Redefining CyberSecurity

The Alphabet Soup of Privacy and Data Protection Across Borders: Employing Justification, Documentation, and Transparency in Global Privacy | A Conversation with Elena Elkina | Redefining CyberSecurity with Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin and guest Elena Elkina, a privacy and data protection executive, dive deep into the nuanced world of data privacy regulations with a focus on the CNIL's impact and the complexities of Transfer Impact Assessments (TIA). Unpack the intricacies of global data protection laws, operational challenges, and the evolving landscape of privacy practices that can significantly influence your business's compliance strategies.

Episode Notes

Guest: Elena Elkina, Partner / Privacy & Data Protection Management Executive, Aleada Consulting [@AleadaPrivacy]

On LinkedIn | https://www.linkedin.com/in/elenaelkina/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, hosted by Sean Martin, the spotlight is on the complex world of data privacy, specifically focusing on the French data protection authority, CNIL, and its broader implications on global privacy and data protection practices. Joining the conversation is Elena Elkina, a seasoned privacy and data protection executive. With nearly two decades of experience in the field, Elkina shares her expertise on the evolving landscape of privacy laws and the challenges businesses face in operationalizing these regulations.

The discussion opens up with an exploration of various privacy frameworks, including GDPR, CNIL, TIA, EDPB, and ICO, unraveling the interconnected yet distinct nature of these acronyms in the realm of data protection. Elena Elkina delves into the intricacies of the CNIL and its recent draft guidance on Transfer Impact Assessments (TIA), emphasizing its practical approach and the operational guidance it offers to companies dealing with data protection across different jurisdictions.

A significant part of the conversation is dedicated to understanding the legal and operational challenges associated with TIA, including the legal analysis required for transfers to third countries, the importance of documenting and periodic reevaluation, and the role of both data importers and exporters in ensuring compliance. Elkina highlights the collaboration required between these parties and the importance of comprehensive documentation to demonstrate compliance efforts.

Additionally, the dialogue touches upon broader themes, such as the differences between privacy approaches in the United States and the European Union, the impact of new privacy laws and regulatory guidance, and the importance of organizational data hygiene.

Throughout the episode, both Martin and Elkina underscore the importance of justification, documentation, and transparency in navigating the complex landscape of international data transfers. The conversation serves as a crucial guide for businesses looking to align their data protection practices with regulatory requirements and industry best practices, providing valuable insights into the ongoing evolution of privacy and data protection obligations.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Inspiring Post: https://www.linkedin.com/posts/elenaelkina_cnil-transferimpactassessment-activity-7151733484561010689-qda5/

CNIL (Commission Nationale de l’Informatique et des Libertés) = French Data Protection Authority | https://www.cnil.fr/en

TIA = Transfer Impact Assessments

EDPB = European Data Protection Board: EDPB | https://edpb.europa.eu/edpb_en

ICO = Information Commissioner's Office (ICO) for International data transfers | https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/

PIA = Privacy Impact Assessment

ROPA = Records of Processing Activities

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of the Redefining CyberSecurity Podcast. I am Sean Martin, your host, where I get to talk about all things security. Sometimes privacy, they're, uh, disconnected, but interrelated many, in many, many ways. And I'm going to start off with GDPR, CNIL, TIA, EDPB, ICO, PIA.

I don't know, are there others? EEA, EU, if you want to just throw a couple more acronyms in there, uh, go, go do something to your security and privacy programs. Now that you've chewed on that acronym soup, uh, I don't, didn't know until I was preparing for this, uh, for this chat with our good friend, Elena Elkina.

Elena, thanks for joining.

Elena Elkina: Of course. Thank you for having me. It's always great to be with you guys.

Sean Martin: Absolutely. I had no idea what most of those were. I knew what the EU was. I certainly knew what [00:01:00] GDPR was from years of talking about it, but I'm not deep in privacy. Maybe some of the privacy folks know what some of those things are.

Hopefully they do. I suspect many struggle with how they connect to each other, where they complement each other, compete with each other, fit into programs, and I wanted to explore this a little bit. So there, Elena and her team, I posted something about, uh, CNIL, which is the French data protection authority.

I'm not going to try to pronounce, uh, in French, the commission national, the, uh, informatique, uh, the liberties, but, uh, basically data protection, uh, from, from a French perspective that apparently clearly EU impacts companies doing business in the EU and specifically with France and, and touches on data protection.

That's about the [00:02:00] gist of it. Uh, but there's a lot in there. So, so we're going to get into what that means, hopefully, as far as we can in the time we have allotted. Um, we'll probably answer some questions, raise many more. Um, but we're going to get into it anyway. So, Elena, if you could, please, I know you've been on the show.

