Issue 12 - The Culture Club

Navigating Data Privacy Rules Across Borders

Background

When the General Data Protection Regulation (GDPR) first came into force in May 2018, it sent shockwaves across the web that is our digitally connected, globalised economy.

It’s not that GDPR came as a surprise. In fact, it had been in the works for some time and was adopted by the EU in 2016, giving organisations a whole two years to prepare.

But it’s not often the ripple effects of new regulations in one part of the world have such far-reaching implications for business operations in so many other parts of the world – where failure to comply comes with hefty penalties and fines of up to €20 million or 4% of global revenue (whichever is greater).

As of May 2021, EY Global reported over 500 actions had been taken against non-compliant companies and over €260 million in fines had been levied.

In the wake of the trail blazed by GDPR, many countries, states and regions around the world have implemented or updated their own data privacy and protection laws. More than just ‘the right thing to do’, it was either that or lose out on business from some of the world’s most affluent economies if they didn’t offer a legal framework providing a similar level of protection.

The protection offered by GDPR travels with the data, regardless of where the data lands. That means there needs to be a way to enforce the rules as data is transferred across borders. In practice, there are now hundreds of localised versions of GDPR to contend with for companies that do business globally, making for a complicated legal landscape to navigate.

So what does this mean for global bid teams and your cloud-based productivity and proposal software?

In the era of remote working, it feels like the world has become somewhat smaller. We’re all more connected now than ever before, just a chat message or video call away.

What you might not realise is that you’re probably entrusting personal information to cloud-based software providers when you’re collaborating on proposals across borders – even if the extent of that information is just a name, email address, phone number, and a place of work. All this information together would be considered personal data because it’s enough to identify an individual person.

With the cloud, it is often unclear where this personal data is being transferred to and how it is being stored. It could sit on any number of servers in different parts of the world, and it may be subject to GDPR and/or other jurisdiction-specific data protection laws.

How can technology help with compliance?

All this would be a lot simpler if only there were a way to keep protected data from being transferred across borders in the first place. Achieving that with current technology would probably break the internet as we know it.

However, Microsoft and other vendors are creating solutions that allow global organisations to store data at rest within the geographic locations where they must meet data residency requirements. You can read more on the Microsoft 365 Multi-Geo solution here.

Microsoft has furthermore pledged to create an EU data boundary for the Microsoft Cloud, where EU data only gets processed and stored in the EU – partly to help their EU clients operate more easily in compliance with all applicable laws and regulations.

Other vendors such as InCountry anonymise regulated data stored and processed in the cloud. This offers multinational companies a way to store regulated data in a separate database within the borders of the countries where they need to meet data sovereignty requirements.

Although you might not be employing Cloud Service Providers (CSPs) directly, many of the SaaS (Software as a Service) apps you use today are hosted on third-party CSP infrastructure (e.g. Microsoft Azure, Amazon Web Services (AWS) or Google Cloud Platform (GCP)).

Amazon now provides an AI service called Amazon Macie that uses machine learning and pattern matching to discover and protect sensitive data in AWS. Google on the other hand allows their GCP customers to manage their own encryption keys, preventing Google from decrypting and reading their data for any reason.

Conclusion

The technology space around compliance is continuously evolving, as cloud providers and software vendors are incentivised to make it easy for you and for them to stay on the right side of the law. It’s important to note that simply buying software does not make you compliant, nor is compliance a one-off activity. It’s a joint responsibility and commitment between your organisation and your chosen software vendor.

It’s worth asking the tough data protection questions early on if you’re thinking of going to market to select a new proposal software vendor. This way you don’t waste time with vendors who might not be equipped to cater for your organisation’s specific circumstances. It’s not ‘one size fits all’.

Chances are that vendor compliance management is already standard practice for your procurement process, which probably includes a questionnaire or a review from your IT Security / Data Protection team to vet new vendors. If not, then it most definitely should be!
