There has rightly been a lot of focus in recent days about sanctions and anti-money laundering issues in relation to the Russian conflict; the purpose of this blog is to introduce another dimension which lawyers should be aware of concerning a commodity which is increasing in value: data.
In recent weeks we have seen modern warfare spill over from conflict in physical space into the digital sphere, with Russian targeted cyber-attacks on Ukrainian government and military systems and calls from the Ukrainian Vice Prime Minister, Mykhailo Fedorov, for an ‘IT army’ of cyber specialists to assist in bringing down Russia’s technological infrastructure. As international government and security agencies prepare themselves for cyber-attacks, the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) have warned organisations to bolster their resilience against the cyber threat. Whilst there has not yet been evidence of any significant incidents across Europe or the US, the impact of Russian sanctions may increase the risk of organisations being the targets of disruptive activity, and organisations of all sizes are therefore advised to prepare for such events.
Lawyers are often seen as conduits to valuable information and as a result can be specifically targeted; the Panama Papers leak is a classic example.
This prompts a need to assess your data protection and information security framework, as well as to review your international data transfers and the processes you have in place to assess risks.
As a first step, you should be consulting your IT team or providers to ensure that a robust risk assessment is carried out in relation to your information security framework.
In terms of International Data Transfers, given the increased risks these can cause and the recent changes following Brexit, we set out some guidance and advice below.
Following the Schrems II ruling by the Court of Justice of the European Union in July 2020, new requirements were introduced for the use of Standard Contractual Clauses (SCCs) as a legal mechanism for data transfers. Data exporters are now required to assess, on a case-by-case basis, the level of protection in the third country to which the data is being transferred and to determine whether it is adequate and to the standard expected within the EU.
After the UK left the European Union, these principles were adopted, including the requirement to carry out a transfer risk assessment prior to the adoption of SCCs or the UK’s replacement International Data Transfer Agreement (IDTA). The risk assessment places greater emphasis on two key aspects of the law and practices of the destination country:
- Whether the IDTA will be enforceable in the country; and
- Whether the destination country’s regime might require the importer to give a third party access to the data transferred.
Point two was a focal point of the Schrems II decision and is particularly relevant now. It covers a range of circumstances, such as a court order within the third country requiring the importer to provide a copy of the data to a private or public organisation, and surveillance by private and public sector organisations, including government bodies.
The ICO recognises that the IDTA provides a baseline level of protection for an international data transfer and highlights the need for additional safeguards to be adopted where the risk of the data transfer, or the risk to the fundamental rights and freedoms of the data subject, is high. The European Data Protection Board (EDPB) has also published guidance on supplementary measures to protect data, such as anonymisation, pseudonymisation, encryption and other organisational and technical measures.
The EDPB also outlines six key steps for assessing risks related to transfers:
- Personal data mapping (including onward transfers)
- Verifying the transfer mechanism
- Conducting an assessment of laws and practices of the third country that may affect the appropriate safeguards relied upon in the context of the specific transfer.
- Ensuring the level of protection in the importing country is equivalent to that guaranteed under the UK/EU GDPR, taking into account the potential for access by public authorities of the third country and the rights and remedies available to data subjects; and identifying and adopting the supplementary measures necessary to bring the level of protection of the transferred data up to the required standard of essential equivalence.
- Developing formal procedural steps for the adoption of supplementary measures.
- Re-evaluating, at appropriate intervals, the level of protection afforded to the personal data that is transferred to third countries, and monitoring whether there have been or will be any developments that may affect it.
In light of step 6 above, and given the increased threat of cyber-attacks and the associated data protection risks, it is advisable to:
- Assess your international data transfer risks as per the EDPB guidance, especially for transfers to countries which lack data protection laws and practices or which present a risk of unauthorised access, and take the relevant steps to increase protections or cease transferring the data.
- Review cyber security defences: apply software and vulnerability patches, ensure anti-malware and anti-virus software is up to date, and confirm that logging and monitoring systems are in place to flag suspicious activity or attacks.
- Review and update business continuity plans and ensure backup systems are in place.
- Verify access controls: ensure passwords are unique and comply with company policy, and enable multi-factor authentication and ensure it is properly configured.
- Brief colleagues within the business to be vigilant, particularly of phishing scams (fake donation sites for Ukrainian aid have already appeared), and make them aware of any internal data protection processes, incident response plans and their obligations to ensure data is protected.
- Seek additional guidance from your information security team or service provider where necessary.
Unfortunately, it must be acknowledged that in the digital age entire technological infrastructures can be taken down remotely, at the press of a button, rendering systems unusable and exposing potentially high-risk data. Cyber security and data security must not be an afterthought, and organisations must prepare in these unprecedented times.
If you would like any further information or to discuss reinforcing your own data protection and international data transfer systems and processes, please feel free to contact us at firstname.lastname@example.org or on 0121 288 5227.
Sei-Ting Leung, Compliance Consultant
Further guidance and sources:
NCSC guidance, ‘Organisations urged to bolster defences’: https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences (accessed 07 March 2022)
CISA ‘Shields Up’ guidance: https://www.cisa.gov/shields-up
EDPB Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en (accessed 07 March 2022)
ICO guidance on international data transfers: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/
ICO International Transfer Risk Assessment Tool: https://ico.org.uk/media/about-the-ico/consultations/2620397/intl-transfer-risk-assessment-tool-20210804.pdf (accessed 07 March 2022)
Mykhailo Fedorov on Twitter: https://twitter.com/fedorovmykhailo/status/1497642156076511233 (accessed 07 March 2022)
CJEU Schrems II judgment: https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en (accessed 08 March 2022)