It's been a, been a few months now since you've been on, but, uh, uh, folks that have not met you yet, maybe a few words about what you're up to and, and why this is such a hot topic at the moment.

Elena Elkina: Yes. No, thank you. Thank you. Um, well, thank you for having me again. Uh, it's nice. Nice to see you. My name is Elena Elkina.

I am a privacy and data protection executive. I've been in privacy for a long time. I think it's getting close to 20 years. I'm currently a partner and co-founder of Aleada, a privacy and data protection national consulting firm located in Silicon Valley, working with clients around the globe on privacy, data [00:03:00] protection, some operational information security issues, and also co-founder of Women in Security and Privacy, a nonprofit organization.

And this is where Sean and his team have been working together for many, many years. I think almost like 10 years. Right, Sean? So it's been great. It's been great to be back. And I'm excited to talk about, uh, CNIL and transfer impact assessment guidance that they released in January. It's still in the draft format and how it compares to ICO and EDPB guidance.

But before that, I want to highlight that we picked a great day for this, um, uh, this topic because today, um, our president, uh, will sign an executive order to protect American sensitive personal information from countries of concern. So I haven't read the order yet, um, only reviewed like the fact sheet, but the order will target personal information, sensitive personal information, certain identifiers, and, uh, it will cover [00:04:00] responsibility in certain actions that, uh, different United States, um, authorities like

Veterans Affairs, Department of Justice, Homeland Security will need to take to protect data of American citizens. So, um, we are progressing, even though the topic is EU. Um, I, I'm happy to see that the United States is progressing and taking, um, action continuously, um, on, on our side to protect, um, our data.

Sean Martin: And, um, is it fair to, fair to say, Elena, that, uh, you took the top down with GDPR and now the example we're going to talk about today with CNIL is kind of a specific country-based regulation or guidance, whereas the U.S. we see CCPA in California and other privacy and now this new executive order at the national level.

So kind of the opposite.

Elena Elkina: Well, I guess so. It's uh, I [00:05:00] think it's a, it's a, it's a good summary. Um, United States is very, it has a different approach to privacy. It's more industry based. And now we have different states covering privacy laws and European Union. Um, it's a federal kind of like, well, not federal, I guess it's, it's a law covering different, um, like European, uh, EEA and, um, European Economic Area and also different countries in EEA can, uh, implement their own, um, local regulations and guidance that add another wrinkle or layer to GDPR.

Um, it doesn't necessarily mean the rules are different, but they can add some complexity or differences to how it needs to be operationalized and every country has a different approach. Some of it, we know that Germany, Spain and France always, um, Ireland tend to be more business-focused. Um, and there are other countries, but, um, I think [00:06:00] over the time, uh, since GDPR came into effect and even before that, we've seen that, um, each country was more proactive.

I mean, every country is different. Some of them less proactive, some are more proactive, and enforcement has been, um, changing the culture of, uh, different regulators in the EU. Um, and, uh, French always been, um, kind of unique in, um, and, uh, I'm, I'm, I'm glad to see that they're releasing more guidance because especially from American perspective, uh, culturally, uh,

it's hard sometimes for us to understand the regulatory minds of, um, EU authorities. Um, and, uh, the guidance, um, helps us think and read between the lines. And CNIL, I think, did a good job, um, in its draft guidance for transfer impact assessment and how to conduct them to cover certain things that regulators are concerned about and what they're looking for and, and also providing operational [00:07:00] guidance to companies.

Um, I come in from the operational perspective. I'm a lawyer, but I don't practice law. I quit 20 years ago, something, something like that. And the challenges that many companies have with sometimes operationalizing the laws and regulations, and also even legal guidance that they receive from the in-house attorneys or outside counsel.

Um, and, um, the more guidance the regulators around the globe release, the more helpful it is to operationalize what the law and regulations require. That was a long, convoluted answer.

Sean Martin: No, it's fantastic. And, uh, hopefully people are following along to what we're talking about here. I want to, I mentioned to get down into the nitty gritty, but I want to first maybe describe a scenario.

This covers or this, this addresses data [00:08:00] protection transfer impact analysis. My, my understanding is data that's moving from one place to another, and that has to be evaluated for something. So what, what are the, one place to the others, what are those scenarios and, and what, what's being assessed, I guess, maybe, got it.

Elena Elkina: Yeah, well, um, we need to break it down. So let me just start. Um, and for experts, um, listening to this, um, if, if I got, if I go like to basics, just bear with us. I think I want to make sure to give advantage to people who are just about to get into the world of transfer impact assessments. Um, so, assessment or TIA, it's a, it's an assessment that needs to be, um, undertaken by either controller or processor acting as a data exporter.

