In the face of political uncertainty, organizations are challenged every day to keep the personal data they hold safe across their entire ecosystem. They must be sure that their partners, suppliers and other third parties are also keeping the organization’s data safe. As well, the growth of technologies such as machine learning and artificial intelligence (AI)—and the reputational damages associated with personal data breaches, such as improper use or sharing of data—are increasing the focus on how ethically organizations treat personal data.
Boards and senior executives are concerned about the impact of data privacy on meeting financial and strategic goals and are realizing that a strong approach, underpinned by the right program and platform, delivers the key to ensuring compliance and winning customer trust. However, given the increased unpredictability of government actions, it’s imperative that organizations be able to respond with agility to changes in laws, regulations, trade deals and other types of agreements that impact data flows.
Catching Data Flows in Politics
The regulatory landscape is evolving rapidly. The EU’s General Data Protection Regulation (GDPR) recently hit its first anniversary, and in the U.S., California just passed its California Consumer Privacy Act (CCPA)—and other states are considering similar legislation, as is the federal government. Globally, data privacy regulation will only increase over the next five years.
Currently, we operate under what’s known as the Privacy Shield Frameworks that govern the commercial flow of data between the U.S. and the EU and the U.S. and Switzerland. The frameworks were created by regulators in support of transatlantic commerce to provide companies from each region with guidelines to comply with data protection requirements when transferring personal data form the U.S. to the EU and Switzerland. While the frameworks were authorized for another year in December 2018, the EU has expressed reservations due to the lack of data privacy legislation at the national level in the U.S. and maintains concerns about federal legislation taking hold, given the current political climate.
The EU is also worried about the Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943), passed by Congress in 2018, which obligates U.S. service providers to comply with U.S. orders to disclose data, regardless of its storage location. The EU additionally continues to have issues with the reauthorization of the Foreign Intelligence Surveillance Act (FISA), which allows access to communications of foreigners outside the U.S. Both laws directly conflict with GDPR and limit the protections available over EU citizens’ data privacy.
These ongoing concerns could delay the renewal of the Privacy Shield next year, which could, in turn, bring a serious impact to the flow of data between the EU and the U.S.—and organizations need to be prepared for this.
Mastering Data Flows in the Face of Uncertainty
In this age of data privacy, and until governments sort out federal regulations of their own, there will always be uncertainty surrounding international data flows. Regardless of what the future may hold, organizations need to be prepared so as not to disrupt their business. Here’s how:
- Know your data flow: Track and understand all the ways your organization’s data is transferred abroad, including where the data is going and in what direction it is flowing. Organizations also should monitor which data flows contain personal information and the technology used to transmit it.
- Create contractual defenses: As a first step, it’s critical to know who is receiving the data flowing between countries. From there, organizations should develop contracts with these recipients around data-sharing that will hold up to potential regulatory changes. If the data is staying within one organization but flowing globally, corporate rules should also be examined. Organizations should update contractual language or corporate policies regularly.
- Set internal rules: If data sharing is within the organization itself, then the binding corporate rules about information-sharing across borders need to be examined. Having the right language in place to guide cross-border data-sharing is the best safeguard an organization can put in place.
Organizations are now responsible and accountable for data privacy as a result of regulations. Regulatory change is widely anticipated to accelerate around data privacy and personal data protection—change that will be difficult to manage through silos or with manual processes that will be unsustainable as the volume of data and related regulation grows.
The organizations that adopt a more strategic approach—truly treating personal data as an asset and fostering a personal data culture built on collaboration—are nearly guaranteed to come out ahead. Organizations with this mindset will be better armed to ensure their international data can continue to flow effectively and that they can use it to thrive competitively.