Behind Complyon: CEO and Co-founder Julie Suhr shares her compliance journey

Can you talk a little about your background in compliance?

“I have a background in consulting and IT management. In my time at Deloitte, my role involved implementing the personal data act (which was the previous privacy law). As part of this, I also worked with implementing some IT security frameworks, such as ISO-standards, cyber security frameworks, and IT risk analysis. At the time, there were just a few people interested in this area, but then all of a sudden the GDPR came, and everyone was suddenly much more interested.

Deloitte offered me a really thorough education in the field of data privacy and security, but it was only by the time I started working in IT that it was becoming a hot topic. To me, that created an opportunity  where I could say ‘okay, I can take this area here and the difficulties in it, and make it into something that can be standardised and resolved again and again’. And we did this – with great success.”

What did you learn from these previous experiences?

“I developed a deep knowledge about how to secure IT systems in a proportional way. But I also learned that this security was never really linked to what the company did in their core business, and it was frustrating that no one ever really cared about knowing and understanding where risk lay within the business. 

The common understanding was that IT and IT security fulfil a purpose tied to the business, but solo work and policies were kept in the IT department based on the intention of providing proof to auditors they had been done. I didn’t feel like this created true value for the CEO, or the company as a whole.”

Can you explain a bit more about these frustrations in how companies manage their data security?

“The difficulty was that what IT did and knew lacked integration to other parts of the company.

In large companies, it’s very common that concepts most of the company find difficult to understand become unimportant to know, so are IT knowledge only. I felt like I’d spent so much time gaining understanding around these processes which are important for the entire company, and I was frustrated there was never an intention to make it matter, and help the rest of the company understand the importance of compliance. 

This then became part of the basis and the passion which Complyon was developed from.”

Why did you choose to develop Complyon?

“When working as consultants, the long, long implementation process for compliance solutions helped us realise this compliance isn’t something with just one end result. For instance, if a client needs to be able to pull seven reports, then over one year they need tens of thousands of consulting hours, and every week they need a new overview of the project, and they need to be able to pull several hundred different views on the work. This requires a data model where everything is interrelated, otherwise companies end up in a blind spot.

From the very beginning, when we started our own solution, the end goal was interrelated data. A lot of other compliance solutions base themselves on existing risk analysis solutions in companies, for example Excel spreadsheets that can become dynamic, but this just further deepens siloes – or creates new ones. Even when a new GDPR solution is added, it often just creates a new silo, because you can pull the reports you need for GDPR at the time, but there’s no capacity in the solution for other reports you might need down the line. 

But because we’ve spent so many hours in all angles of the compliance process, we truly understand the long-term importance of ensuring all data is connected and can be understood, and that’s the aim that’s behind Complyon and the basis for what Complyon offers. I think our ambition has been a bit more long term from the beginning, and that’s both an advantage and a challenge.”

Can you explain a bit more about why silos are problematic for compliance?

“Silo and assessment-based mapping are often the solution when no compliance system has been implemented before. This is for a few reasons, but mostly because it does the immediate job at hand, and because most compliance happens from within legal resources, where people are not used to buying software. Initially, they think it’s important to build on existing spreadsheets and make them more dynamic. However, the cons of this are that eventually, if you’re a large company, it results in so many different assessments and a lot are unnecessary. 

People find that they’re happy for a year or two, then they discover the blind spots in their solution. We avoid these difficulties and silos through interrelated mapping in our system.”

Is interrelated mapping how Complyon differentiates from other compliance solutions?

“Yes, this and the fact that we’re born from a very enterprise-mature need.

We don’t come from smaller companies who just want a tool to fix compliance in a way which is simple to understand. This is one of the reasons we had so much success in consultancy: the stakeholders we were working with were the best in the field, so they were really good at challenging us and requiring new improvements. We were constantly pushed, and constantly learning and growing and becoming more ambitious along with that. 

We have a lot of knowledge and a really mature data model that looks much further into the future than other solutions – we understand the need for continual data management and the security of knowing you can comply with every data need. It gives us an advantage but also a challenge, as we need to educate smaller companies about the challenge they are facing, and the benefits that working with an interrelated data model gives them.

I feel like the markets are still only just starting their journey of beginning to realise the importance of data security, and it’s a long way to maturity. It’s pretty normal, when a new area such as compliance comes into play, that it just takes time and can take years before everyone realises the importance. It creates an interesting and challenging arena for us now – we’re challenged to be better and better, and also help people realise the importance more and more.”

What one piece of knowledge would you give to smaller companies about compliance?

“To think more long term, and consider the long term success of their compliance. It’s not a case of just being able to run a report now, but it’s knowing you will always be able to run that report and can trust that you know and understand your data and compliance needs. 

Also, it’s a must that legal, IT, and the business work with the same pieces of information, so connecting them all is so important. They may not be departments that traditionally talk to each other, but they’re all using the same data and it makes the process so much easier when they are connected and working together.”

