GDPR Countdown: Overseas Movements And Third Countries
GDPR changes the nature of who is deemed appropriate to receive data with regards to third countries. Data controllers and processors are deemed to have to abide by restrictions hence the reason you have received hundreds of emails from every cloud-based company looking to offlay their responsibilities back to you and your business (which, by the way, they can’t, but want you to think they can).
Like the passporting regime, it is the EU that determines who are the appropriate countries.The list therefore looks much like the scoring at the Eurovision Song Contest with the ridiculous situation that sending data to Argentina (Spain wanted it) is fine but sending to Australia or the US (UK wanted it) isn’t. The US has had two different attempts to address this concern; Safe Harbor(sic) & Privacy Shield. Safe Harbor failed and it looks as if Privacy Shield is about to go the same way. Not to worry though, all of this is unnecessary as long as you know how to establish your own adequacy. If only the industry could be given the same opportunity with passporting!!
Data is and always was global and available but now it isn’t? As data controllers and/or processors we have a duty to make data secure and to follow regulations but for who, where and when. The best to establish this for our own uses is to look at where data flows to and address each movement. These break down into 3 main categories.
1. Data you collect in the European Economic Area (EEA) and associated approved countries. The EEA countries are currently the EU countries plus Iceland, Liechtenstein and Norway. Include in this countries or dominions that have adequate coverage and protection according to the EU commission (2nd countries). These are Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
2. Data you collect in the EEA and need to use outside (3rd countries)
3. Data you collect outside the EEA and may or may not process in the EEA
How to Navigate the New World
If you collect it and retain it and it never leaves these countries, you know to follow GDPR and you must make sure everyone you send to as a data processor also follows the rules of GDPR. If you collect it in the 2nd countries and send it elsewhere you don’t have to follow GDPR, but as this is best practice and its easier than running two operating models our advice would be to do so.
This is the area that most seem to be concerned about but can be mitigated very easily, if the rules are understood. There are two methods to apply - either contracts or Binding Corporate Rules (BCR) (we will discuss those and the most appropriate usage later). Bear in mind that if you are sending something between two countries in section 1, and the data passes (without being manipulated) through a country not in section 1, this isn’t considered transfer outside; it will be considered as remaining within.
If you collect it outside, it is not covered by GDPR. It does not matter if it is about any EU citizen. (this is probably the biggest scope mistake). If you then send it into the EEA it will be the responsibility of who receives it to follow the rules, as it will become data residing inside the EEA and the duty will be to process it lawfully. If you send it elsewhere then you are good to go, following the rules of the country you are in. The way data privacy legislation is being adopted, you will most likely find a large part of the GDPR and or Data Protection Bill (UK) will be adopted elsewhere. But be advised, it is best to think about one model for the future.
Methods of Transferring Outside
The most appropriate way is to have contracts between your organisation in the section 1 country and the other country. This will clearly state that the data sent from inside will need to be handled in the same way as if it is still inside i.e. compliant with GDPR. That means paperwork and lots of it again. Our suggestion would be to have a contract that everyone outside adheres to. If you are a business who has a head office in a third country, you will most likely be consolidating data outside. If this can be anonymised, do so, if it cannot (HR data for example), then the best way to do so is through contract.
This also works for third party contracts on a peer to peer basis. If you wish to deal with third parties outside your organisation you can use this method too, or you can adopt
Binding Corporate Rules.
BCRs are more effective when being used amongst collectives rather than a single organisation. Think of them as a standard that everyone will set and maintain between many companies rather than individual contract between your company and another. If you are involved in joint enterprise, joint marketing, consolidation, BCRs will be best used to give everyone a framework and make sure everyone understands their collective obligations.
“A data controller may only transfer personal data outside the EEA to a country whose data protection laws have not been approved by the European Commission as providing adequate protection for data subjects’ rights if there is an adequate level of protection for the rights of data subjects.”
The adequacy of the level of protection associated with a particular transfer may be ensured in a number of ways. The data controller can carry out his own assessment of the adequacy of the protection; or rely on one of the exceptions to the prohibitions on transfers of personal data outside the EEA. But most importantly, by setting up contractual obligations or BCRs and conducting a DPIA assessment your business can send data anywhere it wishes. It is important to recognise that you must maintain this, ensure it’s compliant and undertake audit/due diligence regularly. If it’s your head office, for example, you need to make sure that they agree not to send the data on elsewhere without approval or contractual basis.
Your business needs to maintain control.
The standards based Privacy Shield was a US attempt to create a standard for US companies that they could adhere to, so they wouldn’t need to have everyone conduct a DPIA every time they wanted to engage with a US company, but as one can see from my above descriptions of process it is deemed by most as overkill and as the EU changes its rules all the time, especially when dealing with the dreaded USA, it is difficult to adhere to.
The best thing to do with data collected anywhere is keep it where it is, but the fact is that this isn’t very practical, doesn’t aid efficiency and will likely increase costs. If it doesn’t need to move outside don’t do it unless the benefits outweigh the costs. As always, documentation is the key to success, but this doesn’t help maintain compliance, it only establishes it. Automation and transparency is once again the best way to monitor and maintain compliance. Evidence and control can be best established by connecting all components in your data flow within this. Most important for your business is to recognise the days of bulking up data and sending just in case are a thing of the past. Treat your personal data as separate, and distribute with care; and most of all, use the contract process effectively. Taking the decision yourselves always works better than allowing the authorities to decide.