The United Kingdom (UK) Information Commissioner's Office (ICO) has published an update to its guidance on international data transfers from the UK to other jurisdictions, with immediate effect. The updated UK guidance includes new sections that apply to international transfers from the European Economic Area (the 27 EU member states plus Iceland, Liechtenstein, and Norway).
In this post, we briefly discuss some of the newly introduced sections of the guidance to help build a better understanding of them; companies are advised to abide by them.
- Determine the Legal Basis for Data Transfer
Businesses must first establish the legal grounds for transferring personal data outside the EU. This may include fulfilling a contractual obligation, complying with legal requirements, or serving the business’s overriding legitimate interests.
- Obtain Consent
In some cases it may be necessary to obtain the explicit and unambiguous consent of individuals before transferring their data outside the EU. For instance, consent is typically necessary for sensitive data, such as health or financial information.
- Utilize an Approved Data Transfer Mechanism
There are several approved mechanisms that businesses can use to transfer data outside the UK, including standard contractual clauses (SCCs), binding corporate rules (BCRs), and codes of conduct.
Certain countries, such as Canada and Japan, have been recognized by the EU Commission as providing a level of data protection equivalent to EU standards. Selecting the appropriate transfer mechanism should be based on the specific circumstances of the data transfer.
- Risk Assessment
Before transferring any personal data outside the UK, businesses must assess the risks associated with the transfer by carrying out a Transfer Impact Assessment (TIA). A TIA is a critical step in the process of transferring personal data outside the UK. It involves analysing the potential risks associated with the transfer and determining the appropriate measures to mitigate those risks, if any.
This includes evaluating the laws and practices of the destination country, the type of data being transferred, and the potential impact on individuals, including any additional protections that may be needed.
It is worth noting that an organization is not obliged to carry out a TIA (referred to in the ICO guidance as a transfer risk assessment, or TRA) when the transfer is to a country covered by the UK's adequacy regulations, or when the transfer is covered by an exemption. An example of such an exemption is an emergency situation in which someone's life, physical or mental health, or well-being is at serious risk, and the consent of the person the data is about cannot be obtained because they are unable to give it.
- Implement Adequate Safeguards
If the Transfer Impact Assessment (TIA) identifies risks related to the data transfer, businesses must put in place suitable safeguards to protect the data. These may include standard contractual clauses, technical measures like encryption, or organizational controls such as restricted access rights.
- Establish Data Processing Agreements
When transferring personal data to a third party outside the UK for processing, it’s crucial to establish an international data transfer agreement or a data processing agreement (DPA) that clearly defines the responsibilities and obligations of both parties. If using Standard Contractual Clauses (SCCs) as the transfer mechanism, these contain all necessary provisions for compliance, making additional agreements unnecessary.
- Keep Individuals Informed
Individuals have the right to be informed when their personal data is transferred outside the UK. This includes details about the destination country, the purpose of the transfer, and the safeguards implemented to protect their data. Typically, this information is provided through privacy notices on websites or apps.
- Conduct Regular Reviews
It is crucial to regularly review and monitor transfers of personal data outside the UK, and the regulations governing them, to ensure that the transfers remain compliant with EU data protection laws. This means re-assessing the risks, the appropriateness of the transfer mechanism, and the effectiveness of the safeguards in place.
It also means staying up to date on developments in EU data protection laws and guidance from the EDPB, as these may have an impact on the transfer of personal data outside the UK. If any gaps are revealed during the reviews, policies and procedures should be updated immediately to implement the necessary changes.
Conclusion
By following the steps discussed above, businesses can ensure that their data transfers outside the UK are conducted in a manner that protects the personal data of their customers as well as their employees and complies with EU data protection laws.
Feel free to contact us for a free consultation on data transfer and protection. We offer other services ranging from real estate, drafting data processing agreements, family law, immigration, and anti-money laundering to a host of others.
We at eLegal Consultants are ready to journey with you to actualize your dreams. Contact us today.