Um, and they, it needs to happen [00:09:00] before you transfer data from one country, um, in the European, um, Economic Area to another third country, um, outside of EEA. And this is the assessment that you need to do and you need to document it in writing before you conduct the transfer. And, uh, the transfer is pretty broadly defined.

It's not just the physical transfer of data. Simply accessing data, let's say you have a help desk call and, um, you know, that is a data transfer already, even though the data has moved the, um, the property, um, and stays where it was. There is no physical data transfer, but just because the data was viewed or accessed,

it constitutes a transfer. So, um, and uh, there are certain rules that kind of like cover TIA, when they should be conducted. Um, you know, it's kind of like thinking about, I always think about TIA and [00:10:00] DPIA. Um, DPIA, it's a data protection impact assessment, now in U.S. like PIA, privacy impact assessment. So there's kind of like a threshold assessment.

Um, you do it to figure out whether you need to dive deeper into the full assessment. And then there is a full assessment that you need to conduct when you determine, yes, I do need to conduct it. And, um, I would love us to go through the process that specifically applies to transfer impact assessment from the beginning of it.

Um, thinking about, well, I have a data transfer, I think, and I need to know, do I need to conduct the TIA? And there are multiple steps, um, that you need to take. And some of them are similar. Some of them are actually, they're all similar for you, but CNIL and EDPB, uh, European regulators have different, slightly different guidance on how it needs to be done.

And I would say the difference is CNIL is more specific and high level, uh, more [00:11:00] specific and, uh, provided specific operational steps and examples and a template that I think is very helpful for businesses to review, until maybe we can include the link, um, in, in the podcast so people can view it with some helpful resources to, um, UK authorities and your EDPB.

Also, guidance so the organizations can compare and see what, uh, what is applicable. But um, I'm

Sean Martin: going to pause there because the EDPB is the European Data Protection Board, which I'll include a link to that. And then the UK one, I believe is the ICO, Internet Information Commissioner's Office. Uh, I'll include a link to that as well, so people have that.

So I just want to get those acronyms out, out of the way so people know what they are as, as they're hearing what you're saying.

Elena Elkina: Yeah. Yes, that's definitely, there are so many different, uh, abbreviations and, uh, various [00:12:00] terminologies. So I'm sorry if I, um, I, I get, uh, to the abbreviations without explaining what it is, but basically when you, when it comes to transfer impact assessments, and if you're transferring data outside of EEA, um, there are a couple of resources that you can look at.

EDPB is the European guidance that was issued in 2021. It's pretty lengthy. Um, I think it's about 50 pages. Um, it has instructions. It has analysis, explanation why certain things are important. Um, they don't provide the specific structure or format for the TIA, for transfer impact assessment, and how to conduct it.

Although they do provide examples. But I got to tell you, when we work with clients on implementing this guidance from EDPB, it's very challenging. A lot of questions were around format and structure. How do I document my TIA process? How do I scope it? How do I, [00:13:00] um, just think through, um, do I need to have it for each activity, for each country?

So there are a lot of questions that EDPB guidance didn't address. Then, um, in 2000, kind of like let's put a pin in it. Um, in 2022, ICO, the UK regulators, again, UK is no longer EU, right? So they issued transfer risk assessment guidance for data transfers from UK to a third country. Um, although ICO does say that if, um, if you kind of comply with EDPB, European Union guidance on transfer impact assessments, you're good.

You don't need to conduct ICO transfer risk assessment, which is great. But, um, if you're only transferring data from UK to a third country outside of UK and outside of EEA, then, um, um, you can follow the ICO guidance [00:14:00] and their rules are not EU, but they are similar. I would say they are, the guidance is, um, high level, kind of hard to follow.

It's, uh, it's pretty lengthy document. I think a little bit less than EDPB, I think it's about 40 pages, but, um, it's, it's hard to follow, but I think it's very helpful to go through both, um, regulatory guidance documentations to, to understand the nature of the culture, what, uh, what regulators are looking for.

And of course, this January, CNIL, the French regulatory authority, issued in a draft, um, their TIA guidance, which is 18 pages only, short, high level, practical, um, and has a template, which I think is very helpful. And uh, um, and, and there are a couple of differences, um, not differences, I would say a couple of things I want to highlight, [00:15:00] uh, what CNIL did differently outside of creating a document that's much shorter and more practical in my professional opinion. Um, CNIL specified a few things that other regulators did not. For example, CNIL said that, um, in the case of onward transfer, let's say you're transferring data from France to a third country outside of European Union,

and then the data is transferred again. So CNIL specifically states in this case of an onward transfer, a separate TIA should be carried out. Um, so you don't only need to conduct TIA for that transfer when you're exporting data outside of France, let's say, but you also need to conduct TIA for any other onward transfer.

