Oliver Price’s Weekly GDPR Blog #10 – Don’t Panic, Keep Calm and Export Data Overseas
This week I spoke to two animated business groups - Inspire Chambers of Commerce Elevate group and also the Goldman Sachs 10,000 Small Business Program Cohort 5 at Oxford University. Both groups asked about data transfers, that is when data that you are processing goes outside the UK. This can happen for a number of reasons, including as a result of cloud computer arrangements and so I explain the basics here.
Broadly speaking, data can be transferred outside of the UK safely and within the requirement of the GDPR. There are four circumstances where this can happen lawfully. First when the EU has made an “adequacy decision” in respect of the destination country, the second when the transfer is subject to appropriate safeguards, thirdly when the transfer is between members of a group of companies or enterprises who have adopted data transfer rules and fourthly, specific situations where derogations i.e. exceptions apply.
Adequacy findings have been made by the EU in respect of Switzerland, Andorra, Faroe Islands, Guernsey, Jersey, Isle of Man, Argentina, New Zealand, Uruguay. They also exist for Canada and the United States but those two countries are partial and there are exceptions for certain business sectors.
The GDPR states that appropriate safeguards can be provided by contractual clauses between data controllers or processors or by binding administrative arrangements made between government bodies.As for binding corporate rules, these need to be recorded and clear mechanisms properly supervised to ensure data is transferred safely.
A significant impact of these transfer rules is about cloud computing arrangements. I repeat the encouragement that I have made on all my courses to businesses to speak now with cloud service providers about the arrangements they have made for hosting data. This can provide reassurance in the case of cloud providers who have got their head round the GDPR and in certain cases that have come to my attention, contracts for hosting data have been brought to an end. All IT service providers need to be ready to prove that they are going to comply with the international data transfer rules and well in advance of the 25 May 2018.
Last updated 14/12/2017