Forensic Risk Alliance

Webinar

Data Governance, Transfer and Protection Trends in Multi-Jurisdictional Investigations

October 2, 2019

A summary of FRA’s Webinar with Lexology, 10 September 2019

Since FRA’s inception 20 years ago, we have specialized in complex data transfer and privacy matters. From our first major engagement manoeuvring Swiss banking privacy constraints to find Holocaust-era accounts, to our current work advising clients on data governance in a GDPR world, our experts have accumulated a wealth of first-hand experience managing regulatory and internal investigations in an evolving global environment of data regulation. In this recent webinar hosted by Lexology, FRA founding partners Frances McLeod and Greg Mason and director Doel Kar share their perspectives on the impact of recent trends on investigations, drawing on their practical experience helping clients build customised solutions.

Navigating Conflicting Laws and Regulations, both Present and Future

The past few years have seen various data protection regulations emerge, some of which conflict with each other in certain areas. It may be insufficient for a company to focus narrowly on meeting the standards of the EU GDPR or US CLOUD Act if its business operates – or may one day operate – in jurisdictions where there are national laws (e.g. China Cyber Security Law) and even state laws (e.g. the forthcoming California Consumer Privacy Act) to be considered.

A multi-national company that wants to cooperate with an investigating authority in one place may fall foul of a different authority in the process, due to blocking statutes or industry-specific data restrictions. It is worth noting that enforcement agencies around the world are also grappling with the implementation of these emerging laws and regulations and may not be available to offer pre-emptive advice to the degree and urgency that a company might want.

Furthermore, there is a tremendous reliance on technology in companies of all sectors and sizes today. Cloud storage, user-generated data and remote working arrangements are a few examples of how business models today rely on technology, and such businesses should build strategies for managing the resulting complexity in data privacy and protection matters before an investigation arises.

For these reasons, building a completely compliant and future-proof strategy across multiple jurisdictions may be an unrealistic goal. Companies must strike a balance between respecting varying privacy regulations and being forthcoming with reporting requirements. The best starting point is to aim to develop a data governance plan that is largely compliant and defensible, documenting your decisions along the way, should they come into question further down the line.

Where do you start?

We advise our clients to adopt a multi-disciplinary approach when preparing their data management strategy – ideally well before an investigation arises. Choosing the right partners in designing this strategy will depend on factors such as the nature of the investigation, maturity of the company’s infrastructure and the jurisdictions involved. Our top priorities in guiding clients through this process are:

  1. Data mapping. A clear data strategy is vital to any company that has data that may reside in several jurisdictions. This is an area for collaboration between compliance and IT, possibly with the assistance of consultants who have expertise in this cross-over. The data mapping exercise can also serve as a risk assessment to help identify priority areas and resources.
  2. Collection and Preservation. A proper audit trail underpins a successful investigation at this stage. There may be sector-specific considerations as well. While some companies undertake this stage on their own for cost reasons, you need someone to validate that your process is forensically sound and will stand up under investigation.
  3. Training and Escalation. Protocols and processes must be defensible. We advise having appropriate counsel in each jurisdiction who understand the respective laws and regulations.
  4. Data Transfer Strategy. Consult and involve data privacy and transfer experts from the outset of any cross-jurisdictional investigation, and weigh the risks of using untested or controversial data transfer mechanisms. Our advice to minimize chances of breaching future data transfer laws is to err on the side of caution and keep data within its jurisdiction of origin as far as possible.

As end-users of data ourselves, FRA always has an eye on emerging technology that could help investigations. Our Mobile Discovery Solution equipped with air-gap technology, for example, has been an essential innovation in many of our customized solutions for multi-jurisdiction investigations. As for the next generation of revolutionizing artificial intelligence tools, they will have to be calibrated with the expertise of people who understand best practice and stay abreast of the latest legal requirements and developments.

FRA Case Study

One of our most complex and innovative client solutions was designed before GDPR came into effect and has managed to satisfy various state secrecy laws, data privacy laws, national defence and intellectual property concerns. Read more here.

FRA is also undertaking a monitorship of a European company in which we developed different “data rooms” in order to be GDPR compliant – one in the EU where data will only be available for review locally (with strict access rights and an automated trail), and another where the company can move necessary documents for reporting to the foreign investigating authority after redacting any personally identifiable information. Our approach has been validated by the relevant enforcement agencies.

Meet the Authors

Frances McLeod

Founding Partner

Frances McLeod is a Founding Partner of FRA and head of its US offices. She is a former investment banker and has over 26 years of experience advising diverse clients […]

Greg Mason

Founding Partner and Co-Head of Data Analytics

Greg Mason is a Founding Partner of FRA and Co-Head of the Data Analytics practice. His expertise lies in database architecture and programming, software design, mass data analysis, data mining, […]

Doel Kar

Director

Doel is a Director at FRA’s New York office. She has been a practicing attorney for over 18 years with significant experience as a compliance officer. She has developed compliance […]

© 2021 The FRA group in the UK comprises Forensic Risk Alliance Limited (number 3895636) and FRA Solutions Limited (5863958). Both are limited companies registered in England & Wales, and have their registered office at 3rd Floor, Audrey House, 16-20 Ely Place, London EC1N 6SN. The term partner is used to denote senior employees of the limited companies. All rights reserved.