandates that organizations can transfer personal data only to another jurisdiction that has either been deemed adequate by the European Commission itself or that is using an adequate and legally effective data-transfer mechanism to do that. Really, it’s all about just making sure that the jurisdiction and the company that that data is being transferred to will have the same level of protection measures that are required of companies that are in the EU itself.

Kevin Donahue: Is this an area, in your opinion, that organizations already are prepared for, or is this what I would call a key area of growth and development that’s going to be needed quickly?

Thomas Lemon: It can get quite complex. If your organization is based in Europe, and really there, transferring information around Europe, it’s not an issue. Any data transfers within the European Union itself, even if they are crossing between other European countries, they don’t require any particular action, because the entirety of the UK comes under the GDPR.

It’s when you start to need to transfer data outside of the European Union that it gets more complex. Those data transfers could be within your own company. If you think about the global organization, typically, that would be based in many jurisdictions across the world from the EU and some outside. For those companies that are transferring data around their own group, they still need to go through the process of putting in place legally effective data-transfer mechanisms to ensure the right safeguards are in place around the personal data that they’re transferring within their company.

The same applies when you’re working with third parties. A very common example nowadays is that a lot of people will use a cloud provider to support some of the processing activities in their business operations, and that cloud provider could have infrastructure in multiple jurisdictions across the world. Companies need to, when they’re using third parties like this to support some of the data-processing activities, make sure that appropriate safeguards and legally enforceable safeguards that are aligned to the GDPR requirements are based into the contractual arrangements that they have with those organizations.

Kevin Donahue: Tom, let me ask you one more question about this. What are some of the specific cross-border data-transfer mechanisms that GDPR allows?

Thomas Lemon: Sure. I’ll list a couple of options that companies can take into consideration. First, there are some countries outside of the European Union that have been deemed adequate by the European Commission. These are countries and other political entities like Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, Andorra, Argentina and, to some degree, Canada as well, specific to commercial organizations in Canada. When data is being transferred to those jurisdictions, there’s nothing else that companies need to do, because the European Commission has deemed that there’s an adequate level of data protection that’s enforceable that’s equivalent to the GDPR in those countries.

In the US, I’m sure many people that are listening to this podcast are familiar with the Privacy Shield Framework. The Privacy Shield Framework allows organizations to basically self-certify to the U.S. Department of Commerce, which, in a sense, is a public commitment that they will put in place a level of protection measures equivalent to that of the GDPR. Once again, those companies that have aligned themselves to the Privacy Shield Framework are allowed to transfer data outside of the E.U. into the U.S.

There are other mechanisms as well. For example, if you’re working with other third parties or, indeed, if you’re putting in place contracts with your own legal entities outside of Europe, a very common mechanism that you use is what’s known as model clause contracts, which are essentially a set of contract clauses that the European Commission has endorsed. That allows for equivalent protection measures within a company or with third parties that a company is doing business with. Once again, if that legal framework is put in place, then that allows for data to be transferred outside of the European Union as well. The various others – this is an area where companies would typically take – I would encourage them to take legal advice, but there are a couple of other options for considerations as well. Hopefully, that gives yourself and the listeners a sense of the options that are available to them when they’re thinking about cross-border data transfer.

Kevin Donahue: Tom, I want to thank you very much for joining me today to discuss some of the many aspects of the General Data Protection Regulation. I want to inform those of our audience who are interested that Protiviti, in partnership with Baker McKenzie and Robert Half, has produced a comprehensive resource guide on GDPR. This, and other information, is available on our website, specifically at protiviti.com/GDPR.