How Can Business Prepare for Data Flow Changes?

Our two pillars approach to managing data flows and privacy


Chris Knight

As the UK prepares to leave the EU’s rules, what should businesses be doing to prepare for any changes to data flows in the UK, EU, USA triangle? Our experience of working with data flows and The Great Firewall of China always brings to mind a quote from Sir Tim Berners-Lee;

“What’s very important from my point of view is that there is one web … Anyone that tries to chop it into two will find that their piece looks very boring.”

This quote is particularly relevant because of the current risk to the web of geopolitics and privacy laws. Originally this statement was referring to the US Justice Department decision that internet service providers should be allowed to charge for priority traffic in 2007. It’s an even more pertinent comment today, when there are far bigger risks to the web than priority data lanes.

The big data-flow tip: two pillars

So how can you keep your corner of the web interesting and the data flowing? We developed our two pillars rule through our work with companies in China and EU (GDPR):

  • Store sensitive user data separately from the data they generate and/or application data. Most data security legislation is about protecting data that directly points to a physical person (e.g. name, address, email) and not ‘user id’ watched this show.
  • Data from the user database should never be exported (unless there is a very strong reason to). It’s hard to imagine why a system can’t just reference a user by an id and limit who can connect the user id to a person.

Technically, data flow is easy with the right tools; it’s the legals that make it complicated. If you use a cloud based solution, such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Services the legal side of data flow is made more straightforward as they are typically certified to be part of data treaties.

We found that a good practice is to store private user data using specialised software. For example; AWS Cognito or Auth0 in a suitable geographical location, data privacy laws normally specify where data can be stored. These tools have more accreditation than you can shake a stick at, and they also help separate sensitive data from the data that can be anonymised.

Obviously, there may be times when we have to bend the rule about exporting data. That said, we limit these to exceptional circumstances that have many, many checks. We also notify the legal teams of their existence and explain why exporting this sensitive data is critical to the performance of the system in each case.


A Cautionary Tale

In China, the restriction of data flows has already limited their section of the web both legally and technically. Originally China created the Great Firewall as a way of controlling the influence of foreign media over its population. Over the past few years however, it has been used to leverage international big tech companies who want to enter the Chinese market. Being allowed access means typically handing over IP and/or ”partnering” with Chinese entities.

Amazon’s cloud service, AWS, is a good case study of the insistence on local partners. In order for AWS to operate within the Great Firewall, and thus reach the Chinese market, they had to partner with NWCD and Sinnet, who run the business for them. This is the only geography where AWS operates with a partner. It is also the only geographic region where setting up servers with AWS is near impossible, unless given special permission to operate there. Now, this may seem a small detail, but it has very large implications for the “one web” idea.

On the flip side Douyin is the original, local version of the Chinese phenomenon, Tik Tok. They look the same, have the same features and are both owned by the Chinese company ByteDance. However, they are completely separate systems. There are many reasons why they are kept separate, but for the purposes of this article, we can see it as a sign that two internets already exist. Chinese users cannot access international content and vice versa, using the same App. Already we can see why this would be considered more boring at one end of the spectrum, and potentially devastating to the sharing of information and ideas that the “one web” has revolutionised.

These examples show that where data flows are restricted, the legal response involves compromises. That said, we think data privacy shouldn’t be seen as a hindrance. It’s more of a minimum standard that you promise to live up to for your users and/or employees.

As we heard from Sir Tim Berners-Lee, data flow is not only crucial to the usability and excitement of the internet, it is also fundamental to its power. Having two internets hinders the user experience and too much unnecessary data movement creates major privacy issues. Plus there is the risk of a 4% of annual global turnover in fines if it’s done badly.

The next few months will be very interesting for the EU, US and UK. We hope that decision-makers do not choose to play geopolitics with data flows. But if they do, we have some tested ways that businesses can work within the new rules. Whatever the outcome though, the internet will always find a way.