Why Time Is Finally Up For Professional Firms Ignoring Data Transfer Compliance
On Monday the 22nd of May, news broke of the record-breaking €1.2 billion fine over EU-US data transfers on the Facebook platform, the biggest such penalty ever imposed by the bloc.
The ruling found that Meta (Facebook), whose EU headquarters is in Dublin, had broken the rules requiring that transfers of personal data from the EU to the US be covered by appropriate safeguards. The changes Meta Ireland introduced in response to a 2020 ruling by the European Court of Justice "did not address the risks to the fundamental rights and freedoms" of data subjects, even though the transfers largely took place on the basis of standard contractual clauses endorsed by the European Commission. In other words, having the approved contractual paperwork in place was not, on its own, enough.
“One of the purposes of the (size of) the figure is to serve as a warning to other companies about how they handle international data transfers”
Mark Deem, partner at law firm Wiggin
While technology firms like Amazon and Meta have been the focus of large European fines so far, it is inevitable that other industries will come under the same scrutiny.
The European Commission and each member state's data protection authority will be looking at firms that hold a lot of personal data about their clients and operate on a multi-jurisdictional basis. Inevitably this means that large professional services firms will begin to face scrutiny.
The risk is less likely to be how firms manage their own data
Most large firms have already undertaken a rigorous review of where their own data is stored to ensure compliance with GDPR. Since this ruling, many firms' data and security teams will be revisiting their data storage and transfer policies, and it is likely that third-party access to their data will turn out to be the biggest risk.
For many firms the biggest risk is how third parties might be transferring their client data, often without the firm's knowledge.
As client databases have grown in importance to firms' marketing and management teams, so too have the requirements to manage the quality of, and enrich, the data held about clients. A whole industry has sprung up to solve data quality issues. Broadly these data quality solutions fall into three categories:
Outsourced data stewardship – third-party individuals checking, fixing and adding to the data
Outsourced data enrichment – third parties appending data to a client's database
On-site data cleaning and enrichment (automated or in person)
The first two categories (outsourced data stewardship and outsourced data enrichment) typically involve third parties either accessing the firm's databases directly or being sent extracts of the data to carry out their cleaning or enrichment service. Often the staff undertaking data quality work are based in a different (cheaper) jurisdiction. Data transfer between countries, and in particular between the EU and the US, could well happen without the client firm even being aware of it.
In the light of the EU judgment, if data quality or enrichment services are being used by your firm, it would be very prudent to check whether you are inadvertently putting yourself at risk of a data compliance breach. At a minimum that means establishing, for each such supplier, where its staff and systems that handle your client data are located and what transfer safeguards, if any, cover that processing; as the Meta decision shows, a signed set of standard contractual clauses does not by itself settle the question.
Clearly, if a consultant is based in your firm's office, or automated cleaning software runs entirely on your firm's own infrastructure, the risk of data unknowingly flowing between jurisdictions is largely removed. The caveat for the software case is to confirm that the tool genuinely processes the data locally rather than sending it to a vendor-hosted service for matching or enrichment, since that would reintroduce exactly the transfer the on-site arrangement was meant to avoid.