Ensure transfer risk assessment in data protection framework
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
September 19, 2022
Regardless of the global economic climate, in which companies exchange data on a massive scale, companies still need to ensure that they are doing the right thing when it comes to international transfers. It is very easy for most organisations to skip important steps when onboarding an international company. There are cases where companies engage processors in another country without assessing the privacy implications. This can amount to a breach of trust and a shirking of regulatory demands, and yet most stakeholders overlook the importance of this, whether out of naivety or pure ignorance. In this article, I highlight some steps organisations need to consider.
First, it is worth teasing out the meaning of transfer. A transfer entails any processing activity: access to the data, manipulation of the data, and any other activity surrounding that data.
Second, what is a Transfer Risk Assessment (TRA)? It enables organisations to make transfers to international organisations and to put appropriate safeguards in place during those transfers. The TRA is designed to assist companies when making complex transfers. For example, a company based in Belgium wants to employ the services of a third-party company in China to assist with hotel booking services for staff. This would mean that the Chinese company will have access to data sets of the company's European employees. Therefore, a TRA needs to be carried out to understand the implications of this transfer and the underlying risks that need to be mitigated.
There are some critical steps that organisations need to consider when carrying out a TRA. The first step is to assess the tool they would be using in the transfer. In our example above, the company will give the Chinese company access to staff data through the company's own portal. Since it is an internal tool, the company needs to consider what type of access it will give to the Chinese company and how it can, from a technical perspective, limit what the Chinese company can access. This technical understanding would eliminate any doubt as to what the vendor can actually access.
Due diligence also needs to be carried out on the vendor itself. Stakeholders can send the vendor in China a list of questions covering its IT security policies and procedures, the type of training its staff receive with regard to data management, and its working environment. This gives insight into how the company as a whole treats physical security.
Another critical area is to ensure that the company understands the risk of harm to data subjects. Is it high, medium, or low? More importantly, picture the worst-case scenario if anything happens to the data that has been transferred to the third-party company. The organisation must understand the category of data it will be sharing, understand the material risks, and mitigate those risks before embarking on any set of transfers. In addition, there are certain privacy implications that might be too heavy a burden, both financially and reputationally, for the company if the TRA is done inappropriately. Companies would do well to seek advice, internally or externally, before making international transfers.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com