So that's something that hasn't been mentioned in EDPB and in, um, ICO guidance and everything. Um, that CNIL highlights, [00:16:00] it also hasn't been mentioned in other regulatory guidance in the EU, is that, um, even though the main responsibility is on importer or exporter of data, the importer needs to collaborate, and it's specifically even states that CNIL, um, finds that data importer's responsibilities are essential for the TIA to be carried out.

So even though it would be guidance on transfer impact assessment, um, uh, implies that collaboration is required between exporter and importer. And it doesn't matter who importer, exporter is, controller, processor, joint controller. The collaboration is, uh, important. And a few, very few other things, um, um, that CNIL addresses in its guidance.

Again, it hasn't been approved yet. The comments, the time for comments, I think, was done a few weeks ago, um, so we'll see what the [00:17:00] final document will look like, but I'm looking forward to it, um, because I find it very helpful. And so let me know if it might be helpful to walk through, um, kind of like, uh, the transfer impact assessment process, how CNIL describes it in this draft.

Um, especially for people who've never done it before, it might be helpful to, at the high level, think through the different steps. Some of them may be challenges or flags to, to think through when you're conducting it, and then we can maybe talk about challenges just in general.

Sean Martin: Yeah, both of those. I definitely will start with, uh, the process.

Um, I also, I don't know, maybe where we fit it in, but I also want to talk about who owns this. Is that clearly defined? I mean, I presume with the ICO and whatever that those people are [00:18:00] already thinking about it. So this isn't new in that sense, but this just provides additional guidance, right? So does it?

Does this change who's involved and who owns and who leads the process, or does it just impact how, or perhaps streamline and give more efficiency in how they do it?

Elena Elkina: Well, I don't think there is like a RACI model, but exporter owns a, well, exporter needs to conduct and document, um, the transfer impact assessment, and exporter can be controller, processor, joint controller, but again, CNIL specifically states that importer must assist, um, um, the, uh, exporter.

Even though exporter will own the process and documentation, um, and regulatory authority can request this documentation at any time, the importer needs to assist and be available, uh, for exporter to assist with a lot of information, because usually importer will have a lot, [00:19:00] significant amount of information for the transfer impact assessment.

Sean Martin: Got it. And for those who are familiar, I apologize for this, another question that's probably very simple, but I'm not in this world and I'm trying to help those who aren't as well understand when. So for me, I look at risk management or vulnerability management in security. We often talk about that being an ongoing process.

It's not just a one and you're done. Things change around. So I'm wondering how organizations look at this. Do they look at it from the data set perspective and they say, this is our data set and here are the things we're going to open up to export, or do they look at it from a business process perspective and say, this process

touches these data sets, and therefore we need to analyze this process and the data sets connected to it, or is it a combination? You understand what I'm saying? Where do [00:20:00] organizations kind of put their assessment feelers in first? Or is that a lame question? And I'm getting

Elena Elkina: I guess it's, um, well, I would start even kind of like the whole premise in, in kind of how I think about this.

And, and sorry if I'm stepping away from your questions, but I always think about it like it's a life cycle. So the data is, let's say in, let's just use France, right? The data is in European Union, country in France, and I am an exporter and I need to transfer data outside of EEA. Let's say to, um, United States.

So first, what I'm thinking about, like, okay, well, that's, well, that's data. I'm looking at data. Is it personal data? Um, and, and kind of like thinking about it, like what, what data is in scope? [00:21:00] And, uh, and personal data is broadly defined. It's not only directly identifiable. Um, it's also, um, but maybe potentially identifiable in the future.

So, um, I look at that. I define, okay, this is personal data. So, yes, I guess I need to start thinking about, is it kind of a transfer of personal data? And there is guidance, and I recommend looking at EDPB guidance that talks about what is a transfer, and there are different examples. I start thinking about, is it an actual transfer?

And then I start getting, and the transfer can be anything, right? So it can be transferring data for HR purposes. Uh, it can be transfer for IT support. It can be for business or commercial purpose, like marketing, advertising. So, and I don't want to dive deep into deeper purpose because for the purpose of TIA, even though [00:22:00] this is one of the challenges that many companies are struggling with, how to scope each transfer and divide them into different transfer impact assessments for documentation purposes.

Um, because it needs to be for each business purpose, right? So can I collect, combine all my HR purposes or like all IT or all businesses? And the answer is potentially, but maybe you need to separate HR data, let's say sensitive data, um, that is HR related that you're transferring outside of France, with like just regular HR data or de-identified data, uh, or business data, maybe, um, something for product development versus for marketing and advertisement, or what else?

