A common challenge faced by many organisations is navigating complex governance and obtaining appropriate approvals to transfer data into the Cloud. The volume of internal review and approval steps can number in the hundreds, and there is often additional overhead associated with required regulatory engagement and approvals. The friction involved can impact agility, be a blocker for business initiatives and become a real impediment to achieving an organisations strategic objectives and benefits enabled through Cloud adoption.
Bring into consideration the need to also manage compliance with data sharing restrictions impacting cross-jurisdictional data transfers that are on-premise, internal or to third parties and the complexity and scale of the challenge becomes clear.
With the post-pandemic acceleration of digitisation, we expect that FS organisations will continue to accelerate the implementation of strategic Cloud projects and outsourcing to CSPs will continue to be under the spotlight of FS supervisors. Organisations will need to consider data residency related legal and regulatory developments in this context and enhance their compliance and risk management capabilities accordingly (for example the Schrems II ruling by the CJEU makes it significantly more complex for FS firms to host data in Cloud infrastructures in third countries that are not deemed adequate under the EU and/or UK GDPR).
As a result, many organisations are looking to uplift their data governance and management capabilities in order to mitigate the risks associated with regulatory and legal requirements around data sharing, improve the quality and timeliness of decision making and ultimately support the realisation of benefits associated with Cloud technology.
What constitutes a data transfer?
Data transfer broadly covers two scenarios, either of which could involve transfer of data into the Cloud:
- The transfer of data to external vendors and third parties – including for outsourcing purposes, the design, development and operation of a new technology or product that is provided by a third party, or a new business use, purpose or process that involves support from, and collaboration with a third party
- The transfer of data across jurisdictional borders – including internally involving functions or teams within a single entity, internally involving multiple Group entities or externally involving third parties.
It is important to consider that the collection, movement, replication or access of data constitutes a transfer in this context. This means that the scenario of an employee who is physically located in another country viewing or accessing information on-screen their device via VPN, would constitute a data transfer and in some circumstances could be in breach of data residency restrictions.
What is Data Residency?
Data Residency is a legal requirement by a country to collect, store, or process data within a specific jurisdiction. Since data localisation/residency requirements are being produced nationally there are many variations but broadly the different models can be categorised under:
- Local-only storage, transmission and processing: i.e. exclusively in and between servers or data centres located within the national territory
- Local copy: keep a copy of data in local servers or data centres at all times or have at least some data processing capabilities within the national territory
- Conditional restrictions: international data transfers are only permitted if certain conditions are met by the company carrying out the transfer and/or by the recipient country
What are the key considerations when assessing the transfer of data?
Any decision to significantly relocate data should consider a range of impacts including Legal, Cyber and Operational Risk. Effective governance, therefore, requires a defined policy and evaluation process developed through engagement with multiple stakeholders.
Decisions to relocate the organisation’s data assets cannot be made ad-hoc without incurring high levels of risk or delay. A considered transfer strategy, backed with defined policy and case approvals process is key to maintaining delivery pace while mitigating risk.
Figure 1: data transfer approval considerations
How is the industry responding to the challenge, and what does the maturity journey look like?
Most global financial institutions have developed their governance capabilities over the last 10 years from a foundation of data sharing agreements and local approvals, evolving towards a centralised rules-based model and supporting workflow, technology and automation.
Figure 2: data transfers governance implementation journey
Looking across the industry, there is a number of key themes that illustrate how organisations are tackling the challenge:
- Policy – global policy coverage, primarily owned by Legal, often supplemented by coverage across multiple related policies e.g. privacy, records management, data handling, change management
- Data sharing agreements – implementation of data sharing legal agreements between bank legal entities as key mechanism and ‘safeguard’ to permit sharing of categories of data for defined purposes
- Process –including implementation of consistent, intelligent workflow covering:
- Initial/pre-screening assessment
- Privacy Impact Assessment (PIA)
- Data Protection Impact Assessment (DPIA)
- Outsourcing assessment
- Cross-border transfer assessment
- Group and local actions
- Data transfer risk acceptance
- Data transfer rule repository maintenance/approval
- Central rules-based model – consolidation of local legal and regulatory requirements to define a global ruleset and facilitate pre-approval and streamlined clearance
- Automation – scaling of cloud adoption driving increase in data transfer requests and a requirement for the ability to process them at speed and scale, and centrally maintain records.
Based on these insights, what should your organisation be thinking about in order to better govern data transfers and manage risk more effectively?
Consider the following key steps to enhancing the capability to scale data transfers whilst maintaining governance and control:
- Undertake a data discovery exercise to understand your existing data transfer flows and maintain a record of what data is being collected, used, stored and transferred for what purposes
- Ensure global policy coverage which sets out clear responsibilities and addresses the approach and fundamental principles for the management of data transfers within your organization and with third parties
- Establish a central team to provide coordination and support to businesses and functions, to improve the governance and management of data transfers and ensure that the export of data across international borders and to third parties is performed in line with external legal requirements, internal policies and risk appetite
- Consolidate a global data transfer legal and regulatory requirements library, and develop a data transfer matrix and set of rules that apply to your organization
- Define and implement a technology and automation strategy to support the data transfer process. Often this comprises multiple components including a rules engine (e.g. framework represented in multi-dimensional graph database technology) alongside a workflow tool, typically leveraging an organization’s existing strategic workflow tool choice. Typical data transfer platform capabilities include:
- System interfaces to reference data repositories, enterprise data model, systems inventory
- Configurable assessment questions and workflow
- Model contract inventory
- Reporting and metrics
- Audit trail.
What does a successful implementation model look like?
With the post-pandemic acceleration of digitisation and strategic Cloud adoption, many organisations are actively working to enhance governance and control over data sharing. Among the more mature organisations, we observe commonality around their target state vision, which typically articulates implementing a centralised data transfer governance service or utility.
Leading organisations have progressed along the implementation maturity journey and have already started to realise this vision and unlock a range of business benefits.
Should you be thinking about what a successful implementation would look like for you?
Figure 3: Centralised data transfer governance service
- Workflow captures transfer requests in a standardised format and route appropriately to a decision engine, exceptions management team, approvers
- Decision engine triages the request and may automatically approve cases of lower risk/complexity requests, or where similar requests have been approved before
- Exceptions management SME team reviews higher complexity cases and makes a recommendation to approvers based on legal/compliance requirements and policy
- Parameterisation layer presents data sharing agreements and legal requirements content as structured data parameters to enable automated processing where possible
- Database of past transfer requests and decisions, for audit purposes and to support rapid approval of repeat requests
- Data Transfer Matrix (global legal and regulatory requirements) to support assessment of sending and receiving jurisdictions. Frequently updated.
- Data Sharing Legal Agreements and model clauses addressing safeguarding requirements. Specifies data categories usage purposes
- Integration with Data Catalogue to identify data categories, known DQ issues, data owners to approve etc, and to update data lineage where the approval creates new data flows.