Posted by ashleymartin on July 19, 2024 at 2:22 pm
I wanted to give credit to @maria-necita-geronimo for this question! We invite you to share your thoughts below!
Again, here is the question: Recent changes in privacy laws in Europe and expanding globally to include the US are mandating that any service personnel with access to personal information (e.g. Health, Insurance, Financial, etc.) must be located in-country regardless of where and how the data is stored. For GBS organizations that leverage off-shore operations this appears to be a serious compliance issue for the near future. Are there solutions we can draw from across the GBS community on how companies are managing this?
- This discussion was modified 5 months ago by ashleymartin.
Maria Necita Geronimo replied 5 months ago 5 Members · 4 Replies
4 Replies
18 Gems
I will sometimes start by seeing what our ‘friend’ ChatGPT has to say about topics like this. I found the reply below interesting in relation to this question/challenge. Perhaps there is something in here to ‘double-click’ on.
1. Data Anonymization and Pseudonymization
- Anonymization: Transform personal data in such a way that individuals cannot be identified, even indirectly. Fully anonymized data is often not subject to data protection regulations.
- Pseudonymization: Replace identifiable information with pseudonyms, which can allow data to be processed outside the country as long as the key to re-identify individuals is kept separately and securely within the country.
2. Binding Corporate Rules (BCRs)
- BCRs: Develop and implement Binding Corporate Rules approved by the relevant data protection authorities. BCRs allow multinational companies to transfer personal data within the organization across borders in compliance with data protection regulations.
3. Standard Contractual Clauses (SCCs)
- SCCs: Use Standard Contractual Clauses approved by data protection authorities to legally transfer personal data to other countries. These clauses ensure that data protection measures are maintained.
4. Data Processing Agreements (DPAs)
- DPAs: Enter into Data Processing Agreements with third parties that stipulate compliance with local data protection laws, even if the data is processed outside the country.
5. Data Localization Exemptions
- Exemptions: Investigate whether specific exemptions or derogations apply to your industry or data processing activities. Some regulations provide exceptions for certain types of data transfers.
6. Explicit Consent
- User Consent: Obtain explicit consent from individuals for their data to be processed outside the country. Ensure that the consent is informed and documented.
7. Privacy Shield or Equivalent Frameworks
- Frameworks: Utilize international frameworks like the EU-U.S. Privacy Shield (or its successors) that facilitate the legal transfer of personal data between countries.
8. Technological Measures
- Encryption: Use strong encryption to protect data during transit and storage. If the data is encrypted, and the decryption keys are held within the local country, it may comply with data protection requirements.
- Remote Access: Allow remote access to data stored in the local country without physically transferring the data. Ensure that access controls and monitoring are robust.
9. Hybrid Cloud Solutions
- Hybrid Cloud: Use a hybrid cloud solution where sensitive personal data is stored in local data centers, and less sensitive data or anonymized data is processed in the cloud.
10. Data Minimization
- Minimization: Only transfer the minimum necessary amount of data required for processing. If possible, strip out any personal identifiers before transferring data out of the country.
11. Local Representatives
- Local Representation: Appoint local representatives or subsidiaries to handle data management and compliance. This can provide a legal basis for processing data outside the country while maintaining a local presence.
12. Regulatory Sandboxes
- Regulatory Sandboxes: Participate in regulatory sandbox programs offered by data protection authorities. These programs allow for the testing of innovative data processing solutions under regulatory supervision.
13. Third-Country Adequacy Decisions
- Adequacy Decisions: Check if the country where data will be processed has been deemed to have adequate data protection laws by the local data protection authority, allowing for easier data transfers.
By leveraging these strategies, companies can legally manage the requirement of having resources handling personal data to be located in the local country while still achieving operational flexibility. It is important to consult with legal experts to ensure compliance with specific local data protection laws and regulations.
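Items 1, 8 and 10 in the list above describe pseudonymizing records with the re-identification key held in-country and minimizing what is sent offshore. The following is an added example, not part of the post above or of any product, sketching that split in Python; the sample record, the `InCountryPseudonymizer` class and `build_offshore_record` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample record as an in-country system might hold it (hypothetical fields).
CUSTOMER_RECORD = {
    "national_id": "AB123456",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "claim_amount": 1250.00,
    "claim_status": "open",
}

# Fields the offshore team needs for its task; everything else is dropped (data minimization).
OFFSHORE_FIELDS = {"claim_amount", "claim_status"}
# Direct identifiers that must never leave the country in clear form.
DIRECT_IDENTIFIERS = {"national_id", "name", "email"}


class InCountryPseudonymizer:
    """Holds the re-identification key and lookup table; this component runs only in-country."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonym_for(self, identifier: str) -> str:
        # Keyed HMAC: without the key, a pseudonym cannot be linked back to the identifier,
        # yet the same identifier always maps to the same pseudonym for consistent processing.
        p = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:32]
        self._lookup[p] = identifier
        return p

    def reidentify(self, pseudonym: str) -> str:
        # Re-identification is only possible where the key and lookup table live: in-country.
        return self._lookup[pseudonym]


def build_offshore_record(record: dict, pz: InCountryPseudonymizer) -> dict:
    """Return the minimized, pseudonymized view that may be handed to offshore processing."""
    out = {k: v for k, v in record.items() if k in OFFSHORE_FIELDS}
    out["subject_ref"] = pz.pseudonym_for(record["national_id"])
    if DIRECT_IDENTIFIERS & out.keys():
        raise ValueError("direct identifier leaked into offshore record")
    return out
```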
14 Gems
Very good point GiGi. We have seen similar positions by different countries in the past, but this one seems to be more pervasive and deeper. One collateral question that comes to mind is how many of these positions there may be (as a percentage of a typical/medium GBS scope).
It is definitely worth, and important, following the evolution here. Inevitably it will impact some industries more than others.
Thanks and my best, Filippo
116 Gems
There has indeed been some EU legislation following the GDPR suggesting that shared services workers who deal with the PII of EU citizens should be based in the EU. However, there is still a lot of confusion around this e.g. US companies have typically filed lawsuits around such stuff in the past for exceptions. Also certain countries – including the US have possible exceptions by self certifying under a “Data Privacy Framework” provision. Net – this is probably complex enough that it needs formal legal support.
2 Gems
Thanks for the information and insights shared, Kip, Filippo and Tony. These are valuable and I can take this up for discussion internally. It would be interesting to see if any of our GBS practitioners have actually implemented any of the suggestions generated by our ChatGPT friend, @Kip . 🙂