Like, I don't know, I don't make any decision processing, um, versus like IT support, um, and help desk or customer service, right? So you have to think through all of this, but that's why [00:23:00] I'm just like start thinking about it. This is the data. It's personal. And is there a transfer? Think about looking at the EDPB guidance, what transfer is.

And, um, if that's a transfer, then let's think about like, what is my role? Am I controller? Am I a processor? Am I joint controller? Um, who am I transferring data to? What is their role? Other controller, other processor? Basically you're exporter, but the importer also, we need to understand the relationship, um, what their responsibility, what, um, what, what role they play.

They can be controller, joint controller, processor, start thinking about that. And, and CNIL's, um, TIA guidance has a template that you can look at all the sections and complete it even before you start thinking about the actual transfer and supplemental measures you need to think about and looking at the country [00:24:00] that you're exporting data to and when all other questions you need to answer. Just these are the basic questions: Is there a transfer of personal data?

Who are the actors being implicated by that? Is it just importer and exporter? Um, what are your roles? Maybe there is another transfer. Um, then you need to think about that because you need another TIA. Just kind of like high level schema before you start diving into this. And then, um, you're really gonna have to just start thinking about all details, um, of the TIA that is required by, uh, EDPB.

Um, of course, the transfer type, right? So, like, you, I think you asked some of the questions. Transfer type, you can think about, um, one of the things I like in CNIL data, um, TIA guidance. They have some sections actually, right now I'm looking at that. And, um, [00:25:00] one of the sections is transfer start date, transfer end date, transfer purpose

and processing activities. All of this you can get from your ROPA. ROPA is records of processing activity that is required under the GDPR. Um, in U.S., you might be familiar with that as data inventory. So a lot of information you can get from your data inventory, and it can help you if you have really robust data inventory records, ROPA records, you can, it can help you think about the scoping exercise, how to scope your transfer, what to include, what to not include, because

hopefully you've done those activities already because it's been required for a long time. When you start thinking about the transfer type, for example, if it's remote access or, um, it's maybe transmission of data or, um, maybe it's occasional transfer or ongoing, um, maybe [00:26:00] it's one-off transfer. So all those questions the TIA asks, and it's very helpful to think through it basically.

Kind of like know your data, right? Know your data, what you're transferring, for what reasons. Um, and then you have to start thinking about some of the questions that, um, um, might help you identify transfers, such as where is this data going? This is where it gets a little bit complicated. And this is another challenge that I, I've been seeing with companies in addition to how to document the TIA process, how to scope it, do, do, where do I save it, and we can talk about it a little bit later.

What are some of the best practices that I've seen? And I feel like practices that work for some organizations. Um, another challenge is to think about the destination of that data transfer, right? So if you think about this. This is very helpful. And again, if you go to [00:27:00] CNIL, the draft of TIA guidance, it's so helpful.

I think it's done an excellent job breaking it down. First, you need to think about if the country of destination, um, is, uh, part of the adequacy decision by the EU Commission. If yes, then you still need to verify the scope of this decision. But basically that's a good sign. So if you're, if, um, and I'll come back to it. If no, then you need the transfer. You cannot transfer data to that country based on adequacy decision.

If there is an adequacy decision, it's not just simple. Yes. Great. I don't need TIA. You still need to review the decision, make sure it's valid. Because, um, the adequacy decisions are usually periodically reviewed by EU Commission. And, um, so you want to make sure the date is valid. Um, some decisions can have not the whole country but, uh, [00:28:00] but maybe some parts of the country or maybe part of the data or part of the entities.

Like, for example, Canada, it only covers commercial, um, entities. Um, so you want to make sure that the adequacy decision, um, the scope of adequacy decision for that country where you're transferring data to covers your intended data transfer. So if it does cover, great, um, you don't need to have TIA completed.

If it doesn't cover, so the adequacy decision doesn't cover your data transfer, then you need to think about Article 49 of GDPR and these are derogations. And you probably know it's consent, contract, um, uh, for other reasons. I think there are, how many of them, like multiple reasons. So you need to see if one of those derogations is, uh, why you're transferring the data to another country.

Now, example, from France to the [00:29:00] United States, if it falls under one of the derogations, then there is no need to conduct TIA. If it doesn't, um, you need to, if no, you need to find another instrument for data transfer. And one more question kind of around this area before you really dive into TIA to decide whether you need to conduct TIA or not, is to see if your transfer, um, falls under standard contractual clauses or binding corporate rules.

Um, there's also a code of conduct, um, and other mechanisms. Basically, look at Article 46 of GDPR. Um, and this is another question you need to ask. I know it's, can be overwhelming, but just like one step at a time. Look at all those questions. Just make it clear whether you need to conduct TIA and document this or not.

