International Transfers – GDPR

Organisations are increasingly operating on a global scale, and the international transfer of data is often an essential element of their daily business operations. Whether it be storing customer personal data in a cloud service hosted abroad or safeguarding employee records in another country, in today's digital landscape we are more connected than ever before.

The Data Protection Act says that:

“Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

The GDPR makes a clear distinction between countries outside the European Economic Area (EEA) with an 'adequate' level of protection of personal data and countries considered to have 'inadequate' levels of protection. Under the new legislation, the transfer of data to an 'adequate' country is fully permitted and legal, without the need for consent from a supervisory authority. Countries that the European Commission has placed in this bracket currently include Argentina, New Zealand and Switzerland, to name a few. For EU companies fortunate enough to be transferring data solely between 'adequate' countries, the necessary changes will be minimal; as anticipated, however, the list of adequate countries is currently limited.

For data transfers to 'inadequate' countries to take place, the GDPR sets out several possible safeguards that organisations can implement to ensure that the rights of data subjects are appropriately protected. Of these safeguards, the two best known are binding corporate rules and standard model clauses.

Binding Corporate Rules (BCRs) explained

BCRs are a mechanism whereby an organisation sets out its global policy on the international transfer of personal data within its corporate group, i.e. the protections of the country of origin apply across the organisation globally. While this is not a new concept, the GDPR is expected to offer more streamlined regulations, greater legal certainty and more information, so that companies are better equipped to understand what is expected of them. Under this legislation, companies will be subject to a more stringent approval process, coordinated by the Data Protection Authority in Europe.

It is important to note that the initial investment of gaining approval can be costly, both in time and in money. This is because companies must regularly prove their compliance through frequent data protection audits and data protection training for all personnel with access to personal data; a complicated process requiring heavy investment. For large multinationals, however, this is generally understood to be the most comprehensive way to comply with the GDPR's data transfer regulations.

Overall, BCRs are considered to be hugely beneficial. Not only are they likely to stimulate a privacy-aware culture within an organisation, but, provided they are drafted widely enough, they also allow for significant flexibility. It must be reiterated, however, that BCRs do not safeguard international transfers outside of the corporate group.

Standard Model Clauses explained

While BCRs apply only to data transfers within a corporate group, standard model clauses offer a solution to businesses that need to transfer their data externally to other organisations. Essentially, Standard Model Clauses are contracts approved by the European Commission that can be adopted for the transfer of personal data.

While such clauses already exist today, the GDPR introduces the possibility for local DPAs to draft model clauses. To validate these Model Clauses, a signature is required from both the organisation sending the data and the organisation receiving it, on the assumption that the data importer can comply with the provisions stipulated in the agreement. It is therefore suggested that Model Clauses are not used by larger organisations, as they often impose heavy administrative tasks and offer little flexibility.

These Model Clauses are expected to form part of a certification scheme and to provide a simple way for companies to ensure that they comply with the GDPR. Significant concerns have, however, been raised as to whether Model Clauses can sufficiently protect personal data. Considering the rapidly changing environment in which businesses operate today, companies are therefore advised to be ready to adapt if needed.

Alternative Solutions

While BCRs and Standard Model Clauses are currently the most common solutions for international data transfers in compliance with the GDPR, it is essential to note that other solutions are available. In brief, these include:

Approved certification mechanism – a method of demonstrating that a company complies, by showing that it is implementing technical and organisational measures. These are intended to allow individuals to quickly assess the level of data protection.

An approved code of conduct – codes of conduct may be created by trade associations or representative bodies. While signing up to a code of conduct is not obligatory, it is a suitable method of demonstrating that a business complies.

Ad-hoc contracts – contracts approved by a competent supervisory authority.

Derogations – exemptions from the GDPR made necessary for legal claims or defences.

Self-assessed adequacy – a situation in which the business will need to satisfy itself that there is an adequate level of protection for the rights of the individual whose personal data is being transferred. Several factors must be considered when making this decision.

While international data transfer in compliance with the GDPR may appear to be heavily administrative, it is generally accepted that it will have a positive impact on organisations. We can conclude that large organisations with a complex web of processing activities may be more likely to opt for BCRs, given their global reach and additional legal certainty. Alternatively, organisations with a more limited network of international transfers may choose to adopt model clauses.

Next month we will be providing insight into the enforcement aspects of the GDPR. If you would like to discuss the GDPR further, please get in contact with us via: cyber@safeonline.com