A client recently asked me what I think are the biggest risks for companies regarding the GDPR. I had to think because the question requires a straight answer, and lawyer answers are rarely direct. The first answer is probably “it’s pretty risky not to know that the GDPR exists.” Brussels is not going to accept the “oh wait what is this?” defense. But even for a company that understands GDPR basics (data security by design, robust consent, transparency), the biggest concern I have is about data transfers – transfers from one company to another, and transfers from one country to another.
The Regulation is pretty clear on this subject. If you are going to transfer data to a third party, they must operate in a country with privacy laws that have been deemed “adequate” by the Commission, or there must be a formal, written agreement providing evidence of the company’s own compliance with central GDPR principles. You may be able to rely on the standard contractual clauses, but those are under judicial review, and they aren’t perfect either.
The reason transfers concern me is that the potential for inadvertent violations is so high. I’ll put it this way: you can have a good, even great, data security program in place, and you can be extremely careful about protecting your customer data and still be on the hook for millions if you don’t tread carefully when you let that data leave your possession or leave your country.
For instance, imagine that your company uses a North Carolina cloud storage service provider for data on your Dutch and Danish customers. The mere storage of that data in the US does not necessarily create an obligation for the service provider to be GDPR compliant (though there are other obligations that still have to be met). You’re probably safe. But what if the service provider says that they can review the data to help you identify which existing customers have made purchases in the US — all that needs to happen is for the service provider to review and cross-reference your customer data with another database already in its possession?
It seems like a no-brainer, right? Except if you agree, your service provider has now become a processor of EU citizen data, you have now “transferred” personal data to a processor outside of the European Union, and the US has been (rather emphatically) deemed a “non-adequate” state when it comes to data security. You’re on the hook for a GDPR violation.
This is why transfers are so vexing: the GDPR seems to erect barriers to common-sense business practices like the one I describe above. Yet at the same time, the GDPR’s goal isn’t to undermine common sense, but to make data security a central component of it. In other words, if maximizing data value is a given, so should be protecting the people who generated that data.
The best way to make sure that data transfers don’t become a liability trap is to treat data transfers like a liability trap. Carefully examine every decision about where data will go to determine if you are inviting exposure. I often recommend that clients set up a decision tree where, if data will leave the country or leave the company, it requires approval from their data security/privacy oversight team (we’ll discuss those another time). And keep your lawyer on standby to review contracts with third parties to make sure that they comply with GDPR requirements (and, you know, that they’re not terrible contracts). That way, you’ll know, at the very least, that you’re approaching data transfers like someone who is datasmart.