
Conduct fast data protection impact assessment to support business stakeholders

  • Data Protection
  • Data Processing
  • Data Transfer

In this use case, we show how digital territorial scope checks can quickly assess whether the data protection regulations of one jurisdiction, or of a combination of countries, apply to a business unit and its strategic projects, and surface the resulting non-compliance risks.

Coverage
  • 30+ jurisdictions
Scope
  • GDPR (EU)
  • FADP (Switzerland)
  • PDPA (Singapore)
  • many more
Availability
  • App
  • APIs
Local Establishment

Besides having a Legal Entity in Singapore - what are other triggers that make our business fall into the scope of Data Protection in the region?

Local Establishment

Can I be subject to a jurisdiction’s Data Protection rules even if I do not have a business within that territory?

Data Processing

How can I check if my Data Processing Activities are subject to the law?

Data Subject Location

I collect personal data of subjects in another country - am I subject to that country’s laws for Data Protection?

Data Transfer

Transferring Data from Europe to Switzerland - is the Receiving Entity also subject to GDPR requirements?

Data Transfer

Allowing a Swiss person to access Data in the USA - the Data is from an EEA individual - under what constellations is GDPR relevant for this setup?

Clarifying data protection territorial impact assessments in different jurisdictions

Today, business units approach the Compliance and Data Protection units with questions about whether a jurisdiction's Data Protection laws potentially affect them. Fundamentally, the business wants answers for the activities it intends to develop or change. Usually, the dedicated projects define a new business opportunity and assess the related risks. Compliance then needs to go through the relevant jurisdictions one by one and check how the activity is affected by each country's legislation.

As CCO or DPO, one might even hire an external consultant (from the big four, for example) to carry out all those checks with the business side of the bank, so that they know what is happening in addition to ensuring they stay compliant. The regulator will also need that information when the time comes.

The challenge of data protection territorial impact assessments in different jurisdictions

The biggest challenge is to make sure Compliance has all the business details required for a deep analysis while covering every country that the business teams and their projects are focussing on. The objective is that the bank is not penalised for failing to implement the Data Protection rules of one or several jurisdictions, since global projects that do not comply with regulatory requirements are a major risk for the organisation.

Additionally, after the relevant countries have been decided on and all the business details gathered, working through the required jurisdictions takes time, because Compliance has to consult specific manuals for each country. They need to establish whether the foreseen business activity triggers a country's Data Protection principles or, conversely, find evidence that certain legislation is (sometimes against all expectations) not relevant and can therefore be disregarded for that business activity or project initiative.

Overall, it is a process with too many back and forths that can lead to a huge delay in project implementation. To handle this situation, there are different options:

| Option | Business potential | Risk minimisation | Ease of scalability | Time and cost reduction |
|---|---|---|---|---|
| Option 1: Clarify relevant Data Protection triggers manually for a limited number of locations | + | +++ | + | +++ |
| Option 2: Roll out global territorial impact assessment checks and clarify restrictions case by case manually | ++ | ++ | + | ++ |
| Option 3: Digital cross-country territorial scoping checks | ++++ | ++++ | ++++ | ++++ |

Introducing digital territorial scoping checks

By using digital territorial scoping checks, Compliance and Data Protection units can assess the impact of a business and its projects across different jurisdictions in a matter of minutes, instead of going through manuals, which usually takes weeks or months depending on the size of the project scope.

A tool that permits faster assessment also lets the Compliance unit check in which countries a project is easier to deploy, given each country's specific data protection restrictions. This competitive advantage helps the business unit choose the jurisdictions that make the most sense even before the project starts. In other words, Compliance can steer business units towards the easier scope for the project, resulting in quicker deployment and less time spent checking whether countries do or do not carry a potential Data Protection risk.

To do that, one would need the following:

  1. Machine-readable data protection rules: a set of country-specific rules that in-house legal teams can customise;
  2. Dynamic access to data protection answers: a way for IT project managers to quickly obtain answers on IT system initiatives through an easy-to-use app or via the intranet;
  3. Easy integration options: technology that lets developers scale the use of the machine-readable rules by integrating them into existing processes or in-house tools.
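To make the first requirement concrete, the following is an added example of how territorial-scope triggers can be kept as editable data and evaluated against a project scenario; it is illustrative code written for this page, not the product's own rule engine, and the rule contents are assumptions. The GDPR triggers follow Art. 3 GDPR (establishment in the Union; offering goods or services to, or monitoring the behaviour of, data subjects in the Union) and Chapter V governs transfers out of the EEA; the FADP entry is a deliberately simplified reading that an in-house legal team would have to validate and refine. The `Scenario` fields, the country subset and the `assess` function are all constructed for the example.

```python
"""Illustrative territorial-scope rule engine (added example, not the page's product).

Rules are plain data so that a legal team can edit the triggers without touching
the evaluation code. assess() returns, per law, which triggers fired and whether
a transfer restriction applies to the scenario.
"""
from dataclasses import dataclass, field

# Constructed subset of EEA country codes for the example; a real rule set
# would carry the full list.
EEA = {"DE", "FR", "IE", "NL", "AT", "SE", "NO", "IS", "LI"}


@dataclass
class Scenario:
    """Constructed description of a business project for the check."""
    establishments: set                          # countries where the business has an establishment
    subject_locations: set                       # where the data subjects are located
    offers_goods_or_services_to: set = field(default_factory=set)
    monitors_behaviour_in: set = field(default_factory=set)
    transfers: list = field(default_factory=list)  # (from_country, to_country) pairs


def _touches(countries, territory):
    return bool(set(countries) & territory)


def _exports_from(scenario, territory):
    # A transfer leaving the territory is what the exporter-side restriction catches.
    return any(src in territory and dst not in territory for src, dst in scenario.transfers)


# Each trigger is (label, predicate). Predicates are the only place legal logic lives,
# which is what makes the rule set editable by non-developers.
RULES = {
    "GDPR": {
        "territory": EEA,
        "triggers": [
            ("Art. 3(1) establishment in the EEA",
             lambda s, t: _touches(s.establishments, t)),
            ("Art. 3(2)(a) offering goods/services to data subjects in the EEA",
             lambda s, t: _touches(s.offers_goods_or_services_to, t)),
            ("Art. 3(2)(b) monitoring behaviour of data subjects in the EEA",
             lambda s, t: _touches(s.monitors_behaviour_in, t)),
        ],
        "transfer_restriction": _exports_from,  # Chapter V applies to the exporter
    },
    "FADP": {  # simplified illustrative reading, to be validated by counsel
        "territory": {"CH"},
        "triggers": [
            ("establishment in Switzerland",
             lambda s, t: _touches(s.establishments, t)),
            ("data subjects located in Switzerland",
             lambda s, t: _touches(s.subject_locations, t)),
        ],
        "transfer_restriction": _exports_from,
    },
}


def assess(scenario, rules=RULES):
    """Return {law: {"triggers": [...], "transfer_restricted": bool}} for every law in scope."""
    findings = {}
    for law, rule in rules.items():
        territory = rule["territory"]
        fired = [label for label, pred in rule["triggers"] if pred(scenario, territory)]
        restricted = rule["transfer_restriction"](scenario, territory)
        if fired or restricted:
            findings[law] = {"triggers": fired, "transfer_restricted": restricted}
    return findings


if __name__ == "__main__":
    # Constructed scenario: a Swiss entity receives personal data of EEA individuals from Germany.
    swiss_importer = Scenario(establishments={"CH"}, subject_locations={"DE"},
                              transfers=[("DE", "CH")])
    for law, finding in assess(swiss_importer).items():
        print(law, finding)
```

For the constructed Swiss-importer scenario the engine reports no Art. 3 trigger for the receiving entity itself but flags the EEA-to-Switzerland transfer as a Chapter V restriction on the exporter side, and separately flags the FADP establishment trigger; a scenario in which the Swiss entity also offered services to EEA residents would additionally fire Art. 3(2)(a). Adding a jurisdiction means adding a dictionary entry, which is the property that lets the same check be run across many countries at once.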

Benefits of using digital territorial scoping checks

  • Spend less time on territorial impact assessment checks;
  • Increase the number of checks completed in the same amount of time;
  • Global risk minimisation: always aware of the global territorial impact assessment result for a given business unit;
  • Growth opportunity: digital rules scale globally, since new countries or comparison features are easy to add.