TikTok, the Chinese-owned video-sharing app, has been facing much scrutiny from authorities within the US, and the UK for how it manages data transfers and access privileges. This comes to light as the platform disclosed to users that employees in China have access to data in the EU and UK. The news of such practices sounded the alarm of the FCC, the UK parliament, and global watchdogs with the fear of data being accessed by the Chinese government.
TikTok’s Approach to Data Protection
In a recent BBC article, Elaine Fox, Tik-Toks European Head of Privacy, said, “We allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States remote access to TikTok European user data.” This statement has undoubtedly sounded the alarms surrounding data protection best practices for data access and cross-border data transfers.
But Ms. Fox has also stated, “Our efforts are centered on limiting the number of employees with access to European user data, minimizing data flows outside of the region, and storing European user data locally.” She also mentioned that TikTok’s approach was “subject to a series of robust security controls and approval protocols and by way of methods that are recognised under the GDPR (General Data Protection Regulation).”
The Right Method for Compliance
Since 2018, organizations have been tasked with following strict data protection requirements necessary for compliance with GDPR (General Data Protection Regulation). Specifically, Chapter 5, Article 44-50 covers the management of data transfers, such as general principles, adequate basis, safeguards, and international cooperation.
While GDPR Article 32 requires businesses to implement organizational and technical measures to ensure a high level of data risk security, which includes explicitly incorporating appropriate access control measures. In this case, access control guarantees that employees’ identities are validated and that the user has appropriate access to company data.
The current approach for TikTok is a suitable method for resolving issues with data protection as it relates to meeting the requirements for managing data transfers and the implementation of data access controls. The methods defined by Ms. Fox align and should be recognized by GDPR as a data protection strategy to combat potential privacy risks. Still, with an audit, it would be easier to assess TikTok’s level of compliance.
How Can BigID Help with Data Transfers and Access Controls
BigID enables organizations to meet regulatory expectations and manage data protection with an automated, scalable approach to discovering, classifying, and collecting all personal information. Extensive data discovery that inventories all data across the entire IT landscape is critical to aligning data to regulatory policies for data privacy and protection. With BigID, organizations get the following:
- Deep Data Discovery: BigID helps to build a cohesive data inventory to discover, map, and classify data to better prepare for regulatory audits.
- ML-based Data Access Management: For complete compliance, BigID helps mitigate risk with significant open-access requirements to remediate file access violations across data environments.
- Validated Data Transfers: Create policies and assign residency to data sources and individuals’ data to enforce data residency requirements and monitor and alert on data transfers.
- Effective Remediation: BigID helps to define the remediation actions to provide audit records with integration to ticketing systems like Jira for seamless remediation workflows.