International Data Transfers
We provide a comprehensive service that ensures data subject rights are protected whilst keeping data flowing and risks minimised.
We map all your data flows, identifying where data is transferred, which partners are involved, what business process is being served and what the risks really are.
We review the mapped flows to ensure that the appropriate paperwork and supporting reasoning is in place across all of the data protection regimes that apply.
We check that you have the right safeguards in place and that they are being applied correctly. This includes comprehensive audit of your supply chain for security and compliance.
Sometimes doing less is the best answer. We will help you find ways to reduce what is being transferred, or to transform identifiable data into aggregated or anonymised information without reducing business effectiveness.
Whether you are responding to a regulator, a supply-chain partner, a customer or a data subject we will be there to support you, ensuring that each party receives the right information at the right time in the right format.
Proper compliance requires continuous vigilance, both to ensure that the defined policies and procedures are being followed and to check that supply chain partners are meeting their obligations. Let us take the strain.
Working in conjunction with your privacy office, we undertake a detailed review of your existing practices to identify and map your existing data transfers. For each transfer we review the lawful basis, the required compliance paperwork and the supply chain; we also work with you to map the flow against your business processes to understand the underlying requirement and the operational goal.
We deliver a comprehensive report quantifying transfer risks and giving detailed remediation recommendations.
Working from our audit report we implement the recommended recommendations in direct partnership with the relevant business unit and your privacy and infosec teams. The work ranges from contract review and the implementation of appropriate data protection clauses through to technical risk mitigation and process change.
Remediation is delivered on a risk-prioritised basis that combines rapid treatment with ongoing knowledge transfer.
Compliance is a continuous process. We embed within your organisation to provide an ongoing support service, helping identify and legitimise new transfers and address changes to existing processes. We establish and operate a routine review process to monitor both internal and supply chain compliance.
We work with your privacy and infosec functions to deliver integrated business support and timely governance reporting.
Throughout our work we are always looking for ways that data protection can be leveraged to improve business processes and simplify your compliance regime.
This can include reducing what is being transferred, aggregating data so that it is no longer identifiable, using privacy enhancing technologies or changing the location of selected processing. In all cases we work hand in hand with business units to ensure that the outcome benefits both the data subject and the bottom line.
We work globally as a specialised privacy consultancy in more than 50 markets. Our clients include some of the largest global firms in their sectors.
Data privacy is an increasingly important aspect of governance as both populations and governments focus their attention on a corporation’s responsibilities in a social context.
We have practical on-the-ground experience in most of the world’s privacy regimes and know where to look for the conflicts between them.
We bring global experience of data privacy and information security assessment and remediation from multiple sectors and perspectives, as well as a formidable array of certifications across a culturally diverse team.
Our approach is strategic, risk-driven, forward looking, positive and practical – our recommendations are not theoretical or academic interpretations, they are implementable plans.
.jpg?width=300&name=why-proven(2).jpg)
Continuously evolving tools including privacy benchmarking, comprehensive audit and discovery tools with risk-scoring and flow through to dashboard and recommendations.
We are not a law firm, but we employ lawyers. We’re not a cybersecurity business but our staff qualifications include CISSP and CISA. We’re not selling a one-size-fits-all tech product, but we’ve built proprietary tools and techniques that work with the class-leading GRC products to simplify and streamline the hardest tasks in assuring privacy.
We’re corporate members of the IAPP, and all our consultants are required to obtain one or more IAPP certifications. We’re ISO 27701 and 27001-certified and have a comprehensive set of policies and frameworks to help our clients achieve and maintain certification. Above all, our relentless focus is on practical operational delivery of effective data privacy for all your stakeholders.
We have included below several examples of recent projects to illustrate the ways in which we provide practical advice to support our clients.
China and Data Transfers
Client: Global luxury goods brand
Overview: Review of data transfers from China and advice on compliance with new legislation controlling transfers of personal data outside China.
Objective: Review the privacy and operational implications of the restrictions on transferring personal data out of China, implement appropriate privacy controls.
Solution: Securys worked with the customer experience and IT teams to understand the existing systems landscape and the data transfers involved in client relationship management and retail sales, which relied on centralised retail, e-commerce and CRM systems and integration to local communication and sales channels. Securys then advised on technology requirements for a localised platform and privacy control options which met the need to localise data, to continue to gain centralised insight from transactions and to offer Chinese customers travelling outside China the option of personalised service at any store worldwide. We continue to work with the teams to provide privacy-by-design support for the chosen solution.
We continue to work with the privacy office team to provide ongoing privacy advice.
Data transfers to the US
Client: Leading diversified global wealth management and investment banking company.
Overview: Review of data transfers from the UK and EU to the US alongside a through and detailed review of employee and customer privacy.
Objective: Following the Schrems II judgment which invalidated the EU-US Privacy Shield, there was a need to interrogate all transfers to the US. We treated these on a case-by-case basis to fully assess each transfer, considering specifically the mitigation of surveillance risk.
Solution: Securys undertook a thorough and detailed audit of employee and customer privacy across the UK and EMEA. Amongst our other activities, this involved interviewing key personnel and reviewing relevant documentation. This process allowed all transfers to the US to be identified and properly assessed. We provided a summary report that highlighted areas of best practice along with practicable implementable solutions for areas where improvement was required.
We continue to work with the privacy office team to provide ongoing support.
United Kingdom
Jamaica
India