Andrew Priest on Cross-Border Data Protection, Privacy, and Compliance: Challenges and Solutions
Data flows freely today across borders and jurisdictions — or does it? In reality, the laws and regulations surrounding data protection, privacy, and compliance have become a global maze that’s difficult to navigate.
Fortunately, Dan Haagman, CEO of Chaleit, had a valuable conversation on this topic with Andrew Priest, Partner at Birketts LLP. As a seasoned expert in the field, Andrew shared important lessons for making sense of the data labyrinth.
The conversation explored the challenges of the global data protection landscape, fundamental principles to uphold, misconceptions around data transfers, documentation pitfalls, and the need to raise the bar beyond minimum compliance.
Watch the chat and read the takeaways below to learn how to safely move through the data “minefield” and “do the right thing” in a highly complex environment.
Striving for core data protection principles
Data protection laws have traditionally been specific to countries or regions. For instance, the UK has had data protection laws since 1998, and the EU’s regulations date back even further.
However, in today’s interconnected world, where data flows globally across businesses and individuals, having different regulations in different jurisdictions creates major challenges.
Andrew notes that while some countries have robust data protection rules, others have very limited safeguards in place. This patchwork of laws makes it extremely complicated to determine which rules a global company must comply with.
“It’s quite a minefield to establish which laws you must comply with. And unfortunately, there are no easy answers to these things,” he emphasises.
How can organisations make sense of this complex landscape? Andrew explains that law firms like Birketts aim to uphold certain fundamental data protection principles, even in jurisdictions without comprehensive legislation. These include treating data lawfully and fairly, being transparent about its use, using it only for specified purposes, and retaining it for only as long as needed.
Complying with those core principles creates a sort of standard of data protection and privacy.
However, Andrew acknowledges that getting all parties on board with prioritising these principles can be challenging when data protection is new to them.
In this context, explaining the underlying reasons for data protection rules, which ultimately aim to safeguard privacy, becomes essential. “We have to think from an individual’s point of view, ensuring data protection because if not, cyber security threats can arise, making people’s lives very difficult,” he says.
The nuances of data transfer and residency
Data transfer is another complex issue, especially with cloud technology and remote work. Andrew explains that even accessing data from another country can constitute a data transfer, further complicating compliance. This nuanced interpretation creates immense due diligence requirements for global companies.
The complexity increases with the involvement of supply chains. Andrew emphasises the importance of understanding data flows within a project, including those involving third-party providers: “Our starting point is always understanding data flows. Sometimes clients need to go away and figure out where their data is going before we can advise them properly.”
“Data residency becomes a question of whether data is saved in a new location. Accessing it remotely might not change its residency status, but it depends on the specifics,” Andrew explains. Understanding these nuances is crucial for organisations operating across multiple jurisdictions.
It’s often difficult to get full visibility, he says, but he stresses that the data controller is responsible for knowing where that data is at all times.
The data controller dilemma
One significant point of confusion is the distinction between data processors and data controllers. While data processors handle data on behalf of controllers, many organisations fear the obligations and liabilities associated with being a data controller.
“There’s a reluctance to take on the role of data controller due to the significant obligations and potential fines for non-compliance,” Andrew says.
He advises working closely with data controllers to establish appropriate protections without necessarily taking on the controller role.
Part of the struggle, Andrew says, is that data protection compliance can become an overly documentation-driven check-box exercise. It’s very easy to put documentation in place: people sign it and then move on without thinking about what this means in practical terms, he explains.
“You need someone within the organisation to look at data protection from a practical perspective, not just trying to get the contract signed,” Andrew emphasises. This focus ensures that security measures are genuinely in place rather than merely documented.
The future of data protection
Looking ahead, Andrew is optimistic about increasing global harmonisation and cooperation on data protection principles and enforcement, with the GDPR framework being viewed as a “gold standard” to work towards.
He expects the currently fragmented U.S. state-by-state approach to consolidate into overarching federal legislation akin to GDPR. India’s new data protection laws are also a positive step.
Andrew believes that increased cooperation between regulatory authorities worldwide will lead to more consistent and effective data protection practices.
Overall, he sees data protection as an area of constant evolution and challenges, but one where striving for universal best practices will benefit global enterprises and individual privacy alike. As he states, “Data protection is never going to be perfect. And there are always going to be challenges.”
Is your organisation truly protecting data across all jurisdictions? Information security is not just an IT issue but should be a business-wide function.
If you need expert guidance on navigating the data protection maze, contact us. Our team has decades of combined experience helping organisations meet the high bar for data privacy no matter where data travels.