But even if you don't need to conduct TIA, you need to answer those [00:30:00] questions and document them. So, because your conclusion after answering all those questions will be helpful to show the regulators if they request documentation or if something happens, like you have an authorized transfer, you have your documentation that you thought about this, you went through your thinking process, you documented your answers, and uh, and, and that's your evidence.

And in, in compliance, like, documentation is everything. It's like in real estate, location, right? So you need to document your process. And even if you don't need to do TIA, you still need to document your thinking process, how you analyzed your decision, your conclusion, whether you need to conduct TIA or not.

Um, And let me pause here. I know it's a lot of information and I tend to speak quickly, Sean, but let me know if, uh, that may be too overwhelming for the listener.  
 

Sean Martin: No, this is, this is [00:31:00] fantastic. And I'm, I'm, I believe I'm following along. Um, but again, this, and this might be another silly question, but the, so this is to determine whether or not you can or should transfer data. 
 

So to me, this says, this is before you're actually doing it. 
 

Elena Elkina: Yes. All of those steps are before your planned transfer. Right. I know many companies do it after the fact. Right.  
 

Sean Martin: So you, you've, you've let, you've licensed this cloud service to support some business function and it has the data and then, oh, let's now go look at the TIA. 
 

No, it's before you build, build the process. And before you select the tech and implement it all.  
 

Elena Elkina: Well, it's like, yes. So we'll hear, hear a couple of wrinkles. Uh, but two answers. Yes. Before [00:32:00] you transfer data, you need to conduct the transfer impact assessment with the caveat that things might change in the future. 
 

There might be some changes in that transfer. Maybe you have other countries who will have access to data. Let's say if you have access to like help support in India, and then you're opening another like in US and then you open another customer support center in India. So you need to change your TIA. 
 

Or maybe conduct a second one because it's going to be different jurisdictions. You need to analyze those jurisdictions if they have appropriate protection, which is step three in a transfer impact assessment, and I didn't get to that yet, but you need to do it before if there are material changes to the process, to the transfer, and material changes or changes. 
 

We need to analyze any changes before you determine if it's material. Um, it can be the type of data you're [00:33:00] transferring. It may be new data subjects. It may be new purpose of processing. It may be new exporter, importer, or changes in, um, in what capacity they operate, controller, processor, joint controller, all of it may change. 
 

So you need to not only do it before your transfer, but you need to periodically evaluate it, um, when there are changes, or even if there are no changes, just do it. And EDPB and ICO and CNIL, they all recommend periodically. We don't say when, how often periodically means, but I would assume at least once a year. 
 

I know, um, we, we work with many law firms and, um, they have templates, um, and, uh, information that organizations can use for transfer impact assessment, for example, analysis, legal analysis of each jurisdiction where you might export your data to, uh, import your data to. [00:34:00] Um, and, uh, they evaluate each country every six months, not once a year, every six months, just to see if anything changed, um, within your local laws and regulations that provide additional support to data subjects or vice versa, create more risk to data subjects. 
 

Um, also just things can, can change, right? Enforcement, uh, the, the war, economical situation. So, um, there is no clear guidance how often you should review your transfers, but, uh, you need to review it periodically and update it as needed.  
 

Sean Martin: Um, one, one thing that's sticking out to me, uh, I don't know if it matters or not, but I'm thinking partnerships, mergers and acquisitions. 
 

To me, those are events where perhaps an entity that wasn't part of an organization is now loosely [00:35:00] connected or directly connected or embedded in the organization and now has to abide by these, uh, these rules and follow the guidance where they may not have before. Um, any experience in that or any thoughts on, on that? 
 

Elena Elkina: Yes, well, definitely M&A. Uh, mergers and acquisitions, that's an area where privacy and security, it's part of the, um, M&A due diligence. And, uh, we were off, it's been a while, but we've been brought up to, uh, to review privacy, uh, for a few acquisitions and, um, and it's, um, it's a big component, where you have appropriate controls in place and controls can be operational, contractual, technical. 
 

It depends how you call them, but basically every regulation addresses different controls. And when you acquire a company or when you're [00:36:00] merging with someone, in addition to business, um, and finance, HR, um, of course security, privacy is another aspect where you review, you see where you had fines, where you had enforcement complaints, um, your privacy notices, internal, external policies, uh, all of that is being considered, uh, during the, uh, M&A transaction for sure. 
 

And, and transfer, transfers of data, where you store your data, how you delete it. Um, what is the due diligence process for third parties, how much control you have reviewing your contracts, whether you have backdoor clause or, um, audit clauses, all of these protections, they're all evaluated and considered. 
 

