Almost every company sends data to the United States through its software without noticing. Where personal data is involved, this is very likely a breach of data protection law.
There is no one-size-fits-all solution, but Arnd Fackeldey, a data protection expert and speaker at the TÜV NORD Academy, explains how companies can at least make their data use as secure as possible.
Virtually every company sends data to the United States in its daily work, whether through office software, video conferencing systems, newsletter services, web tools or cloud solutions. Even when a tool initially runs on servers within the EU, the data is often also stored at the provider's parent company in the United States. For personal data such as names, postal addresses, email addresses, bank details and order details this is problematic, because from a European perspective the United States is an "insecure third country".
The Privacy Shield, the agreement that was meant to provide a safe harbour for such transfers, was declared invalid by the European Court of Justice in July 2020 and is no longer sufficient as a legal basis.
The revised EU standard contractual clauses, available since June 2021, make data transfers legally secure for many countries, but on their own they do not secure data transfers to the United States. As a precaution, German companies should initially assume that American companies simply cannot comply with them. The revised standard contractual clauses also require additional measures covering onward transfers, security measures and the handling of sub-processors. So how can companies use their data as securely as possible?
Arnd Fackeldey, Data Protection Officer at the TÜV NORD Academy and Managing Director of Digicom Consulting, points out the most important measures companies can take to protect themselves as far as possible, in addition to applying the revised EU standard contractual clauses.
1. Encrypt data
By encrypting personal data both in transit and at rest, companies gain additional security. Encrypting the data is always advisable, since it minimizes the damage if an incident does occur. Before introducing encryption, however, several technical aspects of data security have to be considered, above all the strength of the encryption algorithm and the protection of the keys.
2. Use European servers
Where possible, the company should store its data only in European data centers. Under the General Data Protection Regulation (GDPR) this is the right approach, but it does not offer complete security, because administrators in an insecure third country may still be able to access the data, parts of it may be outsourced, or backup servers may be located in the United States. It is therefore important that the data center's administrative operations are also located in a country with an adequate level of data protection.
3. Use legal solutions
If processors operate in an insecure third country such as the United States, German companies must ensure that the service provider exhausts every legal avenue to avoid disclosing personal data to the authorities of that country.
4. Look for alternatives
Sometimes the best solution is to switch to other services: alternatives to the current online service that may cost more but use data centers in Europe are worth considering.
5. Internal Organizational Rules
Companies with subsidiaries in other countries can adopt internal corporate rules, known as Binding Corporate Rules (BCR), which oblige foreign subsidiaries to comply with European data protection law. "It works like a kind of privacy shield," says Arnd Fackeldey. However, this too reaches its limit where the company's internal rules conflict with the laws of the other country.
6. Awareness and training
All employees in the company should be made aware of and trained in data protection, even if they are not directly responsible for data security. After all, a large number of employees handle personal data at some point in the workflow. Companies should therefore raise awareness and provide comprehensive training on national and international data protection requirements.
"Once companies have exhausted all possibilities to ensure maximum security, they have a good chance of avoiding the misuse of personal data and of not being targeted by the supervisory authorities," says Arnd Fackeldey. But the measures need to be kept up to date, and the internal rules need to be re-checked regularly. Fackeldey insists: "I'm not going to close the topic of international data security today. It needs to be constantly monitored because there are always new developments and changes."