Privacy Beyond Checkmarks: Navigating Cross-Border Data Transfers

Captions
Welcome, everyone, to the IAPP web conference "Privacy Beyond Checkmarks: How to Navigate Cross-Border Transfers," sponsored today by Securiti. My name is Jordan Hardy, programming and speaker specialist here at the IAPP, and I'll be your host for today's program. We'll be getting started with the presentation in just a minute, but before we do, a few program details. Participating in today's web conference will automatically provide IAPP-certified privacy professionals who are the named registrant with one CPE credit. I also want to let you know that a recording of this program will be available in your MyIAPP portal under My Purchases; if you just click on the title of the web conference, you'll see the recording of the video there, and then the slides as well, within about 48 hours. Please feel free to post any questions you have for the panelists in the Q&A area at the bottom of the screen, and we're hoping to get to a couple of those at the end of the program. Now on to our program. I'd like to introduce today's moderator, Rehan Jalil, CEO of Securiti.

Thank you so much, Jordan. I'm so excited to actually do this panel; it's such an important topic of the day. I'm going to share my screen while we go through this panel. I think we're truly living in this big bang era of data: there's a massive growth of data, and data is going into all kinds of clouds and SaaS services, and you really have to understand exactly where the data is going in different parts of the world. That's the growth of the data and its expansion across the globe. In addition, of course, we have more and more of this global workforce, remote work, and people across the globe who can access this data. And in addition, of course, we know there are growing regulatory frameworks across different parts of the planet, and an ever-evolving landscape of regulations on data sovereignty and cross-border laws that are coming out. This is a very dynamic environment where you actually have to understand not only where the data is, where the people can access it from, and what the laws are; the old days of just getting some kind of an assessment done on it and getting some checkmark are just not sufficient, because this is such a fast-moving environment. So in that kind of a landscape, there has to be not only a good understanding of the law but a good way to monitor the data: where it is sitting, where it is moving, and who's accessing it, and how do you do that at any given time and understand that you're actually being responsible with data sovereignty and cross-border laws. We've seen this recently even in the media, all kinds of very political topics that are revolving around it. I couldn't be more excited that we actually have a strong set of panelists who are here to tell us how they see it and how they are implementing in their own environments the controls that need to be put in place so that cross-border data laws are being honored.

So with that, I'll make the introductions. We have Jason Albert. Jason, raise your hand; you'll see probably the coolest panelist, I mean he's in some amazing place, and it'll be a lot of fun. Jason, thank you so much for joining. We have Andy from Herz; Andy is right there. We also have Joe from the IAPP, and Nicole from BakerHostetler, and also we have Sandeep from AWS. So thank you so very much for being on the panel. I think maybe we should start with actually understanding the law itself, because it's a topic that's evolving. Maybe the first question I'll ask the panelists is: what are some of the key regulatory requirements that organizations should keep in mind, some things that are more recent and more evolving? And I think maybe I'll pass it on to Joe to give us a view on the current regulatory landscape around this topic.

Thanks very much, Rehan, and it's great to be on this panel. In terms of the regulatory landscape, I'll start with Europe, and not just because I'm physically based in Europe, but because a lot of what we're seeing happen around the world has its origins in European data privacy law. Here in Europe, and in the EU specifically, there's essentially a de facto prohibition on transferring data internationally unless you put in place a regulatory compliance mechanism, or there is a lawful data transfer mechanism in place. Some of those mechanisms are very well known. Data adequacy is one that often hits the headlines for privacy professionals, in part because of EU-US negotiations; that is arguably the most straightforward mechanism. It's essentially a whitelisting of jurisdictions that meet the EU's data privacy test. There are other mechanisms; some are put in place contractually between a data exporter and a data importer, and there are various derogations and exemptions (consent is one example) that you can rely on for data transfers. So there are various modalities through which you can lawfully transfer data outside of Europe to a third-country jurisdiction. That model has essentially been proliferating around the world. The UK, as a consequence of Brexit, has a very similar regime; so too does Switzerland. But as you look beyond Europe, there are many other countries around the world that have very similar regulatory provisions: they start from the position of prohibiting data transfers unless or until there is a lawful mechanism in place. We have seen some movement towards the design and delivery of these mechanisms over the past few years. There are adequacy decisions between the EU and South Korea and between the EU and Japan; there is a draft adequacy decision between the EU and the US, and I know we'll talk about that later. But we have also seen some turbulence in this space and some disruption. Of the two EU-US adequacy decisions we've seen in place, both have fallen foul of the Court of Justice of the EU, which has struck them down and found them inadequate, and so therefore we are where we are today, which is where the EU and the US are negotiating in the final stages, in the eleventh hour, of trying to put in place a new mechanism. So that's the European approach; as I say, it's proliferated around the world. Importantly, other countries take quite different approaches. The United States does not have that starting position of restricting data transfers; there are various other rules around consumer protections, the FTC Act, and around trust and consumer rights. China has a similar but different approach: their contractual clauses are much more important, and they are much more complex as well. And we are seeing more regional, multilateral, and plurilateral approaches to bring this together. So that's kind of a 101 on the regulatory approach.

