Technical and Organisational Measures
Technical measures
- Data encryption in transit and at rest using industry-standard protocols.
- A Web Application Firewall is implemented to detect and block malicious traffic.
- Access control and role-based access restrictions for all users of the systems.
- Multi-factor authentication for all systems with access to transferred data.
- Endpoint security, including antivirus and device encryption, on all devices.
- Comprehensive audit logging, including access logs and change logs, which are retained and monitored for suspicious activity.
Contractual measures
- Specific security measures in the data sharing agreement and other supplementary agreements. – we don’t have a DSA with the US clients; this is our chance to implement these in the terms.
- Request that the importer document enquiries as to whether there are any laws and/or regulations in place that permit access to the personal data transferred.
- Request that the importer document enquiries, based on their knowledge, as to whether there is existing information or statistics on public authorities accessing personal data.
- Request that the importer document any requests received from public authorities and, if so, the number and type of request and whether they have complied with the request(s).
- Obligation that the importer must notify the exporter if they are approached by a public authority to share/provide access to personal data or if they suspect a public authority has accessed their data.
- Reinforce the concept of audit inspections, on-site or remote, to verify whether data was disclosed to public authorities.
- Commitment to notify the exporter where there is a change in law and the importer can no longer ensure the safe transfer of data.
- Commitment to enable data subject rights and commitment to assist data subject in exercising their rights in third countries.
- Commitment from the importer not to engage in onward transfers within the same or other third countries, or to suspend ongoing transfers, where a level of protection of personal data equivalent to that afforded in the UK/EEA cannot be guaranteed in the third country.
Organisational measures
- Internal policies for governance of transfers, especially within groups of enterprises, with clear allocation of responsibilities for data transfers, reporting channels and Standard Operating Procedures (SOPs) for cases of formal or informal requests.
- Document and record the requests for access received from public authorities and the response provided, together with the legal reasoning and the parties involved. The importer should make these records available to the exporter, and the exporter should in turn provide them to the data subjects concerned.
- Only the minimum amount of personal data necessary should be transferred outside the UK/EEA, to limit the risk of unauthorised access.
- Regular audits to monitor and enforce compliance with data minimisation.
- Involve the data protection officer or the relevant internal and audit teams in international data transfers.
- Adopt and regularly review internal policies to assess the suitability of the implemented supplementary measures.
- Develop specific training procedures for personnel in charge of managing requests for access to personal data from public authorities.