While technology has evolved to connect territories and people, as different jurisdictions develop their own positions on data privacy, cyber security and the economics of digital business, it is no longer the case that the internet has no borders. Successful businesses must navigate seamless cross-border delivery, whilst keeping pace with potential pitfalls and compliance risks and a rising tide of cybercrime.
Today, more countries rely on the cross-border flow of goods, services and content to fuel our digitally driven economy. At this year’s G20 Summit, held in Osaka, it was no surprise that digital trade was high on the agenda, with the official Osaka Declaration on the Digital Economy coming out of the summit.
As trade tensions rise and the global trade environment becomes more complex to navigate, companies looking to trade cross border need to get their digital and compliance strategies on point if they want to do good business.
2019 has seen significant movements in trade agreements to promote cross-border trade and reduce barriers that limit data flows as the digital economy continues to expand. The EU has clearly set out its stall as the self-appointed global rule-setter for data protection. This incentivises territories outside the EU to raise their own standards to meet its GDPR gold-standard, in order to enable a free flow of data in relation to its large, wealthy consumer base.
This has become an integral part of the EU’s trade policy, as evidenced by its recent trade deal with Japan, which was followed swiftly by an ‘adequacy’ decision by the European Commission, allowing the cross-border flow of personal data. In South America, the European Union has agreed a trade deal with the Mercosur bloc after over twenty years of negotiation, opening a market which moves almost a fourth of the world’s gross domestic product.
As ever, while trade deals can facilitate cross-border trade, there are countervailing protectionist developments. India, considered one of the largest growth markets in the world, has recently proposed its own equivalent of the GDPR. While this is based on similar principles in terms of protecting personal data, it also includes data-localisation requirements that echo China’s regime. Positioned as a necessary response to cyber threats, the concern for businesses is that data localisation requirements can be used as a tool for protectionism, erecting new barriers to cross-border digital trade.
Barriers to trade have far-reaching effects, but the near and present danger for companies where data is involved is the impact on the bottom line if something goes wrong. Marriott International is a case in point; their recent breach of data protection laws came with a hefty £99 million fine, less than the £183 million for British Airways following a 15-day hack where customers’ personal card details were stolen.
As the fourth industrial revolution begins to take hold and evolve, the increasing dependence on cross-border data transfers will present companies in the manufacturing sector with a host of new considerations.
Firstly, tech stacks are becoming ever-more sophisticated, incorporating a mix of cloud, hard-wired and edge computing. The rise of ‘as a service’ is extending to manufacturing, meaning that companies will increasingly be renting rather than purchasing key pieces of equipment. This means information will need to be shared across more service providers, in different jurisdictions and possibly operating under a different set of rules.
In the same vein, IoT-enabled businesses require supply chains that support a seamless flow of information. For example, retailers’ predictions of stock may feed into the machinery that manufactures the products, which can often mean cross-border data flows across several suppliers.
Not only does this proliferate the points of risk in terms of cybersecurity but it also begs the question – what must be done in terms of covering your bases across a different set of rules and guidelines, particularly considering that regulations like the GDPR are extraterritorial and apply in relation to EU citizens, whether data is processed locally or internationally?
The simple and immediate answer is that companies cannot skimp when it comes to compliance and data security. And this means getting both the practical and the contractual arrangements right. Does the contract require (realistic) minimum cyber security standards, and is appropriate due diligence carried out on suppliers to ensure this is met before systems are integrated?
As the contract goes on, are there audit rights, and are these utilised? And if something does go wrong, does the contract require notification of any data breaches, and provide contractual protection against any damage?
As companies undergo digital transformation, they are also coming to terms with the fact that they will need policies, procedures and protections in place that leave them the least exposed in a world where digital trade can bring risks as well as opportunities.
This article first appeared in Data Protection Magazine.