International Data Transfers

Finding the balance

We provide a comprehensive service that ensures data subject rights are protected whilst keeping data flowing and risks minimised.

Data flows are global

Whether you have direct operations abroad, contract with third-party providers or merely use cloud services or internet advertising, almost all businesses transfer personal data internationally.

The laws and regulations governing these transfers are constantly changing. It's not just about the GDPR and flows between Europe and the US; more than 130 countries have data protection rules that apply to transfers.

You need to understand how data flows around your enterprise and within your supply chain. You need to work out which rules apply to you; most data protection regulation is extra-territorial, meaning that it applies to data belonging to residents of a country irrespective of where that data is processed or by whom. You have to show that you put data subjects' interests first and that you've taken the right steps to protect them.

At the same time you need to get on with doing business. Transfers of data between countries remain essential to efficient business operations, so you need a practical approach that doesn't stop you working.

Act now and talk to us today

Benefits of our service

  • Mitigate compliance risk
  • Manage reputational risk from a fine or enforcement action
  • Detailed and in-depth knowledge and understanding of different regulatory regimes globally
  • Knowledge from working with clients across 50+ countries globally
  • Practical advice tailored to the needs of your organisation

How you can meet the challenge

Effective legitimisation of international transfers includes technical measures like encryption or pseudonymisation; effective information security policies and procedures; practical steps such as minimisation or localisation of selected data; and of course effective oversight and control of your supply chain.

There is an ever-increasing volume of paperwork, from data processing agreements with specified clauses through transfer risk assessments and data protection impact assessments to selection and documentation of appropriate lawful bases for the transfer.

You need not only to understand, quantify and treat transfer risk, but also to be ready to demonstrate your compliance to regulators. Do you have the resources to do all of this and still keep on top of your other business and data protection duties?

As well as satisfying regulators, you also need to keep data subjects informed. In some cases you may need to obtain their consent. The information you provide must be compatible with their local law as well as your governing regulations, and must be presented in a form they can understand.

A long written privacy notice in legal English is no longer adequate. You should consider layered notices, use of video and infographics and contextual privacy information. All of this also takes time and needs specialist support.

Your business units need to understand their obligations - and your proposed risk treatments need to meet their business needs. Your risk function and your board must be kept up-to-date - and regulators will want to see that you have effective governance, including audit and routine review.

How we can help

Data flow mapping

We map all your data flows, identifying where data is transferred, which partners are involved, what business process is being served and what the risks really are.

Regulatory compliance

We review the mapped flows to ensure that the appropriate paperwork and supporting reasoning is in place across all of the data protection regimes that apply.

Safeguards


We check that you have the right safeguards in place and that they are being applied correctly. This includes comprehensive audit of your supply chain for security and compliance.

Simplification


Sometimes doing less is the best answer. We will help you find ways to reduce what is being transferred, or to transform identifiable data into aggregated or anonymised information without reducing business effectiveness.

Assistance and support

Whether you are responding to a regulator, a supply-chain partner, a customer or a data subject we will be there to support you, ensuring that each party receives the right information at the right time in the right format. 

Audit and assurance

Proper compliance requires continuous vigilance, both to ensure that the defined policies and procedures are being followed and to check that supply chain partners are meeting their obligations. Let us take the strain.

What do we offer?


1. Audit

Working in conjunction with your privacy office, we undertake a detailed review of your existing practices to identify and map your existing data transfers. For each transfer we review the lawful basis, the required compliance paperwork and the supply chain; we also work with you to map the flow against your business processes to understand the underlying requirement and the operational goal.

We deliver a comprehensive report quantifying transfer risks and giving detailed remediation recommendations.


2. Remediation

Working from our audit report we implement the recommendations in direct partnership with the relevant business unit and your privacy and infosec teams. The work ranges from contract review and the implementation of appropriate data protection clauses through to technical risk mitigation and process change.

Remediation is delivered on a risk-prioritised basis that combines rapid treatment with ongoing knowledge transfer.


