The Europe-wide General Data Protection Regulation (GDPR) comes into effect from May 2018. Over the past few weeks, we’ve looked at various aspects of the GDPR, as it will affect your organisation and your rights as an individual. This week, we look at transferring data outside Europe.
GDPR personal data: always make sure there are privacy safeguards
If an organisation has a large amount of data it wishes to process, it will sometimes consider outsourcing that task. For most organisations based in the UK, there are few times when they would transfer such personal data to third parties in countries outside Europe for such business purposes. It’s certainly not something that we do here at CAS. However, some organisations do transfer personal data, and it’s worth knowing your rights as an individual.
Transferring data outside Europe
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third-party countries or international organisations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined. (As with much of the GDPR, this strengthens and codifies the UK’s existing Data Protection legislation). The GDPR limits an organisation’s ability to transfer personal data outside the EU where this is based only on that body’s assessment of the adequacy of the protection afforded to the personal data. Ideally, transfers may be made where the European authorities have decided that a third country, a territory in that third country or an international organisation ensures adequate safeguards for the protection of data.
Individuals’ rights must be enforceable and effective legal remedies for people must be available in the country in question following the transfer. Some examples of ‘adequate safeguards’ include a legally binding agreement between public authorities or bodies, or binding corporate rules (such as agreements governing transfers made between organisations within a corporate group headquartered outside the EU).
For countries where the European Commission has made no ruling that there are adequate safeguards, personal data may still be transferred to those countries under certain specific circumstances. These include where the transfer is not being made by a public authority in the exercise of its public powers, involves data related to only a limited number of individuals, or is necessary for compelling legitimate interests of the organisation.
Transferring data: get consent and have a reason
As with other aspects of the GDPR, an individual’s consent is paramount. The transfer of data may be made where it is enacted with the individual’s informed consent, or is necessary for the performance of a contract between the individual and the organisation taken at the individual’s request. There are however exemptions for important reasons of public interest (for instance, sharing passenger name record information on transatlantic flights), or for the establishment, exercise or defence of legal claims.
An organisation must ask itself first whether it needs to transfer personal data abroad at all. For instance, it may be able to achieve its objectives without processing personal data at all, by anonymising the data. The UK’s data protection authority, the Information Commissioner’s Office (ICO) will be publishing guidance on the revised rules for data transfers (as it is doing with all things GDPR).
Our next GDPR blog will look at what to do if things do go wrong with data protection – and minimising the potential damage to your organisation if they do.
CAS is fully compliant with current data protection regulation, and we’re future-proofed for the new GDPR regime. Whether it’s our document storage or scan-on-demand services, we’ll keep your data safe and secure. And if you use our office removal and data disposal services, data protection is always a primary consideration for us. Call one of the CAS team now if you’ve got any questions about any of our services.
If you’d like to find out more about our document storage facilities, or our range of digitisation services, then please contact our specialist team on 0845 50 50 003, or email [email protected].
About Clarks CAS
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS have worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS has an impressive array of International certifications (ISOs), which prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to provide innovative systems on security, confidentiality and quality control in keeping your files safe and well managed. CAS, offering 20 years of secure document storage in London.