Thoughts on international transfers
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
August 25, 2020
There are many questions raised about the international transfers of data. Stakeholders ask two main questions.
How can a company ensure that the recipient of this data is compliant with data protection laws and, more specifically, how does one ensure that the supplier or vendor will follow the stipulated data protection framework of the data controller?
The Nigerian Data Protection Regulation (NDPR) answers these questions. However, stakeholders in data controlling and data processing companies are still confused. As such, this article highlights the best approaches to cross-border transfers.
According to the data protection regulation, there are three things that a company must pay attention to when considering an international transfer.
The first one borders on a critical aspect. The company should be asking whether the country to which it is sending data has safeguard measures and the technical ability to manage data, i.e. encryption, security policies, etc. Technical ability is much more than reading privacy policies. It also means that you, as the sending party, prepare some questions and ask the stakeholders at the recipient the right questions. These questions can help you gauge whether or not you should transfer data.
You should be wary of the existing political terrain in the country where you are sending the data. If, for example, there is no attention to the rights and freedoms of individuals in that particular country, then there will be existing risks in sending data to that country. It is only to be expected that the country would not treat the data of your customers well. Paying attention to the political and economic factors plays an important role before a transfer is triggered.
After the company has covered the economic and political factors, you want to understand whether the data subject has given you the right to share data with the international company and, more importantly, whether you have ensured that the transfer is for you to carry out contractual obligations or the performance of a service. The onus, therefore, is on you to ensure that you have clearly stated in your customer-facing privacy policy how data will be shared and who will have access to their data. This principle guarantees transparency and lets the customer understand that you pay attention to organisational and technical measures when it comes to taking care of their data. You will be remiss if you don’t take these things into consideration, as they will expose you to a potential data breach.
Internally, you need to ensure that your staff understand the principles of sharing data on the international scale. They must understand the implications of sharing data, the responsibilities required in sharing this data and how to manage the data. Training, as I have said in other articles, plays an important part in data protection schemes and should be consistent. With the aspect of international data transfers, it is only important that the company has the right person.
When transferring data, the company must consider the security protocols of the transfer. It is a known fact that during transfer, hackers prowl sockets and data can fall into the hands of unscrupulous elements. Therefore, the company should take its transfer methodologies into consideration and ask the right questions about whether or not it is using the right transfer mechanisms. Because data transferred over the internet operates in layer sockets, it is safe to say that the chief privacy officer or chief privacy officers have to carry out their due diligence to ensure that the existing socket has the right security details.
These are not exhaustive methods, and depending on the service delivered, there are different approaches to international transfer. Companies must understand the implications of transferring data to service providers outside Nigeria and how to do it properly. To avoid exposure to breaches, companies should test their international transfer systems, find the risks and mitigate them immediately.