Data is the lifeblood of businesses in today’s global economy, and sharing it freely with offshore locations is often part of a business strategy.
Cross-border data security involves the safe movement of electronic and personal data around the world. This often proves to be a challenge for enterprises due to regulations, data residency requirements, and enterprise-specific practices that restrict the transfer of data across borders.
Challenges in cross-border data transfers
1. GDPR
Regulations like GDPR are more restrictive than ever before when it comes to cross-border data transfers. Because individuals risk losing their protection if their personal data moves outside the EEA, such transfers are prohibited unless the rights of the data subject are protected or one of the exceptions under the law applies.
GDPR lists three such exceptions: adequacy decisions, appropriate safeguards, and derogations.
An “adequacy decision” is a finding by the European Commission that the destination country, territory, sector or international organization has a legal framework in place that provides ‘adequate’ protection for individuals’ rights and freedoms. Secondly, “safeguards” ensure that both the transferor and the receiver are legally required to protect individuals’ personal data rights and freedoms. And finally, certain “derogations” or “exceptions” are listed in the law, under which the individual’s consent to how and where his/her data is going to be used is obtained before the data is transferred across borders.
2. Country-specific laws
Some countries have specific laws regarding cross-border data transfers. For example, Switzerland has a strict data protection law that sets stringent conditions for “trans-border transfers”: transmission is only allowed after a special agreement has been concluded. Over 80 countries and independent territories have adopted information security laws. Here are some country-specific laws:
- EU – GDPR
- Canada – PIPEDA (Personal Information Protection and Electronic Documents Act)
- US (California) – CCPA (California Consumer Privacy Act)
There are also laws protecting specific kinds of information, such as healthcare information and credit reporting: HIPAA (Health Insurance Portability and Accountability Act) and FCRA (Fair Credit Reporting Act).
3. Organization-specific rules
Organizations in highly regulated industries, such as financial institutions and healthcare, have their own specific rules for cross-border data transfers. Large organizations, especially those with a global presence, need to share data across borders and hence follow strict guidelines so that data security is not compromised while they do so.
Organizations need to take note of all the challenges that apply to them in order to transfer data effectively without compromising compliance.
To build an effective cross-border data security solution, you need to cover these key points:
- Define sensitive data, find where it resides, and identify who has access to it across the enterprise, with ease and efficiency
- Maintain referential integrity of realistic yet masked data for cross-border application development and testing
- Provide a flexible, scalable and robust solution for location-based masking in production support and operations
The answer to these points lies in the implementation of a data security technology platform that enables:
- Discovery of personal data based on classification and who (user and program) has access to it
- Elimination of personal data exposure in the non-production environment through Static Data Masking
- Minimization of data exposure in production through Dynamic Data Masking
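The discovery step above (classification by pattern plus validation, with the column-name dictionary search as a secondary signal) as an added example; this is illustrative code, not MENTIS’s product, and the rules, the threshold and the sample table are constructed for the demo:

```python
import re

def luhn_ok(value):
    """Luhn check digit: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def ssn_ok(value):
    """Rejects SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = value.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# (label, pattern, validation or None, column-name hints). Appending a tuple adds a custom classification.
RULES = [
    ("CREDIT_CARD", re.compile(r"^(?:\d[ -]?){13,19}$"), luhn_ok, ("card", "pan")),
    ("US_SSN", re.compile(r"^\d{3}-\d{2}-\d{4}$"), ssn_ok, ("ssn", "social")),
    ("EMAIL", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"), None, ("email", "mail")),
]

def classify_column(column, values, threshold=0.8):
    """Label a column when enough sampled values pass BOTH the pattern and its validation.
    A matching column name (dictionary search) halves the bar but never classifies on its own."""
    sample = [v for v in values if v]
    for label, pattern, validate, hints in RULES:
        hits = sum(1 for v in sample if pattern.match(v) and (validate is None or validate(v)))
        ratio = hits / len(sample) if sample else 0.0
        named = any(h in column.lower() for h in hints)
        if ratio >= (threshold / 2 if named else threshold):
            return label
    return None

def discover(table):
    """Map every column holding personal data to its classification; unclassified columns are omitted."""
    found = {col: classify_column(col, vals) for col, vals in table.items()}
    return {col: label for col, label in found.items() if label}

# Constructed sample table (well-known test card numbers, not real customer data).
SAMPLE_TABLE = {
    "card_no": ["4111 1111 1111 1111", "5500 0000 0000 0004", "3400 0000 0000 009"],
    "order_ref": ["1234567890123", "1234567890124", "1234567890125"],  # card-shaped, fail Luhn
    "email_addr": ["a@example.com", "b@example.org", "n/a"],
    "ssn": ["123-45-6789", "000-12-3456", "078-05-1120"],
}
```

Running `discover(SAMPLE_TABLE)` flags `card_no`, `email_addr` and `ssn` while leaving `order_ref` alone, which is the false positive a pattern-only scan would raise.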
Making a comprehensive list of all the essential requirements and putting tools in place that provide the basic capabilities to meet those requirements is key. And by tools, we mean technology-enabled data security methodologies that include data discovery, static data masking, and dynamic data masking. The tools you choose should cover the following aspects:
- Data Discovery
  - Protecting your data starts with knowing where it is located.
  - For meticulous discovery, the tool should go beyond the usual dictionary search and use patterns, validations, data matching, and a source code scan to minimize false positives, and it should allow custom data classifications.
- Static Data Masking
  - To provide realistic data for testing and development without disclosing sensitive information (sensitive data is permanently replaced by altering data at rest).
  - The tool should allow for uninterrupted anonymization without compromising referential integrity and consistency across data. The approach should be flexible, depending on the complexity of the architecture and on performance and security requirements.
- Dynamic Data Masking
  - To provide role-based security for your data, so that only authorized users see the real data (sensitive data is replaced in transit).
  - Masking should be flexible in terms of business requirements without changing the underlying data. It should be able to mask sensitive data at both the database and application layers, and it should scale while maintaining high performance.
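The two masking modes above as one added example (illustrative code, not MENTIS’s product): static masking rewrites a customers table and an orders table with a keyed, deterministic surrogate so the foreign key still joins, and dynamic masking leaves the stored row untouched and shapes what each role receives. The key, the role policy and the sample rows are constructed for the demo.

```python
import hmac
import hashlib

# Assumption: in a real deployment the masking key comes from a KMS/HSM; constructed for this demo.
MASK_KEY = b"constructed-demo-masking-key"

def pseudonym(value, length=12):
    """Keyed, deterministic surrogate: equal inputs give equal outputs in every table,
    which is what keeps foreign keys joinable after masking."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:length]

def mask_email(email):
    """Pseudonymise the local part, keep the domain so the value still looks like an email."""
    local, _, domain = email.partition("@")
    return f"{pseudonym(local, 8)}@{domain}"

def static_mask(customers, orders):
    """Static Data Masking (data at rest): rewritten copies for a non-production environment."""
    masked_customers = [{"id": pseudonym(c["id"]), "name": f"Customer {pseudonym(c['name'], 6)}",
                         "email": mask_email(c["email"]), "card": pseudonym(c["card"], 16)}
                        for c in customers]
    masked_orders = [{**o, "customer_id": pseudonym(o["customer_id"])} for o in orders]
    return masked_customers, masked_orders

def join_orders(customers, orders):
    """Referential-integrity check: every order must still resolve to its customer."""
    by_id = {c["id"]: c for c in customers}
    return [(by_id[o["customer_id"]]["email"], o["amount"]) for o in orders]

# Assumption: which roles may see the card number in full, in part, or not at all.
CARD_POLICY = {"fraud_analyst": "full", "support": "last4"}

def dynamic_mask(row, role):
    """Dynamic Data Masking (data in transit): stored row untouched; the reply depends on the role."""
    out = dict(row)
    level = CARD_POLICY.get(role, "none")
    if level == "last4":
        out["card"] = "**** **** **** " + row["card"][-4:]
    elif level == "none":
        out["card"] = "****"
    if role != "fraud_analyst":
        out["email"] = mask_email(row["email"])
    return out

# Constructed sample data (test card numbers, not real customers).
CUSTOMERS = [{"id": "1001", "name": "Alice Example", "email": "alice@example.com", "card": "4111111111111111"},
             {"id": "1002", "name": "Bob Example", "email": "bob@example.org", "card": "5500000000000004"}]
ORDERS = [{"order": "A1", "customer_id": "1001", "amount": 42.0},
          {"order": "A2", "customer_id": "1002", "amount": 7.5},
          {"order": "A3", "customer_id": "1001", "amount": 13.0}]
```

After `static_mask(CUSTOMERS, ORDERS)`, `join_orders` on the masked copies still pairs all three orders with their (now masked) customers, and two calls to `dynamic_mask` for different roles return different views of the same unchanged row.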
The tools should support popular data sources, including relational and hierarchical databases, big data platforms, and files on-premises and in the cloud.
Finally, the implemented business solution should allow for multiple stakeholder collaboration – IT, enterprise architecture, security, and compliance.
We believe that with these methodologies, any organization can make secure and compliant cross-border data transfers possible.
At MENTIS, our solutions in data security are certified, tested, and deployed by very demanding customers all over the globe. MENTIS has successfully implemented cross-border data security in a top Swiss bank.