In today’s rapidly evolving digital landscape, transferring data across borders has become a complex and crucial consideration for UK IT professionals and contractors.
Gone are the days when a Data Transfer Agreement could be swiftly reviewed by a lawyer and put into action.
The introduction of the General Data Protection Regulation (GDPR) and the Schrems II ruling has dramatically altered the landscape, imposing restrictions on transferring personal data to countries outside the European Economic Area (EEA) that don’t provide a level of protection equivalent to that mandated by the GDPR.
To meet the current requirements, processors must provide technical and organisational measures to the IT function. This allows IT professionals to assess whether the proposed security measures are sufficient to ensure the safety of personal data during the transfer process.
In essence, a company would only willingly engage in data transfers to a processor that renders such transfers safe.
That’s why the importance of International Data Transfer Agreements for UK IT professionals and contractors can’t be overstated.
Navigating the intricacies of compliance with GDPR and Schrems II is essential to safeguarding the privacy and security of personal data.
By understanding the legal and technical considerations surrounding data transfers, IT professionals can ensure that their organisations operate within the boundaries of the law and uphold the highest data protection standards.
Understanding the UK data protection landscape
Understanding the data protection landscape in the UK can be daunting, especially considering the impact of Brexit and the Schrems II ruling. Data privacy has become increasingly complex, often involving extensive paperwork and legal considerations.
With the completion of Brexit in December 2020, the UK no longer enjoys the same data protection status as the EU and EEA states. Instead, a new data protection regime called the “UK GDPR” was established. This change has significant implications for data transfers.
Following Brexit, the UK granted an adequacy decision to the EU, allowing unrestricted data transfers between the UK and the EU. In response, the EU reciprocated by granting an adequacy decision to the UK. This means that personal data can now flow freely between the UK and the EU without the need for additional safeguards.
In light of Brexit, the UK’s Supervisory Authority, known as the ICO (Information Commissioner’s Office), introduced the International Data Transfer Agreement (IDTA) as an alternative to the EU’s standard contractual clauses (SCCs) for UK data transfers. This provides a framework for ensuring the lawful and secure transfer of data.
We’ve also received news of a preliminary agreement between the EU and the US on a new Transatlantic Data Privacy Framework; whether this realistically addresses the concerns raised in Schrems II remains to be seen.
Staying ahead of these changes and understanding the evolving data protection landscape is crucial for organisations and individuals involved in data transfers within the UK. Adhering to the appropriate regulations and agreements ensures compliance and helps protect the privacy and security of personal data.
Data transfers within the European Union (EU)
Where personal data is being transferred within the EU, the GDPR doesn’t impose additional requirements.
Where a controller (sender of data or data controller) engages a processor (receiver of data or data importer), the relationship is governed by a data processing addendum covered under Article 28 GDPR, which states:
“…Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject…”.
Let’s consider a scenario where a company in the UK wanted to transfer personal data to another company within the European Union (EU), for instance, a company based in France. In this situation, since the UK and the EU are subject to the GDPR, no additional requirements are imposed on data transfers within the EU.
The company in the UK, acting as the data controller, decides to engage the company’s services in France, which will act as the data processor. To govern their relationship, they’ll establish a data processing addendum in accordance with Article 28 of the GDPR.
In simpler terms, the UK company needs to verify that the French company has adequate security measures in place to protect personal data during the transfer and while it’s being stored.
The UK company’s IT department should assess whether the French company’s security measures are suitable and effective before proceeding with the data transfer.
To summarise, even when transferring data within the EU, companies in the UK must ensure that the receiving party implements appropriate security measures. This is crucial for maintaining the security and privacy of personal data and complying with the GDPR.
Consideration of adequacy decisions or alternative mechanisms
An adequacy decision means that any transfers made to countries that are considered adequate don’t need additional safeguards before any transfer is made.
What if there’s no adequacy decision?
It’s still possible to transfer data outside of the EU or UK to a country that doesn’t have the benefit of an adequacy decision, so long as (according to Schrems II) there are appropriate safeguards in place and enforceable data subject rights and legal remedies are available in the recipient country.
Standard Contractual Clauses are one type of appropriate safeguard. As noted above, since Schrems II the controller would also need to ensure that enforceable rights and legal remedies equivalent to those in the data subject’s own country are available in the recipient country.
Conducting Data Transfer Impact Assessments
When transferring data from the EU (or conducting data transfers from the UK) to a country that doesn’t have an adequacy decision, it’s important to conduct a Data Transfer Impact Assessment (or Transfer Risk Assessment for the UK). This assessment helps evaluate the risks associated with such data transfers.
The assessment involves identifying and describing any risks that may arise when transferring data to non-adequate countries. It also includes evaluating the data importer’s ability to fulfil their obligations as a recipient of the data.
Any supplementary measures taken to protect these transfers are also considered part of the assessment.
The role of IT professionals in the realm of data transfers can’t be overstated. They play a crucial role in assessing whether the technical and organisational measures proposed by processors are adequate for the data being processed.
The controllers are responsible for ensuring that data is securely handled and protected. IT professionals must thoroughly evaluate the proposed measures and ascertain their effectiveness in safeguarding the data throughout the transfer process. Any shortcomings or vulnerabilities must be addressed before proceeding with the transfer.
Failure to meet these obligations could have severe consequences for controllers who bear the ultimate responsibility for data security. Therefore, IT professionals must remain vigilant, thorough and diligent in assessing technical and organisational measures to protect against potential data breaches or unauthorised access.
By partnering with legal experts like LawBite, IT professionals and contractors can ensure that their organisations adhere to the legal frameworks, minimise potential risks, and maintain the highest data protection standards in the ever-evolving international data transfer landscape.
Mandy Hargun is one of the many experienced GDPR lawyers at LawBite. Mandy specialises in anti-money laundering, judicial review, corporate compliance and data privacy law. LawBite’s expert data protection lawyers have helped thousands of SMEs with GDPR compliance. They’ve also created GDPR-specific service packages that support you at different stages of your GDPR journey.