By Andrew Sharp
Many organisations have sought to centralise system management, deploying a single HR solution, a single customer relationship management solution, a single e-commerce solution and other core business systems where a global view of data and a central administration team are helpful in achieving consistency and economies of scale. These systems are frequently managed, and in some cases also operated, by shared services teams. Whilst this approach gives those shared service teams a full view of the data within the organisation from which to gain insight, and economies of scale in supporting similar operations in different territories, it also involves transferring personal data outside the countries where it was gathered, meaning additional privacy controls need to be considered.
A common approach to the implementation of privacy controls in multinational organisations has been to regard Europe’s GDPR as a standard privacy model, deploying the same controls in other territories. The emergence of privacy laws with different controls over international data transfers, such as the PIPL in China, brings a need to rethink this centralised approach and to implement additional local privacy controls, creating a hybrid, federal privacy model with overarching principles and local variations in controls.
Whereas GDPR allows international transfers with appropriate safeguards which can be deployed for the entire process, typically standard contractual clauses, PIPL not only sets out similar conditions to be met before personal data may be transferred outside China, but also requires that the individual has given their consent. The draft data protection bill in India has similar consent provisions. The challenge for organisations operating in these countries, therefore, is to consider how transfers to shared services teams can be avoided if consent is not forthcoming. The convenience of shared services for the organisation must be balanced against the right of the individual to have their data used in their home country and the possible benefits to the individual from international transfers.
There will be cases where an international transfer has a clear benefit to the individual and consent should then be sought. One such scenario is an international retail or service business where a customer will want staff to be able to access their records at any location worldwide. The benefits of the transfer should be explained to the customer and their consent to centralise the information can then be sought.
Avoiding centralisation as the default, whilst accessing information when requested, will mean making significant changes to the centralised shared service model.
Five critical questions for privacy teams to consider
In reviewing the delivery of shared services, organisations will need to consider whether a more federated approach can deliver most of the benefits of centralisation, including common software standards, centralised management and aggregated insights.
- Can we localise hosting of data and access to that data in territories requiring consent for international transfers? This would involve deploying local instances of core systems and local service teams to operate those systems.
- Can we continue central administration of software? This would involve security controls permitting a centralised team to manage software without being able to access any personal data.
- Can we anonymise information to be centralised and used to derive insights into operational performance of shared service teams? This would involve anonymising data locally before centralising it for analysis and insight.
- Are there cases where the individual benefits from transfer of their data, so consent must be sought? This would involve identifying an appropriate mechanism to capture that additional consent.
- How will we access information outside the individual’s home country when requested? This could involve enabling remote access to records where consent has been given, or could involve central storage of data where consent has been given.
Supporting colleagues in adapting to limitations on international transfers will be a challenging task for privacy teams, demanding an understanding of the international transfer requirements in each territory, the applicable regulatory frameworks and the ability to translate that knowledge into guidance for systems architecture teams designing changed deployment of shared services. Securys does this for its clients and offers services to support the mapping of data flows and the selection of appropriate privacy controls.
To more read about the webinar "about our international data series, our regular panellists were joined by industry expert Isabelle Roccia, Managing Director, IAPP Europe and Thanas Loli, Chief Privacy Officer, Northern Trust Corporation"
Click here :https://www.securys.co.uk/webinar-brexit-adequacy-and-international-data-transfers-the-next-chapter?hsLang=en-gb