Emerging from the fog: Creating a clear data transfer framework
With international litigation and regulatory investigations on the rise, cross-border data transfers have never been a more important — or challenging — topic. To figure out how best to transfer or access data between jurisdictions is to face the daunting potential conflict between U.S. e-discovery obligations and cross-border data restrictions in other countries. The regulations are quite broad but provide little practical guidance as to implementation. Missteps, however, can have serious ramifications, including potential criminal liability.
There are a number of approaches that companies can take to mitigate data protection risk. Some centralize all their data within so-called white-listed countries, and others opt to host and store everything in-country. Regardless of where a company stores its data, however, there will inevitably come a time when the company is forced to transfer data, including potentially personal data, across borders. With such great uncertainty and high stakes, it’s imperative to design and implement a proper governance approach to cross-border data transfers. Data minimization and transparency should underpin the program and matter close out should be seen as an opportunity rather than an oversight.
Designing a data transfer program and methodology
There’s no room for silos in an effective data transfer program. Setting up a global data governance strategy is inevitably a cooperative venture — as it should be. With the variety of different stakeholders that need to be present at the table, including IT personnel, data protection officers, data collection teams and actual on-the-ground, execution folks, there are bound to be competing priorities and negotiations. These are to be expected and welcomed. While an internal advisory board may be appropriate to bring together the relevant stakeholders to design and implement the governance program, external parties may also offer advice and audit the process.
Unfortunately, there’s no silver bullet or one “right” answer. Nevertheless, informed consensus among stakeholders is key. Presenting a golden plan and expecting all to abide by it without having the opportunity to add their input is a strategy that’s only bound to breed resentment, inefficiency and inconsistent implementation.
The Sedona Conference® International Principles on Discovery, Disclosure & Data Protection provide an excellent guide regarding the relevant issues and potential safeguards. At the core of a robust data transfer protocol — and one of the principles — is defensibility of process by being able to demonstrate the safeguards implemented, regardless of team continuity.