BSI reveals data compliance landscape impact on information resilience

27 April 2021

Research conducted by the Consulting Services team at BSI has revealed that some organizations are struggling with the current data protection landscape, with many data transfers impacted by the UK’s exit from Europe and the invalidation of the EU-US Privacy Shield framework last year. With information resilience and cybersecurity being a top priority for many organizations in 2021 as remote working continues, staying alert to the evolving data compliance landscape is essential.

UK - EU data transfers post-Brexit

The UK’s transition period from the European Union that ended on the 31 December 2020 has impacted many aspects of business including how data transfers are carried out. According to research by BSI’s cybersecurity and information resilience team, one in four organizations’ data transfers have been impacted as a result of Brexit, while 39 per cent said they were still unsure of the level of repercussion.

The impact effects how data is processed in each region, where it is hosted and how it is protected, including jurisdiction representative requirements to ensure compliance in line with UK compliance as well as the GDPR (General Data Protection Regulation) in Europe. While there is currently an adequacy ruling in place to maintain data protection between jurisdictions, a review decision is expected in June by the European Union.  

EU - US Privacy Shield invalidation ruling

Last year the Court of Justice for the European Union invalidated the adequacy of the EU-US Data Protection Privacy Shield, meaning transfer of data between the US and EU was no longer protected under the framework. BSI’s findings highlighted that this ruling has impacted almost five in ten organizations with many requiring legal support, a review of existing contracts, Transfer Impact Assessments (TIAs) and the revision of mechanisms to ensure the resilience of data transfers in the future.

Affecting very significant volumes of data, the privacy shield framework website¹ currently has 4,413 active organizations and 1,785 inactive organizations as compliance requirements are being reviewed. Currently, compliance actions would include implementing and re-evaluating Standard Contractual Clauses (SCCs), seeking explicit consent, revising business processes, and outsourcing services.

Conor Hogan, Global Practice Lead - Privacy - Cyber, Risk and Advisory at BSI said: “Data protection regulations, along with the increase² in cyber-attacks and data breaches - a side effect of the global pandemic, will continue to be a challenge for many organizations this year. The volume and value of data is an essential asset that needs to be protected and our research demonstrates the impact the current landscape is having as a result of two significant changes. How data is transferred, stored, and processed requires reviews and proactive scanning of regulatory updates as well as accessing third party supplier data management on a regular basis.”

“No organization wants to be in a position whereby a data breach has a significant impact on their people, reputation or finances. Information resilience is about empowering organizations to safeguard data throughout its lifecycle and we would strongly urge organizations to take a proactive, pragmatic approach to ensure compliance and security of data,” concludes Conor.

The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-ie