What does the future look like for Complyon?

“We definitely have an international focus – we don’t see any sense in making a tool that can help people all over the world and keeping it within Denmark, when it could be making such a difference. We also still need to have a focus on making our solution just as simple as other solutions, and continuing to educate the market to help them understand this.

And we are realising that we would like to add some machine learning. Everyone wants to automate the process more, because it saves so many hours. There’s great potential to implement machine learning to give suggestions, e.g. in recruitment processes and data flows, and the full overview of data creates the exciting possibility for offering suggestions and increasing automation.”


Everything you need to know about third country data transfers

For any business dealing with data transfers outside of the EEA, July 16th, 2020, is a significant and undoubtedly problematic date.

Without the right tools, knowledge, and practices in place, keeping large volumes of potentially sensitive data safe and compliant under GDPR can already be an undeniably complex process. However, after the infamous July 2020 “Schrems II” ruling by the Court of Justice of the EU (CJEU), this process became even trickier for any organization with personal data operations in ‘third countries’ – such as the US. 

Despite the release of post-Schrems II statements and guidelines, many in the US, EU, and the UK are struggling to put the far-reaching implications of the CJEU’s judgment into practice, leading to a high level of confusion and potentially risky interpretations.  

Whether you’ve never heard of Max Schrems before or are looking for tips to better protect your organization’s data, in our below guide, we run through everything you need to know about third country data transfers in 2021, including:

  • What exactly is Schrems II? A brief overview.
  • What are some examples of third-country data transfers?
  • Why are some businesses finding third-country transfers problematic?
  • What steps should businesses take to improve third country data transfers?

What exactly in Schrems II? A brief overview.

Schrems II all started with a business that is no stranger to making global headlines concerning data: Facebook. 

In 2013, privacy activist Max Schrems filed a complaint with the Irish Data Protection Commissioner, arguing the transfer of his personal data from Facebook’s legal premises in Ireland to Facebook Inc. in the US breached the EU-US Safe Harbour

The Safe Harbour had previously enabled free data flow between the EU and the US. However, Schrems took issue with the fact that under the US Foreign Intelligence Surveillance Act (FISA), the US National Security Agency has the right to access any data entering the country, including information belonging to non-US citizens.  

Schrems won his legal case, and in October 2015, the CJEU declared the Safe Harbour invalid. In response, Facebook challenged the ruling, citing their reliance on EU’s Standard Contract Clauses for best practice data protection. After the Irish DPC rejected Facebook’s latest case, Facebook invoked the infamous EU-USA Privacy Shield

Replacing the defunct Safe Harbour, The Privacy Shield (designed by the US Department of Commerce and the European Commission and Swiss Administration) once again legalized personal data transfers across the Atlantic. The Privacy Shield quickly became a common framework for any company transferring data to any third country. 

That was until Schrems round two, when the CJEU ruled the Privacy Shield invalid on July 16th, 2020. Under GDPR set out in Chapter V (Articles 44 to 50), personal data transfers from the EU to a third country (aka any country other than an EU member state and the three EEA countries -Norway, Iceland, and Liechtenstein) were now illegal if they used the Privacy Shield or solely relied on SCCs for compliance. 

Companies were now ordered to apply an ‘adequate level of protection’ and take additional steps to guarantee data is as safe and compliant in a third country as it is in the EU. With most major tech and communication companies based in the US, Schrems II has had major implications for thousands of businesses in the US, EU and UK (which has only recently been spared potential further disruption by a new EDPB official opinion).

What are some examples of third-country data transfers?

The Schrems II ruling sent such big shockwaves through the GDPR world due to the wide spectrum of data scenarios now considered third country data transfers. Essentially, irrelevant of size or sensitivity, any data transfer from the EU to a third country is affected by the July law. 

Here are a few examples of what is considered a third country data transfer:

  • An EU sales division uses a CRM service based in the United States. The EU company sends data to the CRM provider, who can then view and process data, such as client contact details, the status of a sales pipeline, and records of recent conversations with prospects.
  • An EU business uses the company’s centralized human resources provider in its Australian office. For a new round of hires, the company sends information about candidates and the interview process to the Australian service.
  • An EU marketing company uses a US-based email marketing vendor to distribute company newsletters to their employees or customer database. The organization sends on personal data such as names, email addresses, and demographics to the service to create, segment, and distribute its newsletters.

In all these scenarios, data is leaving the EU to be processed or used in a third country, meaning post-Schrems II data measures need to be applied.

It is important to note that the ICO raises the point that “a transfer is not the same as a transit.” According to the ICO,  if personal data is routed through a non-EU country, but that information is sent from one EU business to another (with no interference from a third country), you do not have to implement additional transfer protocols.

Why are some businesses finding third-country transfers problematic?

