I posted yesterday about my complaint to the Irish Data Protection Commission about the cross border data transfers of an international not-for-profit organisation.
This is a topic I’ve looked at myself in the past in some detail when I was volunteering with a similar organisation doing similar things. About five years ago I mapped out the considerations and what needed to be done to ensure certainty (this was in the wake of Schrems I and long before Schrems II).
Working out what had to be done meant thinking some previously unthinkable things. It encountered huge resistance in the organisation. Ultimately, despite getting some early wins (data localised to the EU, role-based access on the database that would allow access to personal data to be restricted by geographic region if required, EU-based processors engaged for development work and application support, and other stuff), we didn’t get fully to a point where I was happy that the compliance risk was fully mitigated. The internal resistance became too much to overcome as the objective that was being pursued became conflated with other internal politics in the organisation. For example, setting up an “Operations Entity” in the EU to manage all the back-end data processing activities was something that didn’t happen, because it required significant changes to the bylaws and governance structures of the organisation.
So, I can understand why organisations might struggle with these things if they are constrained in their resources. It does mean having to think long and hard about your information architecture and processes. And it can effectively amount to a perceived shift in the organisation’s internal power dynamic if suddenly “head office” has become a figurehead function and the real work is being done elsewhere. It does mean having to consider the impact and implications for your brand if your compliance is called into question.
There is another strategy that I might pursue now if I had the time over again. But I don’t, and frankly I don’t think I’d put myself in that thankless (unpaid) position again.
But I do think this is something that global membership organisations need to start thinking about. I just seem to have been thinking about it a bit longer than others. The problems raised by the IAPP in their webinar and that I have raised in my complaint are not new. We just need to get around to solving them. And that means thinking outside the box and rising above any internal “toy-town” politics that might exist in an organisation.