And it's, it's a big part of TIA also as supplemental measures, um, that you need to implement. First of all, you have to review what you currently have. And if you don't have enough, you need to [00:37:00] implement additional ones, and CNIL provides good examples of those supplemental measures, um, to, to implement. 
 

And a comment in the implementation piece. Um, again, before you transfer, um, that data. So it's, it's, uh, it's a journey. It's, it's not this sprint for sure.  
 

Sean Martin: We'll call it a journey. I want to touch on that now. Cause, uh, I'll say it's probably not smooth sailing unless somebody has done this a few times already. 
 

Right. So, and you touched on a couple of them already. Um, but what are some of the core difficulties or hurdles that many teams encounter, and are there best practices to overcome them?  
 

Elena Elkina: Yeah, well, kind of like continue with the floor. Another challenge, um, is, [00:38:00] um, in every TIA, there are like six steps. 
 

I think there are six. Um, so the next step after you identify that you need to conduct the formal TIA is to evaluate the laws and regulations and practices in the country of destination to see if it provides adequate protection according to GDPR. Um, and that is very complex. First of all, it makes, you know, you need to, it's a legal analysis. 
 

So first of all, you need to get that legal analysis, either your internal team of lawyers, or your external team can do that. Um, or you can purchase it from law firms. I know for Fisher has a tool and there are other firms. I'm sure Oregon and other firms have that as well. So you can purchase depending on how many countries you export data to. 
 

Um, so that's the analysis. General analysis of the landscape of privacy laws in the country. Uh, what, [00:39:00] um, how data is being monitored by, like, the government, basically surveillance. Um, and there are questions like if it's sectoral law or if there is a general federal regulation. Um, if there are any issues that the company, um, had with the regulatory authority. 
 

So there are certain things, but this is very complex analysis that needs to be completed on the broader country level and then on a company level in that specific country, any specific issues. And that's challenging. Um, so the, the tip is, uh, if you don't have anyone who can conduct it internally, just purchase it from a law firm and make sure you update it periodically, if not every six months, at least once a year. It might, uh, it's worth the money because you have it documented, and if a regulator requests it, you have it from a [00:40:00] law firm and it's a legal advice. 
 

So, uh, not legal advice. It's a legal analysis. So, um, that's, that's another challenge. Um, because you need to evaluate not, um, kind of like almost three levels of analysis: the country level you're exporting the data to, then how it applies to this company, if there are any issues, um, um, that they experience. Like, for example, Facebook always fights, or like other big companies always fight with different local regulators, right? 
 

So, um, that would be a big consideration. So then, yeah, Facebook is on the radar for different authorities in different countries. So, yeah. They're probably going to ask for some information and how Facebook dealt with them in the past will affect the analysis versus, let's say, if you never had to deal with any enforcement in that country. 
 

So it's a plus. So, okay. So it doesn't mean it's never going to happen, but at least it didn't happen in [00:41:00] the past. And then, of course, there's analysis. Um, of your internal, um, supplemental, internal measures, what, um, contracts you have, how powerful they are, encryption, any other technical controls, and of course, operational, do you have a team, do you have policies, procedures, training, all of that. 
 

Um, all of it is technical, but it doesn't get complicated by TIA. It's always been challenging and it's, it's what you need to have in building your global privacy program. Um, one more thing that I wanted to highlight that is challenging, and I talked about this already, it's documentation. Um, first of all, how to prioritize. Let's say it's an easy thing if you're doing like just one data transfer from, let's say, only HR data. 
 

From France to U.S. You conduct TIA. You documented. Um, you work on the [00:42:00] supplemental measures. You implement everything, done. But what if you are transferring data to multiple countries, multiple purposes, and how many of those TIAs you need to conduct and how to prioritize this? How do you prioritize which one I need to start with? 
 

Um, kind of similar issue with compliance, like conducting data inventories, conducting data impact assessments. It's the same issue, prioritization, but that's another issue that I'm seeing many companies struggle with. Sometimes companies start prioritizing with, um, the countries, um, that they export data to that, um, have been kind of like on the radar with regulators. 
 

Um, USA is one of them, but there are some other countries. Um, sometimes they focus on the product that is, um, that maybe processes sensitive data, um, or maybe the purpose of the, [00:43:00] um, the, the purpose of transfer is something that is commercial and maybe it's more sensitive. But I also know that some companies prioritize low hanging fruit. 
 

We just want to have it done so we feel accomplished. It's just going to be a check mark because I know I can do a hundred of them in a day. Well, I'm just generalizing right now. I just want to have it done because I need to report to the board. I need to report to the management team. Um, I want to make sure that I have some progress. 
 