Despite the release of a series of guidelines from EU institutions concerning how new ‘adequate levels of protection’ can be achieved, for many businesses, there is still much confusion around the July 2020 ruling. 

Complyon’s GDPR and Compliance specialist, Alexandra Sigursteinsdóttir, explains further:

“Under Schrems II, there are all these different points that a company needs to be able to live up to, and some are much harder to demonstrate than others. One major example is that a third country cannot put your information at a larger risk than if it were under the EU’s protection.
In reality, this concept of equal protection is almost impossible if you’re talking about data transfers to the US. American authorities are entitled to view that data in line with anti-terrorism policies, and therefore, data is automatically categorized as more at risk.

But with so many companies based in the US, particularly in marketing and communications such as Hubspot, Google, Mailchimp, and Salesforce, European businesses can’t simply stop working with them, especially if they have no viable EU alternative.”

As Alexandra points out, the fact that EU-US personal data transfers are technically forbidden isn’t the only issue facing many European businesses:

“Most people have got the theoretical part right. So, step one, assess the country you’re going to be sending data to. Step two, assess the actual data transfer (for example, what kinds of data is it and who are you sending it to?). Step three, ask yourself if you can do anything additional to ensure that people’s data is safe such as data minimization, pseudonymization, and anonymization. They also know to follow issued guidelines from the EDPB on transfer tools and to take any supplementary measures if required.

However, applying this theory is much more complex. Within the market, a lot of people have read the rules and realize if they have to apply these additional measures to every single data transfer their company does, it’s an incredible amount of work. 

Imagine you’re buying a service that requires you to send data outside of the EU, such as sending out emails or daily newsletters via a US vendor; you’d spend all of your time simply assessing data scenarios and implementing data protection policies rather than getting on with your workload.

As it’s impractical, and in most cases impossible, to make a data assessment for every single data transfer, many people are essentially at a stage where they’re defending their data practices by making regular rather than individual assessments. 

But one company’s definition of a regular assessment will differ from another’s – for some, a regular basis is once a week; for others, it’s a month or every half year. Then, there’s the question around frequency and the nature of data being transferred. Does the frequency of assessments change with data that’s more sensitive or voluminous? 

What’s becoming clear is that Schrems II has led to a huge variation of processes and opinions, with no clear understanding of the best way to put theory into practice.”

What steps should businesses take to improve third country data transfers?

While the confusion surrounding how to safely and legally transfer information to third countries may sound daunting, it’s helpful to remember that a business is yet to be penalized for third country data activity. Most companies might not be getting it right, but they’re also not being punished for doing so.

This said, a lack of GDPR fines around third country data isn’t a free pass to treat data as you would under the Privacy Shield. As the situation evolves, there is no doubt that firmer regulations will come into play, and businesses with solid foundations and processes will find it much easier to transition to new compliance measures. 

If you’re looking to start improving or implementing best practice policies around third country data transfers, Alexandra shares her top four tips below:

1. Assess your third country’s data laws thoroughly and regularly.

“Start by assessing the country you intend to transfer your data to, so you have a very good overview of the laws and regulations in place around data protection. Then you can make a call on how safe your transfer is and the protection measures you need to take.

Make assessing the third country’s data laws and regulations a constant process. If a new law comes along, you don’t want to be asleep in class and miss out on a ruling that finds you in breach of an important clause.”

2. Get data mapping

“After you assess the country you’re transferring to, you need to assess the specific transfer itself. To do this, you need to have a robust data mapping process in place to give you a full picture of the data you’re dealing with. This oversight allows for more effective data minimization, helping you work out if you can scale down a transfer, reducing compliance issues.

Data mapping also helps you work out if you’re dealing with any particularly sensitive data and identify if additional steps are necessary to protect that data in its transfer.”

3. Apply additional security measures

“Where sensitive data has been detected, apply the appropriate level of supplementary security measures – whether that’s encryption, pseudonymization, or anonymization.

In the case that there is a breach or interception, you want to make it as hard as possible for someone to detect the person behind your data. Can you give your data subjects an ID number instead of a name, for instance, or double encrypt your dataset, so the recipient needs an encryption key to access your information?”

4. If in doubt, onboard a GDPR consult

“GDPR can be complex and requires businesses to be completely up-to-date with the latest rules and regulations in third countries and the EU. Having a specialist to hand also gives you peace of mind that you’re always compliant with the latest industry ruling.

An external GDPR consultant can help you work out the best approach for your business. For example, I often see companies over-investing in unnecessary risk assessments when they simply need to have a more structured data mapping process in place that would save them time and money.

I’ve heard many people describe it as though they feel like they’re drowning in data, rules, and processes sometimes, which is never good. A GDPR consultant can help take away that stress by streamlining your operations while optimising compliance.”

If you’d like to learn more about how Complyon’s expert GDPR consultants can assist your team or would like to discuss the benefits of our data mapping software, we’d love to talk. Simply contact us here, and we’ll be in touch.