International Data Transfers
The digital age presents plentiful opportunities to grow your business, but that exciting new partnership you’ve entered into could be negating all the hard work you’ve already done to ensure GDPR compliance.
The EU General Data Protection Regulation (GDPR) is in full force and you’re fully confident that you’ve done everything necessary to ensure complete compliance. Now, with data protection integrated into the very heart of your day-to-day operation, you’re once again free to do what you do best: explore and implement new opportunities to take your business to the next level. In today’s digital economy, that may mean investing in cloud services to improve efficiency and lower costs, or outsourcing certain services necessary to the growth of your business. Yet by doing so, you could unwittingly be in breach of core aspects of GDPR surrounding international transfers.
The good news is this:
It is entirely possible to make the most of cloud-based and non-EU services whilst still ensuring frictionless compliance with GDPR. As experts in overseas data processing, Relentless Privacy and Compliance Services have helped scores of UK businesses to do just that. Here, we explain why that profitable new partnership may be putting your compliance at risk and look at the safeguarding measures needed so that you can use third-party services to their full potential without compromising compliance.
Third-Country Partnerships: What’s the Problem?
In this day and age, it’s hard to find an essential business service that can’t be delivered entirely via the cloud, whether it’s data storage and website hosting or task-oriented solutions such as marketing, human resources or accounting. Whilst the benefits of migrating to such services can’t be overstated, in most cases doing so almost inevitably means transferring at least some customer or employee data to a third party. It could be that you use cloud-based productivity tools to work on customer databases or spreadsheets, upload marketing lists to online email marketing tools, or use a cloud-based company to process employee records. Whatever the case may be, it will often be that this third-party provider is based in a country outside the EU, usually, though not always, in the United States.
How Does This Impact GDPR Compliance?
The GDPR places restrictions on transferring personal data outside the EU to third countries or international organisations. Article 46 of the GDPR states that:
“A controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
In other words, if you’re working with, or paying for the services of, a company outside the EU and no measures are in place to ensure that any personal data you transfer is protected to the same high standards imposed by GDPR, you could find yourself facing some serious fines.
What Safeguards Need to Be In Place for International Data Transfers?
Fortunately, the guidelines offer a number of solutions for creating the required data protection safeguards. According to the Information Commissioner’s Office (ICO), which oversees GDPR compliance in the UK, these include:
- Legally binding agreements between public authorities or bodies
- Binding corporate rules (agreements governing transfers between organisations within a corporate group)
- Standardised data protection clauses in the form of template transfer clauses
- Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission
- Compliance with an approved code of conduct approved by a supervisory authority
- Certification under an approved certification mechanism as provided for in the GDPR
- Contractual clauses authorised by the competent supervisory authority
- Provisions inserted into administrative arrangements between public authorities or bodies, authorised by the competent supervisory authority
Let’s be honest, that can be a lot to get your head around, but things aren’t necessarily as complicated as they seem. Below, we’ll look at three possible options for ensuring frictionless compliance with GDPR when dealing with overseas data transfers.
The EU-US Privacy Shield
First enacted back in July 2016, the EU-US Privacy Shield is a set of seven key privacy principles augmented by 16 equally important supplemental principles. Together, they govern the way that participating organisations collect and process personal data from EU subjects, as well as adequately protecting the data rights of EU citizens. Though organisations aren’t obligated to sign up to it, those who do are legally obligated to comply with it, with the US government declaring:
“Once an organization publicly commits to comply with the Privacy Shield Principles, that commitment is enforceable under U.S. law.”
The best part of this is that the Privacy Shield does provide adequate safeguarding measures for data transfers to US companies, as it adheres to many of the same principles as GDPR, including, but not limited to:
- Using data only for its intended purpose and only by those individuals for whom such use is absolutely necessary
- Using reasonable security measures appropriate to the level of risk involved
- Keeping data only for as long as is necessary
- Providing adequate processing notices.
Third Country Adequacy Arrangements
So far, so good, but what about services hosted by countries outside of the United States? That’s where third country arrangements, often referred to as adequacy decisions, come into play.
Under Article 45, the European Commission has the authority to determine whether or not a non-EU country provides an adequate level of data protection, either via its own domestic legislation or via any international commitments it enters into. So far, the Commission has recognised the following countries as having the necessary protection in place:
- Canada (for commercial organisations)
- Faroe Islands
- Isle of Man
- New Zealand
- USA (restricted to Privacy Shield adherent organisations).
This arrangement serves as a sufficient safeguard, meaning that data can be transferred between your EU-based business and organisations in any of the above countries.
The ICO offers full details on Model Contract Clauses and the best ways to implement them, though if you’re still unsure about how to do so, we can help.
Relentless Privacy & Compliance are the UK’s leading experts on managing due diligence for overseas data transfers. Offering a range of bespoke solutions, we empower you to make the most of the wealth of business development opportunities presented by the digital economy whilst still ensuring frictionless compliance with GDPR.