3. Maintenance

Compliance is a continuous process. We embed within your organisation to provide an ongoing support service, helping identify and legitimise new transfers and address changes to existing processes. We establish and operate a routine review process to monitor both internal and supply chain compliance.

We work with your privacy and infosec functions to deliver integrated business support and timely governance reporting.

Added Value

Throughout our work we are always looking for ways that data protection can be leveraged to improve business processes and simplify your compliance regime.

This can include reducing what is being transferred, aggregating data so that it is no longer identifiable, using privacy enhancing technologies or changing the location of selected processing. In all cases we work hand in hand with business units to ensure that the outcome benefits both the data subject and the bottom line.

Why Securys?



We work globally as a specialised privacy consultancy in more than 50 markets. Our clients include some of the largest global firms in their sectors.



Data privacy is an increasingly important aspect of governance as both populations and governments focus their attention on a corporation’s responsibilities in a social context.



We have practical on-the-ground experience in most of the world’s privacy regimes and know where to look for the conflicts between them.



We bring global experience of data privacy and information security assessment and remediation from multiple sectors and perspectives, as well as a formidable array of certifications across a culturally diverse team.



Our approach is strategic, risk-driven, forward looking, positive and practical – our recommendations are not theoretical or academic interpretations, they are implementable plans.



Continuously evolving tools including privacy benchmarking, comprehensive audit and discovery tools with risk-scoring and flow through to dashboard and recommendations.

About Securys

A specialist data privacy consultancy with a difference

We are not a law firm, but we employ lawyers. We’re not a cybersecurity business but our staff qualifications include CISSP and CISA. We’re not selling a one-size-fits-all tech product, but we’ve built proprietary tools and techniques that work with the class-leading GRC products to simplify and streamline the hardest tasks in assuring privacy.

Certified and accredited

We’re corporate members of the IAPP, and all our consultants are required to obtain one or more IAPP certifications. We’re ISO 27701 and 27001-certified and have a comprehensive set of policies and frameworks to help our clients achieve and maintain certification. Above all, our relentless focus is on practical operational delivery of effective data privacy for all your stakeholders.

Case studies

We have included below several examples of recent projects to illustrate the ways in which we provide practical advice to support our clients.

China and Data Transfers

Client: Global luxury goods brand

Overview: Review of data transfers from China and advice on compliance with new legislation controlling transfers of personal data outside China.

Objective: Review the privacy and operational implications of the restrictions on transferring personal data out of China, implement appropriate privacy controls.

Solution: Securys worked with the customer experience and IT teams to understand the existing systems landscape and the data transfers involved in client relationship management and retail sales, which relied on centralised retail, e-commerce and CRM systems and integration to local communication and sales channels. Securys then advised on technology requirements for a localised platform and privacy control options which met the need to localise data, to continue to gain centralised insight from transactions and to offer Chinese customers travelling outside China the option of personalised service at any store worldwide. We continue to work with the teams to provide privacy-by-design support for the chosen solution.

We continue to work with the privacy office team to provide ongoing privacy advice.

Data transfers to the US


Client: Leading diversified global wealth management and investment banking company. 

Overview: Review of data transfers from the UK and EU to the US alongside a thorough and detailed review of employee and customer privacy.

Objective: Following the Schrems II judgment which invalidated the EU-US Privacy Shield, there was a need to interrogate all transfers to the US. We treated these on a case-by-case basis to fully assess each transfer, considering specifically the mitigation of surveillance risk. 

Solution: Securys undertook a thorough and detailed audit of employee and customer privacy across the UK and EMEA. Amongst our other activities, this involved interviewing key personnel and reviewing relevant documentation. This process allowed all transfers to the US to be identified and properly assessed. We provided a summary report that highlighted areas of best practice along with practicable implementable solutions for areas where improvement was required. 

We continue to work with the privacy office team to provide ongoing support. 

Act now and speak to us about international data transfers.

Start a conversation about how our international data transfer service can benefit your business. You can also find out more about how to become involved in our research.
