February 1, 2023
As part of an interconnected and rapidly changing global market, your company very likely needs to send personal data abroad to carry out its daily business activities. Under the UK GDPR, many of these transfers count as a 'restricted transfer' and need a lawful basis of their own. This article sets out what you need to check before sending personal data outside the UK under the regulation:
Is the data transfer you are making a restricted transfer?
If your company is sending personal data that is covered by the UK GDPR to a receiver located in a country that is not covered by the UK GDPR, you are making a restricted transfer. This is still the case if the receiver is a legal entity separate from yours, even one in the same corporate group: a subsidiary or parent company abroad is a separate receiver.
If, however, you send personal data to one of your own employees who is working in another country, this is not a restricted transfer, because the data has not left your organisation. The same applies where the data merely passes through another country in transit without being accessed there.
Is the country you are transferring personal data to covered under adequacy regulations?
An adequacy decision means that the country or territory you are transferring data to has been assessed as offering a standard of data protection, and a legal framework to enforce it, that is essentially equivalent to that of the UK GDPR. In these cases you do not need to put any further safeguards in place and can transfer personal data to that territory freely, although the rest of the UK GDPR (lawful basis, transparency, security and so on) still applies to the processing as normal. An adequacy regulation is the legal instrument, made by the Secretary of State under the Data Protection Act 2018, that sets this finding out in law.
The UK currently has adequacy regulations for a number of countries and territories. Some are full adequacy decisions, covering all transfers to that territory; others are partial, covering only certain sectors or types of organisation (for example private-sector organisations only). Because the list changes as new regulations are made, check the ICO website for the current list before relying on adequacy for a transfer.
What happens if the country I am transferring personal data to is not on that list?
This is where you are expected to put in place one of the 'appropriate safeguards' in Article 46 of the UK GDPR, which allow you to transfer personal data to a territory outside the adequacy list.
The safeguards available to you are as follows:
1. Legal instruments made between public bodies that contain ‘appropriate safeguards’
Whilst the UK GDPR does not define what a public body is, the term usually describes governmental bodies that carry out functions in the public interest. To count as an 'appropriate safeguard', the instrument must give individuals whose data is transferred 'enforceable rights' and 'effective remedies'.
This route is easiest where the destination country already has legally binding, enforceable instruments of this kind in place with UK public bodies. Not every territory will, so this safeguard may not be available for your chosen destination, and it is only relevant where both sender and receiver are public bodies.
2. UK Binding corporate rules (UK BCRs)
UK BCRs are internal, legally binding codes of conduct that apply across a multinational corporate group. Larger corporations more commonly adopt binding corporate rules (BCRs) because they are designed for international transfers between separate entities within the same group and so suit global businesses.
BCRs are recognised internationally as a high standard of compliance, and they adapt well to the changing needs of a group. They are a good way to evidence accountability and, once approved, can cover many transfers and purposes.
The drawback is a demanding approval process: limited regulator resources can delay approval, and BCRs are more technical than standard contractual clauses, so they require sufficient internal resources (typically a dedicated privacy function) to draft, implement and maintain.
3. Standard Contractual Clauses (SCCs)
The most common safeguard for SMEs is standard contractual clauses (SCCs): contracts whose wording has been approved in advance by the regulator, so that a sender and receiver can sign them without negotiating the data protection terms themselves. Before Brexit, UK organisations relied on the EU's SCCs. Since 21 March 2022 the ICO has issued its own versions: the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum, which bolts onto the EU SCCs. New contracts entered into after 21 September 2022 must use the IDTA or the Addendum, and contracts still relying on the old EU SCCs must be migrated by 21 March 2024. Whichever form you use, the clauses must deliver 'essentially equivalent' protection to the UK GDPR in practice, which is why they are paired with the transfer risk assessment described below. The ICO provides a tool to help SMEs decide whether this is the right safeguard for their organisation.
The clauses are largely standardised and can be used without significant amendment. They are pre-approved, relatively straightforward to put in place and suitable for one-off transfers as well as ongoing ones.
Standardised wording also has drawbacks: it is hard to adapt the clauses to a specific transfer or to the evolving needs of the company, the importer may fail to observe them in practice, and, where a transfer is also subject to the EU GDPR, some EU member states impose further administrative requirements.
4. Bespoke contractual clauses authorised by the ICO
A contract between your organisation and the receiving entity, drafted specifically for the restricted transfer, which must be authorised by the ICO before it can be relied on.
This allows the protections to be tailored to your organisation's needs and to the particular data being transferred.
A bespoke contract requires more resources: it must be drafted so that it is legally enforceable, it must meet all the criteria the ICO sets out, and it must go through the ICO's authorisation process, which takes time.
Full information on the pros and cons of each safeguard is available on the ICO website.
Perform an Impact Assessment before making restricted data transfers
When you rely on an Article 46 safeguard, the ICO's guidance requires you to carry out a transfer risk assessment (TRA). In it you must satisfy yourself that the safeguard you have chosen actually protects your data subjects' personal data once it is in the destination country, taking into account that country's legal framework (for example, whether local authorities can compel the importer to hand over data in a way the contract cannot prevent). The ICO has published a TRA tool to structure this assessment.
If the assessment shows that the safeguard you have chosen is not adequate on its own, you may add supplementary measures rather than abandon the transfer. These can be contractual, organisational or technical; a common technical measure is strong encryption of the data with the keys kept under the control of the UK exporter, so that the importer cannot read the data even if compelled to disclose it.
How Privasee can help
The Privasee platform can help you store and map your organisation's data so that you know exactly what data you hold, how long you have held it and who it relates to. This helps you understand where your data is located and flags issues in your data storage that you should be aware of. It also makes international data transfers simpler: knowing what data you hold and where it is located lets you identify the data that needs to be transferred elsewhere, whether within the UK or internationally. The platform can also help you keep track of the safeguards you are using for these transfers and identify which one might be best.
Are there any exceptions?
If the restricted transfer is not covered by an adequacy regulation or an appropriate safeguard, you will need to consider the 'exceptions' in Article 49 of the UK GDPR, which still allow a restricted transfer in limited cases. They include transfers that are:
made with the individual's explicit consent, after they have been told of the risks
necessary to perform a contract with the individual, or one made in their interests
necessary for important reasons of public interest
necessary for legal claims
necessary to protect someone's vital interests where the individual cannot consent
made from a public register
necessary for compelling legitimate interests (one-off transfers only)
These exceptions are interpreted restrictively: they are meant for occasional transfers, not as a substitute for a safeguard for routine data flows. The compelling legitimate interests exception in particular is a last resort, is limited to transfers that are not repetitive and concern only a limited number of individuals, and requires you to inform the ICO of the transfer. Further information on each exception is available on the ICO website.
We hope this article helps you understand what is expected of your organisation when you make an international transfer and simplifies some of the concepts set out by the ICO. Full guidance on conducting international transfers, including the IDTA, the Addendum and the TRA tool, can be found on the ICO website.
Privasee does not hold the above article to constitute legal advice in any form.
Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.