Joe, thank you so very much. Nicole, I'm sure you get a lot of questions based on your expertise; it'll be great to hear from you what the top-of-mind topics are that you get a lot of questions about.

Sure. So I think, picking up on where Joe just left off, we see the types of localization really falling into buckets: ones where you really need to keep data in country; ones where you can move data out of country but need to keep a copy in country; and then these others that fall under the EU model of having standards that you can meet in order to move the data, or permissions potentially that you need to seek, for instance the permission of a regulator. So those are the four buckets that you're dealing with. And then I think we deal with a lot of questions too around onward transfers. So, for instance, in the scope of Europe you could move your data from France to Canada, but then what happens when you move it from Canada to the US, or from Japan to the US? Just being able to track that data, to know that there's even EU data in data that you might potentially be getting from another country, is where a lot of times we're trying to answer questions and trying to get the right answers to be able to scope that. And then I think the other piece that we really run into with a lot of the laws is whether they're applicable or not, because the scope of territoriality and things like that can vary quite drastically across a number of them. Some of them are only applicable if you're processing in country or if you have an establishment in country; others are applicable if you have some sort of a link to the country, for instance you're offering goods or services or you're monitoring the individuals (the European approach there); some of them cover you if you've agreed to a contract that puts you within scope of the law; and then others are as broad as saying that you collected the data from a particular country, or that it's collected from people within that country, residents of the country, or even citizens of the country. And if you're collecting under a broad label of citizenship, does that then follow people all over the place? So it gets very complex to try to figure out what types of data you have in your flows and what laws they might be subject to. Parsing that out, I feel, is a lot of what we're trying to do right now to make sure that people are as compliant as possible when they're moving these types of data. I would also just mention that there are a lot of restrictions, for instance, around public sector data and private sector data, in particular around localization: health data, financial data, business records, and then I would also say telecoms, probably the four big areas where we see a lot of restrictions. And they don't always fall neatly within what we think of as your comprehensive privacy laws; a lot of them are under other types of laws that might come into play. So there's just a lot to keep track of, and I think that's probably the biggest question that a lot of companies that are trying to operate in more than one country are dealing with.

Well, talking about that: ADP is a global company, and data is everywhere. In addition to the regulatory framework, which we have to honor, I'm sure there are some of the company's internal policies, an internal desire for how they control the data and are more responsible, maybe going one step beyond just what regulation is asking for. It'll be great to hear from you, especially from the lens of ADP: what are the other things, beyond just the regulatory framework, that you would have to deal with, and how do you actually put that in place?

Well, that's a great question, Rehan, because, you know, we are operating in more than 140 countries, providing human capital management and payroll services to our clients, and so we need to be able to comply with laws, we need to enable our clients to meet their regulatory obligations, and even beyond that, clients entrust us with some of their most sensitive data: information about their employees, about who they have, what they're paying them, and how they manage them. And so they're going to want that information protected even in the absence of law. So what we've done at ADP is we built comprehensive privacy programs. We started actually with a foundation based on data transfers: we have our approved set of binding corporate rules. We actually have three sets. We have binding corporate rules as a data processor, to be able to receive European data from our clients and then transfer it to ADP offices, and then we have two sets as a controller: one for our business contact data and one for our own internal associates, or our employees. We've used those binding corporate rules as a basis to build comprehensive privacy programs, and then we tweaked those based on the regulatory environment. So we had our EU program, and then we have a US program that we've just done a revamp of in light of the new law, the California CPRA; we have programs in Latin America; we're doing work in Canada. All these programs are common in the sense that they all focus on the same sort of things: do we have a permissible purpose to process the data, how do we control access to the data, how do we enable clients to meet their individual rights request obligations, how do we purge data when it's no longer needed. And then they're tweaked for the particular requirements about notice and other things that you have to give employees. Beyond that, we obviously try to help our clients by providing them information: we issue them updates on regulations, we tell them you may want to think about this or that. Right now in China, with the new model contracts, we're reaching out to companies to say we need to think about getting these in place. So overall, what we've done is we've taken the regulatory framework around data transfers and our binding corporate rules, which are a detailed set of requirements that we have gotten approved by the EU regulators, and then used those to build a global privacy program to help meet those various requirements.

Jason, thank you so much. It seems like an environment certainly requiring a lot of understanding of the law, but also a lot of automation to understand the data and the movement and the access and all. We're glad that we have all major companies here that have a very strong global presence, so I'm sure they have a strong view. Sandeep, AWS is very global; what are your thoughts on that?

