US data transfers... are they allowed? Well. Yes. It depends. ...it’s complicated.
Let’s get stuck in and I’ll explain all. In July this year, the EU Commission made an adequacy decision for the new EU-US Data Privacy Framework (DPF). This can be seen as Safe Harbor 3.0. Essentially, in most scenarios, data transfers from the EU to the US are now permitted without the need for other mechanisms such as Standard Contractual Clauses (SCCs).
Even before the Commission made this decision, activist organisations were strongly lobbying against it and warning that they would look to take the matter to the European Court of Justice (CJEU). Many, including a sizeable portion of MEPs, argue that the changes to safeguards surrounding intelligence access to data in the US have been minor and thus the privacy landscape does not afford adequate protection. However, in reality, there are material improvements in place so there is a distinct possibility that this time around, the system weathers the inevitable judicial action.
In the event that the CJEU agrees with the activists, a number of transfers made between now and the time that decision is reached will effectively have been unlawful. It is likely that, in that scenario, a grace period will exist for existing activities while people work on implementing an alternative mechanism or bringing the processing back to the EU.
To avail of the mechanism, US businesses are required to self-certify. This means that it is not a scheme that applies by default; it requires a certain amount of work both on the US side of the transfer and on the EU side, where the certification needs to be checked. You can find more info about that here.
The short answer: it’s all about state access to data. It’s no secret that US intelligence powers are robust and that many would wish to see greater safeguards and judicial oversight. However, these powers are not all that different from current or draft laws in place in a number of European countries. The new DPF relies on assurances from the US, which are backed by an executive order, that their intelligence powers will only be used in exceptional circumstances and that there are safeguards in place to prevent overreach. As part of this, a redress mechanism has been established. Only time will tell how effective these changes and assurances are.
After the release of a number of statements about US data transfers, the UK government finally adopted the UK-US Data Bridge in October 2023. So, what does it mean for UK transatlantic data flows?
Well, the Data Bridge is essentially an adequacy decision adopted by the UK Government. It allows UK organisations to transfer individuals’ personal data without making extra efforts. It is affirmed as an extension of the EU-US Data Privacy Framework, under which US companies commit to specific privacy rules when dealing with the personal data of EU individuals. As a result of the Data Bridge, the same rules apply when they receive the personal data of UK individuals. So, US companies certified under this framework can easily and securely get data from the UK. But it is important to note that not all US organisations fall under the UK-US Data Bridge. Only US companies that are certified and within the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are covered. Companies which do not fall under this scheme can still rely on the existing safeguards of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
An interesting note whilst I’m here: the UK-US Data Bridge does not provide several rights that are in the GDPR: the right to be forgotten, the right to withdraw consent, and the rights in relation to automated decision making and profiling. All of which means that it doesn’t offer a similar level of protection to data subjects as that granted by the UK GDPR.
There is no blanket ban on data transfers from either the EU or UK to the US, and under GDPR, there never has been. There are a number of approaches to enabling transfers to the US, the most commonly used being the Model Clauses (EU SCCs, the UK International Data Transfer Agreement (IDTA), or SCCs with the UK Addendum) and now the EU-US Data Privacy Framework and the UK-US Data Bridge. Following the Schrems II case, these remain valid but require some additional safeguards such as encryption, security procedures, etc.
Another key route is the use of Binding Corporate Rules (BCRs). BCRs remain burdensome to gain approval for and for most businesses are out of reach. The time from commencing the journey to adoption and receiving approval is generally measured in years. While they are considered by regulators such as the ICO to be the gold standard, they require a hefty investment of time, work and money. Throw in the need to go through the process not only with the UK authorities but the EU ones as well for those businesses operating in both the UK and EU, and you can see why for the overwhelming majority of businesses, the benefits of eased data flows are insufficient to recoup that investment.
To make things more complicated, in some jurisdictions and for certain data in specific sectors, SCCs were not considered sufficient by the local regulators even with additional safeguards. For instance, some effectively banned US-managed (even with EU storage) cloud applications for the management of children’s health data. In other cases, optional processing such as analytics required consent where such data would be accessible from the US.
Do you? That sounds like a flippant response, but in all seriousness, the first thing to check is whether it’s actually necessary for your business objectives. The answer to this question is probably going to tell you which compliant mechanism is most appropriate as well. For instance, if it’s a one-off to help out a former employee that’s moved to the US, an Article 49 derogation might be more appropriate. For the long-term use of a data processor, often one where a comparable service is not available domestically, they may already have BCRs in place, otherwise either SCCs or IDTA would likely be the more relevant approach. And if the answer is that you can achieve the objectives without making the transfer, it’s unlikely that the benefits would outweigh the extra risks.
For now, it’s advisable to be open to questions on the safeguards in place, the use of model clauses such as SCCs, and consider updating terms and paperwork to reflect the adequacy decision for EU customers. If you operate globally with large volumes of customers and of their data, you may wish to consult a privacy expert to help you to consider whether BCRs may be a good fit. These may be used to facilitate transfers to other operations globally (with a few exceptions due to sanctions and conflict). For instance, if you are headquartered in New York but have significant operations in Hong Kong, Dubai, Paris, London, and Sydney, BCRs could help you remain compliant while working seamlessly across borders.
If you’re processing (either as a controller or processor) personal data relating to people in the EU, it would certainly be advisable to read up and get more detailed advice on how to self-certify under the scheme. More information can be found on the US Government’s website for the scheme.
To circle back to my slightly facetious intro, EU-US transfers and UK-US transfers are now easier than they were before, but it’s unknown for how long that will be true. You can still transfer data to the US, but doing so in a compliant way still requires some paperwork and, in some sensitive areas, sometimes consent.
Even though organisations using the UK-US Data Bridge are exempt from the adoption of standard contractual provisions, the UK addendum, and International Data Transfer Agreements... they still need to implement additional changes to allow the transatlantic flow of data. They must make sure that the US entity receiving the data is both a current participant in the DPF list and has signed up for the UK extension to the EU-US Data Privacy Framework. And when dealing with the transfer of HR data, it's essential to ensure that the organisation's DPF commitments explicitly cover HR data.
When making international transfers, it’s important to make sure that your paperwork is in order. This will include your Records of Processing Activities (RoPA), internal data protection policy, any contracts and agreements involved, your privacy notices, and potentially a few others too. And nothing in SCCs, BCRs or the UK-US Data Bridge gets you off the hook for doing your basic supplier due diligence.
Easy, right? Okay maybe not. If you have any questions, concerns, or doubts about these, check with your Data Protection Officer. If all of this sounds interesting but you’ve no idea what it all means, then I recommend you talk to an expert straight away. It might even be me you get.
Thanks to Rebecca Bada and Isha Mishra for their help in creating this article
Richard is a seasoned senior GDPR and data protection consultant who uses his experience in GDPR compliance to write with passion and insight on GDPR and data protection. Heading up Bulletproof's GDPR team, he makes sure that our services and individual data protection consultants are all at the top of their game.