And I feel like it's okay too. So, um, so prioritization is another issue, especially if you have many transfers to evaluate whether there is a transfer and you need to complete TIA, then you have to complete the TIA. And if you need supplemental measures, you still need to implement that. So because there are many steps and, uh, multiple TIAs need to be carried out. 
 

It's, it's challenging. And of course onward transfer, right? So you need to have a separate TIA if there is [00:44:00] another onward transfer. And oh my God, how can you control another? It's challenging. It's like, I don't end the organizations, but that brings a lot of headache and, um, just companies are overburdened and it's really hard to stay focused and not overwhelmed. 
 

Sean Martin: So my, my big takeaway here, and I'll give you, uh, give you a moment to say anything else you wanna say. But my big take, takeaway thus far is documentation, transparency and justification. So presumably you kind of know what you wanna do, why you wanna do it, and hopefully have some analysis of, that it's okay to do it either based on country or the reputation of the organization you're working with and what have you. 
 

And in terms of priority, same thing. I want to document why I'm doing something and the [00:45:00] justification for the order with which I'm doing it. Um, so again, documentation there and justification. And I think at that point, it's not to trivialize it, but it's just going through the priority list and, uh, and following the guidance and, and, uh, using some of the tips that you shared, I think could, uh, could help streamline things. 
 

We're, uh, we're at 45 minutes. It seemed like time flew by, all this stuff floating in my head now. Um, is there anything we didn't touch on that you think we should say before we wrap?  
 

Elena Elkina: Oh, well, um, I think it's just, I would be probably repeating myself. Uh, I cannot say that it's an easy task, it's not. It's easy to say that companies need to conduct TIA, but it's not easy to do. 
 

Um, just kind of like think about it, it's an [00:46:00] elephant. How do you eat an elephant? One step at a time. But just, just take one step at a time and dive in, you need to dive in. It's going to be hard to personalize it, but when you start thinking about it one step at a time, it's much easier. Yes. It's still going to take time. 
 

It's where many questions you may not know at once, or you need to collaborate with stakeholders, but just, it's going to come to you. So, um, you're tackling a lot of things from third country regulatory perspective, um, like how data is being protected, and you also have internal importer and exporter specific supplemental measures, um, for data protection. 
 

So there's a lot to cover. So I feel your pain. Just, you can do it. Um, it's difficult, but you can do it.  
 

Sean Martin: And I'll add one more thing. If you're not hungry, don't put more food on the grill. So the translation [00:47:00] to that is if you don't have to, and you don't want to take on the, that's extra scope and extra effort. 
 

Then maybe you shouldn't. Don't, don't put yourself in a position where you have to do it if you don't have to. Now, there are cases where you have to, right? You want to grow your company, your business internationally, and where you have business partners that, that enable certain parts of the business to operate, and that's only possible through relationships that expand beyond, uh, your country's borders. But if you don't have to, don't, I guess is my, my other takeaway here. We talk about that from a security and general privacy perspective as well, but it, it, um, trickles downhill and  
 

Elena Elkina: Yeah, and that's actually an excellent point, Sean, because very often when companies start looking, they've done an analysis, they need to do TIA, they start looking into because one of the principles, minimum necessary, right? 
 

So, and at that point, there's some situation, not a lot of them, but I would say like [00:48:00] 40 percent situations where organization will cut some data transfer, like limit it, because they realize we don't need that data. We don't need that. It does require again, a personal operational aspect of it, removing it. And, but it's good data hygiene, it's good for the business, not only for compliance. 
 

And, that's an excellent point. Yeah. Even if you cannot cut it completely, just see if you can eliminate certain, certain risk that is not needed.  
 

Sean Martin: Yeah. There's the whole exposure end of it as well, which we didn't touch on at all. So Elena, it's fantastic to chat with you. Um, I really appreciate you taking the time to share with me and everybody else. 
 

Your viewpoints on this and, uh, some of the experiences you've had working with folks, and I think we both feel their pain, even I don't thankfully feel it, uh, operationally, but I feel it through our conversation here, um, and, and wish them all the best [00:49:00] in their decisions and their scoping and their, their practices. 
 

And uh, yeah, so thank you everybody for listening. I'll include a bunch of notes. I'll put, uh, descriptions of the acronyms that we've, we've mentioned here so you can, you can reference those as well, and anything else Elena wants to point to, to help, uh, help you operationalize this stuff more efficiently and effectively. 
 

Uh, we'll include those notes as well. So Elena, thank you so much. Thank you. Thanks everybody. Uh, please do share, subscribe and all that other fun stuff and, uh, stay tuned. Lots more coming. I've, uh, been very busy and so lots and lots to come. So thanks everybody. Cheers.