Yeah, so thanks for having me as part of the panel. We sort of have a very unique perspective, and my role specifically, working with global financial institutes, lends itself to these complex challenges that Jason is talking about and that others have started discussing. Customers, when they move to AWS, to a cloud provider, are seeking explicit guidance that's not there yet; it's all interpretation, it's all still being worked on. Our role, as compliance specialists or a compliance organization supporting customers, is: how do they think about a global workload that's sitting within their data centers, as an example, when they start to think about that in a cloud-based deployment? What are their obligations as a customer in terms of where the data needs to reside? Some of that is just introducing a lot of complexity, which, if we think about cloud deployment and we're starting to think about innovation and doing things more simply, matters if there are jurisdictional requirements that they have to meet for that global workload that has EU data, EU countries' data, and has US data, or has APAC-specific countries' data. We think of APAC as a region, but really it's 17, 18, 20 different countries that have specific laws on the books appropriate for their country. In each of those cases, if there is a localization requirement, or data cannot leave the boundary, our role is to really help the customers in navigating those requirements, because the last thing these institutes want is to be in the Wall Street Journal or to take a reputational risk as they're continuing their journey to cloud enablement. So our role is unique, and we really help customers see how they can continue to do these deployments and migrations in a compliant manner.

That's awesome. A quick message to the attendees: if you have any questions, please feel free to type them in the Q&A section. I think between this discussion, some of the panel may be able to answer the questions in real time, and we will definitely leave some room towards the end; and if we can't get to all the questions, we'll try to reach out and address those questions. So please, making this interactive is going to be a lot more fun.

Sorry, Rehan, just to jump in: I noticed that we got one question that might be useful to level-set on before we move on, and it's the question of what is considered a transfer of data, or what does a transfer mean, and does that include access, and is there a sort of common definition? I think that the definition varies somewhat. Clearly access is part of a transfer in accordance with what the EU standards are at this point, and I would say, to the extent that you're looking for a common definition that could be used globally, including access as part of transfer is probably the safest route to go, or the one that would probably hit the most. I don't know if anybody else wants to add to that.

Yeah, look, I would just totally agree with that. And the EDPB, the group of European data privacy regulators, issued some guidance earlier this month or late last month on exactly that question: what is a transfer? Specifically, they were looking at what is a transfer in the context of the GDPR having extraterritorial application. So there will be scenarios where one entity is covered by the GDPR in multiple countries outside of Europe, and in what circumstances is it necessary to put in place the data transfer mechanism even though you're already covered by the GDPR? There are various helpful use cases and case studies where the EDPB essentially says covered or not covered by the GDPR, and covered or not covered by the data transfer requirements.

Awesome. It's great to make it interactive; thanks, Nicole, thanks, Joe. So, for that reason, all the more reason for the panelists to provide value to you, the attendees, let's keep the questions flowing; we will pick those up, and some will just be answered in the side panel. So, okay, now we understand a bit: this is a complex regulatory landscape. Now, within an organization, and you're all part of some of the biggest organizations on the planet, how do you prepare yourself for these requirements? How do you scope the program, or understand even the data footprint, and what is the right course of action to take? How do you understand the access patterns that may be going on on this data? How do you put this plan together and put it into action? It'll be great to talk about it. Jason, I think you alluded to it, and especially with the kind of footprint that your organization has, it'd be great to hear from you how you put this program in place.

Yeah, so obviously what we do is we have privacy stewards that are embedded in each of our business units, and so they really understand their business: the client base, the product offerings. Then we try to understand where you are doing business, because some of our products are designed for use in some countries but people may put data from other countries in them; so what is the footprint there, and then what do you need to be in scope for in the program? And then for each program we have a set of requirements, like you have to have done training with people who might get data access requests in California, you have to have a process for responding to individual rights requests that come from clients. Then what we do is we make sure that the process is put in place, we make sure that it's documented, and that it then goes through a set of approvals that it meets the obligations of the program, and so meets the legal obligations. And then we go through every year and we do a compliance check-in, or test, or attestation process: all right, do you still have these in place, how do you feel you are in relation to these, are there any things we need to look at? So that, you know, compliance is not a one-time activity. So that's how we operationalize it from the privacy side. And then, of course, now we're working with our chief data office on some increased automation of data detection: all right, what data do we have, where is it, how does it flow, how do we see a person's data across different aspects? That will allow us to perhaps automate more of our response to IRRs and help us understand data flows better. And of course there are various tools that could be used for that, but obviously the tool that your company, Securiti, provides is one that really helps us. I think it's always going to be a combination of things: some automated discovery so you don't miss things, and then working with people who understand the business and making sure that the business drives compliance, as opposed to it being just from some external office.
Info
Channel: Securiti
Views: 30
Keywords: Cross-Border Data, Data Privacy, GDPR Compliance, Data Protection, Multi-Cloud Environments, Data Security, personal development, the 48 laws of power, law 25 re-create yourself
Id: DbQ_LwtTTek
Length: 21min 21sec (1281 seconds)
Published: Fri Jun 28 2024