As the GDPR and the Data Protection Act 2018 approach their 5-month anniversary it is crucial that businesses minimise risk by continually monitoring how the ICO implements the legislation and evolving compliance strategies accordingly.
This is the first of a series of articles keeping you up-to-date with the ICO's implementation activities and outlines next steps which in-house counsel should consider taking as a result. This month we take a look at international data flows.
International data flows
Under the GDPR international personal data transfers are restricted unless an "appropriate safeguard" is in place. Appropriate safeguards include:
- Adequacy decisions. Certain countries outside the EEA feature on the European Commission's list of countries that are designated as having adequate data protection frameworks in place to sufficiently protect personal data.
- Model Clauses. The most common alternative to an adequacy decision, businesses transferring personal data overseas may enter into a standard form agreement developed by the European Commission to legitimise the transfer.
- Some countries have in place protocols which may be relied upon to legitimise international transfers, e.g. the EU-US Privacy Shield protocol.
- Binding Corporate Rules. International group structures may agree a common code of conduct approved by the ICO for making intra-group data transfers.
The ICO is currently, in its own words, looking to 'prioritise international engagement on issues related to global privacy risks arising from the application of new technologies', under the 7th of their 8 Technology goals. We have seen various recent developments:
- The ICO reported on the European Data Protection Board plenary meeting in September, which focused heavily on cross-border data protection.
- The ICO's recently published Technology Strategy 2018-2021, which forms part of their wider Information Rights Strategic Plan for 2017-2021, also addressed international data processing.
You can find out more about these reports on the ICO's blog. This activity suggests that the ICO will be taking a closer look at organisations' basis for international transfers.
- The ICO has just published some new guidance. Ensure that you are up-to-date with the ICO's views on compliance.
- Review international data processing arrangements for GDPR compliance e.g. any international outsourcing, cloud hosting or subcontracting agreements and any intra-company agreements within an international group structure.
- Determine which of the appropriate safeguards listed above are in place to legitimise the international transfer and consider whether these safeguards come up to the standard identified in the ICO's guidance.
- Maintain records of the international data flows and the compliance strategies in place.