Everything you need to know about third country data transfers

For any business dealing with data transfers outside of the EEA, July 16th, 2020, is a significant and undoubtedly problematic date.

Without the right tools, knowledge, and practices in place, keeping large volumes of potentially sensitive data safe and compliant under GDPR can already be an undeniably complex process. However, after the infamous July 2020 “Schrems II” ruling by the Court of Justice of the EU (CJEU), this process became even trickier for any organization with personal data operations in ‘third countries’ – such as the US. 

Despite the release of post-Schrems II statements and guidelines, many in the US, EU, and the UK are struggling to put the far-reaching implications of the CJEU’s judgment into practice, leading to a high level of confusion and potentially risky interpretations.  

Whether you’ve never heard of Max Schrems before or are looking for tips to better protect your organization’s data, in our below guide, we run through everything you need to know about third country data transfers in 2021, including:

  • What exactly is Schrems II? A brief overview.
  • What are some examples of third-country data transfers?
  • Why are some businesses finding third-country transfers problematic?
  • What steps should businesses take to improve third country data transfers?

What exactly is Schrems II? A brief overview.

Schrems II all started with a business that is no stranger to making global headlines concerning data: Facebook. 

In 2013, privacy activist Max Schrems filed a complaint with the Irish Data Protection Commissioner, arguing that the transfer of his personal data from Facebook’s legal premises in Ireland to Facebook Inc. in the US breached the EU-US Safe Harbour.

The Safe Harbour had previously enabled free data flow between the EU and the US. However, Schrems took issue with the fact that under the US Foreign Intelligence Surveillance Act (FISA), the US National Security Agency has the right to access any data entering the country, including information belonging to non-US citizens.  

Schrems won his legal case, and in October 2015, the CJEU declared the Safe Harbour invalid. In response, Facebook challenged the ruling, citing its reliance on the EU’s Standard Contractual Clauses (SCCs) for best practice data protection. After the Irish DPC rejected Facebook’s latest case, Facebook invoked the infamous EU-US Privacy Shield.

Replacing the defunct Safe Harbour, the Privacy Shield (designed by the US Department of Commerce together with the European Commission and the Swiss Administration) once again legalized personal data transfers across the Atlantic. The Privacy Shield quickly became a common framework for any company transferring data to any third country. 

That was until Schrems round two, when the CJEU ruled the Privacy Shield invalid on July 16th, 2020. Under the GDPR rules set out in Chapter V (Articles 44 to 50), personal data transfers from the EU to a third country (i.e. any country other than an EU member state and the three EEA countries: Norway, Iceland, and Liechtenstein) were now illegal if they relied on the Privacy Shield or solely on SCCs for compliance. 

Companies were now ordered to apply an ‘adequate level of protection’ and take additional steps to guarantee data is as safe and compliant in a third country as it is in the EU. With most major tech and communication companies based in the US, Schrems II has had major implications for thousands of businesses in the US, EU and UK (which has only recently been spared potential further disruption by a new EDPB official opinion).

What are some examples of third-country data transfers?

The Schrems II ruling sent such big shockwaves through the GDPR world because of the wide spectrum of data scenarios now considered third country data transfers. Essentially, irrespective of size or sensitivity, any data transfer from the EU to a third country is affected by the July 2020 ruling. 

Here are a few examples of what is considered a third country data transfer:

  • An EU sales division uses a CRM service based in the United States. The EU company sends data to the CRM provider, who can then view and process data, such as client contact details, the status of a sales pipeline, and records of recent conversations with prospects.
  • An EU business uses the company’s centralized human resources provider in its Australian office. For a new round of hires, the company sends information about candidates and the interview process to the Australian service.
  • An EU marketing company uses a US-based email marketing vendor to distribute company newsletters to their employees or customer database. The organization sends on personal data such as names, email addresses, and demographics to the service to create, segment, and distribute its newsletters.

In all these scenarios, data is leaving the EU to be processed or used in a third country, meaning post-Schrems II data measures need to be applied.

It is important to note that the ICO raises the point that “a transfer is not the same as a transit.” According to the ICO, if personal data is merely routed through a non-EU country on its way from one EU business to another (with no access or processing by a party in the third country), you do not have to implement additional transfer protocols.

Why are some businesses finding third-country transfers problematic?

Despite the release of a series of guidelines from EU institutions concerning how new ‘adequate levels of protection’ can be achieved, for many businesses, there is still much confusion around the July 2020 ruling. 

Complyon’s GDPR and Compliance specialist, Alexandra Sigursteinsdóttir, explains further:

“Under Schrems II, there are all these different points that a company needs to be able to live up to, and some are much harder to demonstrate than others. One major example is that a third country cannot put your information at a larger risk than if it were under the EU’s protection.
In reality, this concept of equal protection is almost impossible if you’re talking about data transfers to the US. American authorities are entitled to view that data in line with anti-terrorism policies, and therefore, data is automatically categorized as more at risk.

But with so many companies based in the US, particularly in marketing and communications such as Hubspot, Google, Mailchimp, and Salesforce, European businesses can’t simply stop working with them, especially if they have no viable EU alternative.”

As Alexandra points out, the fact that EU-US personal data transfers are technically forbidden isn’t the only issue facing many European businesses:

“Most people have got the theoretical part right. So, step one, assess the country you’re going to be sending data to. Step two, assess the actual data transfer (for example, what kinds of data is it and who are you sending it to?). Step three, ask yourself if you can do anything additional to ensure that people’s data is safe such as data minimization, pseudonymization, and anonymization. They also know to follow issued guidelines from the EDPB on transfer tools and to take any supplementary measures if required.

However, applying this theory is much more complex. Within the market, a lot of people have read the rules and realize if they have to apply these additional measures to every single data transfer their company does, it’s an incredible amount of work. 

Imagine you’re buying a service that requires you to send data outside of the EU, such as sending out emails or daily newsletters via a US vendor; you’d spend all of your time simply assessing data scenarios and implementing data protection policies rather than getting on with your workload.

As it’s impractical, and in most cases impossible, to make a data assessment for every single data transfer, many people are essentially at a stage where they’re defending their data practices by making regular rather than individual assessments. 

But one company’s definition of a regular assessment will differ from another’s – for some, a regular basis is once a week; for others, it’s a month or every half year. Then, there’s the question around frequency and the nature of data being transferred. Does the frequency of assessments change with data that’s more sensitive or voluminous? 

What’s becoming clear is that Schrems II has led to a huge variation of processes and opinions, with no clear understanding of the best way to put theory into practice.”

What steps should businesses take to improve third country data transfers?

While the confusion surrounding how to safely and legally transfer information to third countries may sound daunting, it’s helpful to remember that a business is yet to be penalized for third country data activity. Most companies might not be getting it right, but they’re also not being punished for doing so.

This said, a lack of GDPR fines around third country data isn’t a free pass to treat data as you would under the Privacy Shield. As the situation evolves, there is no doubt that firmer regulations will come into play, and businesses with solid foundations and processes will find it much easier to transition to new compliance measures. 

If you’re looking to start improving or implementing best practice policies around third country data transfers, Alexandra shares her top four tips below:

1. Assess your third country’s data laws thoroughly and regularly.

“Start by assessing the country you intend to transfer your data to, so you have a very good overview of the laws and regulations in place around data protection. Then you can make a call on how safe your transfer is and the protection measures you need to take.

Make assessing the third country’s data laws and regulations a constant process. If a new law comes along, you don’t want to be asleep in class and miss out on a ruling that finds you in breach of an important clause.”

2. Get data mapping

“After you assess the country you’re transferring to, you need to assess the specific transfer itself. To do this, you need to have a robust data mapping process in place to give you a full picture of the data you’re dealing with. This oversight allows for more effective data minimization, helping you work out if you can scale down a transfer, reducing compliance issues.

Data mapping also helps you work out if you’re dealing with any particularly sensitive data and identify if additional steps are necessary to protect that data in its transfer.”

3. Apply additional security measures

“Where sensitive data has been detected, apply the appropriate level of supplementary security measures – whether that’s encryption, pseudonymization, or anonymization.

In the case that there is a breach or interception, you want to make it as hard as possible for someone to detect the person behind your data. Can you give your data subjects an ID number instead of a name, for instance, or double encrypt your dataset, so the recipient needs an encryption key to access your information?”
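The supplementary measures Alexandra describes (data minimization, replacing names with an ID number, keeping the means of re-identification with the exporter) can be carried out mechanically on a record set before it leaves the EU. The following is an added example, not code from Complyon or from the original article; the sample CRM records, the field lists and the secret key are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: a CRM export an EU sales team might send to a US vendor.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Anna Berg", "email": "anna@example.org", "phone": "+45 0000 0001",
     "pipeline_stage": "proposal", "last_contact": "2021-03-02"},
    {"name": "Luca Rossi", "email": "Luca@Example.org", "phone": "+39 000 0002",
     "pipeline_stage": "negotiation", "last_contact": "2021-03-05"},
]

# Data minimization: only the fields the recipient needs for the stated purpose.
TRANSFER_FIELDS = ("pipeline_stage", "last_contact")
# Direct identifiers are replaced by a pseudonym; the mapping table stays in the EU.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
# Constructed key held by the EU exporter only; in practice it would come from a secrets store.
EXPORTER_KEY = b"constructed-exporter-key-not-for-real-use"


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256 of the normalised e-mail).

    Deterministic, so repeat transfers refer to the same subject; keyed, so the
    recipient cannot rebuild the link by hashing guessed e-mail addresses.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes,
                 transfer_fields=TRANSFER_FIELDS,
                 identifiers=DIRECT_IDENTIFIERS) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (outbound records for the third country, mapping kept by the exporter)."""
    outbound: List[Dict[str, str]] = []
    mapping: Dict[str, Dict[str, str]] = {}
    for rec in records:
        subject_id = make_pseudonym(key, rec["email"])
        mapping[subject_id] = {f: rec[f] for f in identifiers if f in rec}
        outbound.append({"subject_id": subject_id,
                         **{f: rec[f] for f in transfer_fields if f in rec}})
    return outbound, mapping


def leaks_identifier(outbound: List[Dict[str, str]], identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Pre-transfer check: True if any direct identifier field survived minimization."""
    return any(f in rec for rec in outbound for f in identifiers)


def reidentify(mapping: Dict[str, Dict[str, str]], subject_id: str) -> Dict[str, str]:
    """Used inside the EU, e.g. to answer a data subject request about a vendor record."""
    return mapping.get(subject_id, {})


if __name__ == "__main__":
    out, kept_in_eu = pseudonymise(SAMPLE_RECORDS, EXPORTER_KEY)
    assert not leaks_identifier(out)
    for rec in out:
        print(rec)  # pseudonymised rows that may be sent to the vendor
```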

4. If in doubt, onboard a GDPR consultant

“GDPR can be complex and requires businesses to be completely up-to-date with the latest rules and regulations in third countries and the EU. Having a specialist to hand also gives you peace of mind that you’re always compliant with the latest industry ruling.

An external GDPR consultant can help you work out the best approach for your business. For example, I often see companies over-investing in unnecessary risk assessments when they simply need to have a more structured data mapping process in place that would save them time and money.

I’ve heard many people describe it as though they feel like they’re drowning in data, rules, and processes sometimes, which is never good. A GDPR consultant can help take away that stress by streamlining your operations while optimising compliance.”

If you’d like to learn more about how Complyon’s expert GDPR consultants can assist your team or would like to discuss the benefits of our data mapping software, we’d love to talk. Simply contact us here, and we’ll be in touch.

The case for privacy software: 6 reasons why you need to invest

The end of an Excel era

There are a number of culprits responsible for the death of the spreadsheet in today’s privacy practices.

First, there’s enterprise data, which has become more voluminous and sprawling than ever. Next, you’ve got cybersecurity threats, with breaches at an all-time high and hackers adopting increasingly sophisticated or devious behaviors (according to FinTechNews, 85% of people posting puppy photos are apparently trying to scam you). 

Then there are issues of data-savvy customers and global privacy regulations, which place heavy financial, reputational, and legal pressures on any company that handles data. 

Against these progressively powerful factors, traditional and manual spreadsheet strategies no longer stand a chance. Particularly as privacy regulations are becoming more established and regulators more rigorous, smart businesses are realizing the important role privacy software plays in the fight against data anarchy.

While compliance is undoubtedly the main driver behind this wave of interest surrounding privacy software, the business benefits of privacy tools stretch far beyond this primary driver.

If you’re looking to build a case for investing in privacy software, you’ll find six of these major benefits below.

1. Increasing compliance

Keeping in line with GDPR and CCPA regulations is a complex task. One of the main ways companies can simplify compliance processes is to arm employees with the tools they need to track, organize, and manage the data they handle.

However, recent analysis of imposed GDPR fines suggests that many companies still don’t have sufficient resources or policies in place to manage their data effectively. In fact, according to Forrester’s alarmingly titled study, ‘Guess what? GDPR enforcement is on fire!’ failures of data governance have triggered more fines and penalties than security breaches. 

Forrester found that DPAs have primarily acted against the infringement of Article 5 (principles of processing of personal data) and Article 6 (lawfulness of processing), which cover issues such as fairness of processing and the amount of data a company collects from a customer.

The 2020 study also found that most current enforcement actions involved data access requests and data deletion issues. It highlighted a case in Germany where a property company was fined €14.5 million for its inability to delete customer data correctly. 

Combining automation, AI, and intuitive interfaces, the best privacy software gives users clear visibility over how data moves through an organization. Unlike manual processes, which can be messy, time-consuming, and unable to match the speed and volume of enterprise data, privacy software such as Complyon makes it easy to discover exactly where data resides, as well as why and by whom it is processed.  

Ditching spreadsheets, Complyon’s privacy compliance software offers a multi-layer view of where your data and systems interact, providing a clear, visual overview that maps out data flows to allow employees to quickly locate files, provide documentation of their activity, identify risk, and isolate potential breaches. 

2. Safeguarding customer trust

Today’s customer, whether B2B or B2C, is far more interested in and knowledgeable about their data rights. 

As reported by Cisco’s consumer privacy survey, 84% of people care about the privacy of their data, with 80% stating they are willing to protect it and 48% indicating they’d already switched companies or providers due to poor data policies or sharing practices.

With customers demanding more trust and transparency, businesses need to respond to individual queries quickly, while offering total visibility over data storage, movement and archiving. 

Currently, this is not often the case. In Gartner’s 2019 Security and Risk Survey, two-thirds of respondents revealed it took them two weeks or more to respond to a single subject rights request (SRR). If you’re the customer in this scenario, two weeks is a long, frustrating time to wait for the information you need.

Through data mapping, privacy software gives you everything a customer needs to know about their data within a few moments. It can locate where a customer’s data is being stored, how it is being used, and who has come into contact with that data. 

By reducing response times to queries, privacy software helps maintain customer trust and loyalty, reassuring your customers that you know what you’re doing and that you take data protection as seriously as they do.

3. Uncovering new insights and trends

To work effectively, privacy software requires a business to collect all its data and collate it in one centralized location. This process means each department has to thoroughly examine the data it stores and manages, gathering information from a wide variety of sources.

Organizing decentralized data in this way is hugely beneficial. When an enterprise pools its data, it helps to break down data silos, potentially leading to valuable inter-departmental insights. For example, information gathered by a customer services team could help a marketing department tailor their messaging for more effective campaigns. Or, the product team could come up with a new feature following feedback received by their IT colleagues.

Similarly, at a department level, when privacy management software collates and centralizes information from every app, folder, desktop, and inbox, it becomes much easier to find deep insights and patterns in your data – particularly compared to if that data is dispersed or inaccessible. 

By implementing privacy software practices, vast volumes of data become meaningful assets, acting as a company’s secret weapon rather than their Achilles’ heel. You’re able to recognize trends that previously would have gone unnoticed, steering you towards more strategic, data-driven decisions. 

4. Improving third-party risk management 

According to Forrester, although third-party risk management is nothing new on the privacy scene, it’s set to be ‘the next big thing in the privacy arena.’

For anyone involved with managing third-party data, this prediction will come as no surprise. As watertight as your data policies and practices may be, if vendors, distributors, or any other partner falls short of your standards, they not only pose a potential security threat on your ecosystem but a risk to your company’s reputation. 

Privacy software tools offer businesses greater oversight and control over how partners store and process data, allowing for early detection of any compromising practices. For example, Complyon provides companies with the tools they need to work collaboratively with third parties, integrating external databases into one centralized system that incorporates third-party data processing agreements and inspections.

5. Recovering quicker from data breaches

While it’s true most GDPR fines have been triggered by data processing errors rather than data security, breaches are still a threat no organization can take for granted. 

This year alone has seen a 273% year-on-year increase of cyberattacks, with over 16 billion records exposed and high profile cases targeting global players such as Marriott, MGM resorts, Zoom, Nintendo, EasyJet and Twitter, which notably found hackers had accessed the accounts of top US figures, including Barack Obama, Joseph R. Biden Jr., Elon Musk, and Bill Gates.

Investing in privacy software doesn’t guarantee 100% immunity against cyberattacks. However, recent studies have shown that it does provide substantial benefits for breach prevention and management.  

For instance, out of the 2800 security professionals surveyed in Cisco’s Annual Cybersecurity Benchmark Study, those who worked at organizations with higher privacy investments were over twice as likely to be breach-free (28%). This higher accountability group also found the impact and cost of a breach to be significantly lower, with 19% less downtime from breaches, 28% fewer records impacted, and 10% lower breach costs. 

6. Boosting ROI on privacy spending

Another key finding from Cisco’s 2020 Cybersecurity Study is a handy benefit for anyone pitching for more budget for their privacy software investment. 

Analyzing data on privacy spending and benefits, Cisco’s report estimates that for every dollar of investment a company makes, it receives $2.70 worth of benefit. The study revealed that 47% of companies are seeing greater than twofold return on privacy investments, 33% are breaking even, and only 8% spent more than they are receiving back in benefits. 

Benefits included all points we’ve covered so far, as well as additional advantages such as achieving a competitive edge, enabling agility and innovation, and making a company more attractive to investors. 

Cisco was also quick to point out that returns didn’t vary significantly by company size. Although larger companies were indeed spending more, the ratio of benefits to spending was similar across all company sizes. 

Final thoughts on privacy software

In an age where privacy regulations (and enforcements) are ramping up, enterprise data is exploding in volume, and customers are increasingly data savvy, the case for investing in privacy management software has never been more pressing. 

With the ability to simplify compliance processes, retrieve valuable new insights, protect customer relationships and offer additional breach protection, there is no doubt that privacy software should be a key component of any tech stack that processes private data. 

If you’d like to learn more about how Complyon’s privacy software can benefit your business or would like to discuss software privacy issues in more detail, we’d love to talk. Simply contact us here and we’ll be in touch.