23 May 2017

Data privacy: Transferring data outside the EEA

If you share personal data about individuals in the EU with recipients outside the EEA, you should be aware of the changes to data protection law that take effect in May 2018.

The General Data Protection Regulation (GDPR)

Business leaders should be aware of the upcoming changes to data protection law from 25 May 2018, when the EU’s General Data Protection Regulation (GDPR) comes into force. If you transfer personal data about individuals in the EU to recipients outside the EEA, this is an area you should be thinking about now, particularly as the penalties for non-compliance after May 2018 will be up to 4% of worldwide annual turnover or 20 million euros, whichever is higher.

These rules do not only apply when you share data with a third party, such as an outsourced service provider or a cloud provider. You also need to consider the international transfer rules when information moves within your own organisation but outside the EEA, for example if you are part of a multinational group that holds data on UK individuals on servers in the US.

Understandably, many of our clients are concerned about the new rules and what they mean for their business, with some saying that they ‘cannot transfer data outside the EU’ because of ‘data protection’. However, the rules are flexible, and as long as you understand and apply the principles behind them, most data transfers remain possible. The key is to protect the data you control, wherever it is transferred to, so that it continues to enjoy the standard of protection the GDPR requires.

What do you need to do to comply?

The European Commission has decided that a number of countries already have an adequate level of data protection in place (an ‘adequacy decision’). Transfers to these countries need no further authorisation or safeguard beyond complying with the GDPR itself. What do you do if you want to transfer data to a country that does not have an adequacy decision?

In this situation, the GDPR requires ‘appropriate safeguards’ to be put in place, and there are a number of ways to provide them. One common approach is to adopt ‘Binding Corporate Rules’, which are personal data protection policies enforced between a defined group of organisations and approved by the competent supervisory authority (the Information Commissioner’s Office (ICO) in the UK). Another is to include the Commission’s standard contractual clauses (often called ‘model clauses’) in the contract with the recipient. A third is to transfer only to organisations that comply with an approved certification mechanism or code of conduct. For transfers to the US, the EU-US Privacy Shield serves a similar purpose: it recognises US organisations that have self-certified to its privacy principles as providing ‘adequate’ protection. In addition, the GDPR sets out a range of specific circumstances in which an organisation may transfer personal data outside the EEA without any of these safeguards. One of these is to inform the data subject of the possible risks of the transfer and obtain their explicit consent to it.

The ICO’s own guidance states that excessive caution can be as harmful as carelessness. Compliance with the GDPR is about protecting the interests of the people whose data you hold, not about restricting how you do business or how you operate and provide services to those people. Careful consideration of the data you hold, how and where it is stored, who you share it with and how you protect the interests of the data subjects will often be enough to let you comply with the GDPR and use the data in a way that benefits your company as well as the data subjects.

If you have any questions or concerns about your compliance with these new data protection rules, please do not hesitate to get in contact and we will be happy to put your mind at ease.