Countdown to GDPR #6: Data Transfers

To prepare for the upcoming GDPR we’re doing a series of blog posts about key regulations and ways to be compliant with them. GDPR is closing in, and we’re close on its heels, having crossed the halfway mark on our GDPR Countdown. At #6 we examine the GDPR’s impact on Data Transfers.

The Chapter Explained

An entire GDPR chapter is devoted to Data Transfers to “third countries or international organisations” — those outside of the European Economic Area (EEA).

Here’s a quick summary:

  • Chapter 5 of the GDPR, ‘Transfers of personal data to third countries or international organisations’, lays down the conditions for data transfers: they are allowed only if “adequate levels of protection” (Article 45(3)) and “appropriate legal safeguards” (Article 46) are ensured, as deemed by the GDPR.
  • Article 47 of the GDPR also lists “binding corporate rules” that must be approved for intra-company data transfers.
  • In the absence of an adequacy decision, or of appropriate safeguards, derogations are permitted in special situations, such as explicit permission given by the data subject.
  • Transfers in violation of the Regulation attract hefty monetary fines.

How do I Achieve Compliance?

Organizations that have global teams or databases, or IT services that are remote, online and/or cloud-based, will need to ensure that their data transfer mechanisms are compliant with the GDPR. In the increasingly global enterprise, that could mean most of us will be impacted, so it is better to review procedures not only for data collection but also for data transfers.

Some Key Pointers:

  • Review all existing data processing, transfer and storage mechanisms. In particular, examine cases where data is transferred to a non-EU country.
  • Ensure that data is transferred or stored only in non-EU countries that are covered under GDPR’s “adequacy protection”. For more information check this list.
  • Multinational companies should also ensure that they have GDPR-approved “Binding Corporate Rules.” These should contain privacy principles and audit handling provisions and “an element proving that the rules are binding across the organization.”
  • Data transferred between the US and EU must comply with the EU-US Privacy Shield.

What are your concerns about the GDPR? Tweet me @scarabeetle using #CountdowntoGDPR, or add a comment below.

Read the entire Countdown to GDPR series to date:

Part 1: Right to Be Forgotten
Part 2: Privacy by Design and by Default
Part 3: Designating a Data Protection Officer (DPO)
Part 4: Customer Communication and Experience
Part 5: Data Security and Privacy Policies

Stay tuned for my next blog on Data Privacy Impact Assessments.
