We have found that beliefs about managing data transfers can be broad and confusing since the EU General Data Protection Regulation (GDPR) was put in force in May 2018. Some believe no data transfers outside of the EU are allowed. Others believe that if you have a legitimate business reason to transfer data, and an agreement with the customer, it is simply business as usual. The real answer often lives in between.
We will walk through the GDPR requirements for processing personal data to help you envision how the GDPR data transfer rules may apply to your organization and your customers.
What data may be considered personal?
The GDPR applies to “in-scope” personal data. The GDPR defines personal data differently than some other regulations and standards. As you are likely aware by now, personal data in the GDPR definition includes any information that can directly identify a person (called a data subject), such as name, address, age, gender, etc. However, the GDPR expands personal data to include otherwise innocuous information, when a person can be indirectly identified by a combination of one or more of those factors.
What does this mean to your organization? Do you collect an identification number and a zip code on an individual? Do you collect a mobile device ID and a group affiliation, such as membership in a specific industry association or social group? Do you track clicks by users of your website and capture the IP address of the user? Do you track cookie identifiers? Have you asked how the user found your website? In these cases, the potential exists that you can identify a person by combining these factors. You need to assess the data you track holistically to determine whether, when gathered together, it rises to the standard of personal data under the GDPR.
What processes may be in scope?
The GDPR applies to what you do with the data, regardless of whether you are a data controller or data processor. The GDPR generally applies if you are processing personal data in the EU. The GDPR may also apply in specific circumstances if you are outside the EU and processing personal data about individuals in the EU.
The GDPR applies to both automated and non-automated processes. The GDPR also defines in-scope processes as those that form part of a filing system, or are intended to form part of a filing system, for personal data.
Your organization performs many processes. In evaluating whether you are processing personal data, consider all the processes that surround your business services. This can include data acquisition, upload, migration, transformation, analysis, storage, recovery and archival. Don’t restrict your view to only those organizational processes for the core business services that you provide.
What qualifies as a data transfer?
The GDPR applies to any transfer of personal data undergoing processing or intended for processing after transfer to a third country or to an international organization. In evaluating whether you are transferring that data to process it, consider all geographies where your processes are performed.
The GDPR restricts transfers of personal data outside the European Economic Area (EEA), or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies. These restrictions can include:
Sending personal data from inside the EEA – or making it accessible – to a receiver located in a country outside the EEA. (Consider even your “read-only” support model and geography when thinking about “making it accessible”.)
Personal data to be held on servers abroad. (Consider your disaster recovery and archival plans too.)
Emails or attachments sent to recipients abroad that contain personal data.
Transfers to another company within the same corporate group.
When can your organization transfer personal data as defined by GDPR?
All transfers of personal data are unlawful unless they fall within narrow exceptions. The following questions must be reviewed before attempting a restricted transfer:
Has the European Commission (EC) reached an “adequacy decision” about the country where the receiver is based?
Is the restricted transfer covered by “appropriate safeguards” (GDPR Article 46)?
Is the restricted transfer, or set of transfers, of personal data to a third country or an international organization covered by one of the following conditions (GDPR Article 49 – Derogations)?
1. Do you have the data subjects’ explicit consent to the restricted transfers after having been informed of the possible risks?
2. Do you have a contract with the data subject? And is the restricted transfer necessary for you to perform that contract?
▫ OR: Are you about to enter a contract with the data subject? And is the restricted transfer necessary for you to take the steps requested by the data subject to enter into that contract?
3. Do you have (or are you entering into) a contract with a data subject which benefits another data subject whose data is being transferred, and is that transfer necessary for you to either enter into that contract or perform that contract?
4. Are transfers necessary for important reasons of public interest or to protect an individual’s vital interests? (Be careful that this is truly in exceptional circumstances and a limited number of data subjects.)
5. Do you need to make the restricted transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim?
6. Do you need to make the restricted transfer to protect vital interests of an individual? (He or she must be physically or legally incapable of giving consent.)
7. Are you making the restricted transfer from a public register?
8. Are you making a one-off restricted transfer, and is it in your compelling legitimate interests?
How can your organization maintain effective GDPR data transfer practices?
It is not enough to evaluate the data that you process and establish appropriate data transfer practices. Plan how to manage change in your business. Continue to evaluate the implications of the GDPR on a regular basis, with a frequency based on the amount of change experienced in your organization.
As with all regulations, you will need to monitor the GDPR itself for changes and expansions.
Also, as announced in June 2019, the European Data Protection Board (EDPB) has plans to establish an accreditation or certification under the GDPR. You should watch how this certification evolves so you can get certified against the criteria applicable to you.
Be aware that countries can join or leave the EU or the EEA at any time. And new “adequacy decisions” can be made that add countries not in the EEA or the EU to the scope of the GDPR. Be proactive and remain informed of the countries in scope for the GDPR and for data transfers.
GDPR.eu is a resource for organizations and individuals researching the General Data Protection Regulation. It includes a library of up-to-date information to help organizations with GDPR compliance. The Information Commissioner’s Office is the UK’s independent authority for upholding information rights and is also an original source of current information about the GDPR.
Check also with your legal advisor to assess the specifics of your industry, geographic reach and circumstances.