The EU's General Data Protection Regulation (GDPR) is one of the strictest data privacy laws in the world. As GDPR enforcement intensifies and privacy laws continue to evolve, businesses must adapt quickly or face significant consequences.
Data protection and the global remediation of cross-border data transfers
GDPR compliance and enforcement have evolved significantly since the regulation's introduction, creating ongoing challenges for businesses. In 2020, the European Court of Justice (ECJ) invalidated the EU-US Privacy Shield, a mechanism previously widely used by US companies to transfer personal data from the EU.
The invalidation of the Privacy Shield created a significant challenge, forcing organisations to reassess their data transfer mechanisms to ensure GDPR compliance. Businesses have had to rely on alternative transfer mechanisms such as Standard Contractual Clauses while waiting for a more permanent solution for EU-US data transfers.
Non-compliance is not an option, but companies face complex and evolving regulations around obtaining valid user consent and maintaining transparency in how personal data is used. The year 2021 saw a significant uptick in GDPR non-compliance fines. Tech giants like Amazon and WhatsApp were hit with record-breaking fines ($887 million and $266 million respectively), demonstrating the tougher stance taken by regulators.
As GDPR enforcement intensifies and privacy laws continue to evolve, businesses must adapt quickly or pay the price. This was the context when Avertim was enlisted by a major French bank to coordinate a project remedying cross-border data transfers of personal data at a global level.
Creating compliant cross-border data protection processes - Avertim's approach
Avertim's team was pivotal in formulating the group's data protection guidelines and their implementation across the banking infrastructure. A dedicated task force was established to respond to the evolving regulatory landscape and heightened calls for compliance.
"A key objective was to harmonize the bank's data protection initiatives across all entities and contribute to its overarching data management strategy," said Brieuc Balamba, Privacy Expert and Project Manager for GDPR Compliance, who worked on the project.
To do this, Avertim took on several critical roles, one of the most important being the global coordination of cross-border data transfers.
The working methodology Avertim adopted for this data protection project
Following the termination of the Privacy Shield, data transfers from the European Economic Area (EEA) became subject to Transfer Impact Assessment questionnaires (TIAs). A TIA is a type of risk assessment that verifies that personal data transferred outside of the EU remains protected to the standard GDPR requires. They are complex and crucial - for example, in mid-2023 Meta was fined a record 1.2 billion euros ($1.3 billion) by Ireland's Data Protection Commission because of the lack of appropriate transfer mechanisms.
Avertim ensured the effective completion of TIAs by the bank's entities, providing project management support across multiple suppliers. This involved facilitating remediation efforts and acting as a liaison between the entities and the bank.
At the same time, Avertim took on the responsibilities of the project management office (PMO) and product owner (PO) for the Privacy User Journey framework. This document serves as a guide for project managers within the bank, detailing how to handle personal data during projects to ensure compliance with the relevant data processing regulations.
Avertim also managed the Data Dictionary project, which aimed to create a comprehensive reference data dictionary establishing shared definitions aligned with the GDPR throughout the organisation.
On a day-to-day basis, Avertim provided support for project management tasks and reported to senior management. The team also prepared for project committees and executive committees, further ensuring the smooth operation of the project.
Standardised and updated data management - the project's key outcomes
Avertim achieved updated documentation and processes, provided valuable recommendations, ensured compliance with mandatory legal requirements, and facilitated effective privacy risk assessment, all within the expected timeframe.
Some of the project outcomes include:
- Updated documentation and comprehensive technical process documentation
- Successful completion of 500+ Transfer Impact Assessment Questionnaires (TIAs) for top-tier suppliers
- Introduction of the Privacy User Journey framework, providing end-to-end guidelines for project managers and product owners on the appropriate use of personal data during projects
- Creation of a VBA-based privacy evaluation questionnaire including more than 200 questions to fully assess the privacy risks associated with data processing. This questionnaire facilitates the step-by-step implementation of the privacy risk assessment methodology throughout a project's lifecycle, ensuring effective risk management and compliance with data protection regulations.
Post-project client feedback
- The client expressed their satisfaction with Avertim's approach, work methodology, and adaptability in handling multiple subjects simultaneously, all of which resulted in timely delivery.
- The client particularly appreciated the dynamic atmosphere fostered within the team, enabled by Avertim's structure of two consultants (a manager and a senior consultant).
- The team's excellent collaboration fostered motivation and ultimately enhanced day-to-day project performance.
Implementing cross-border GDPR - Lessons learned
Cross-border data remediation, particularly in the context of GDPR, presents unique challenges.
1. One of the key takeaways is the importance of understanding the nuanced regulatory landscape. As different jurisdictions may have varying data protection laws, it's essential to ensure that data transfers are compliant with all relevant regulations.
2. Another is the significance of clear communication and cooperation among various entities involved in data transfers. Any cross-border data remediation project involves multiple stakeholders, and it's crucial to act as a bridge between these parties, facilitating remediation efforts and ensuring progress.
3. This type of project underscores the need for robust project management and reporting strategies. Regular updates to senior management and preparation for the project and executive committees help keep everyone on the same page and ensure alignment with the organisation's overall data management strategy, which is especially crucial for international organisations.
As GDPR enforcement and privacy laws continue to evolve, businesses must adapt their processes or face expensive consequences. This project demonstrated the tangible value of partnering with experts like those at Avertim, including enhanced data protection, regulatory compliance, and improved project management practices.
Want to learn more about cross-border data transfers and the EU's General Data Protection Regulation?