International Data Transfers: How to send data abroad under the UK GDPR?

As part of an interconnected and widely changing global market, it's likely that your company needs to send data abroad to conduct many of its daily business activities. After the implementation of the UK GDPR, many of these transfers are likely to be considered a 'restricted data transfer'. Here is all the information you need to continue sending data abroad under the new regulation:



Is the data transfer you are making a restricted transfer?

If your company is sending data to a receiving country that is not covered by the UK GDPR but the data you are transferring is, then you will be making a restricted transfer. If the receiver is a legal entity that is separate from yours, even if they are in the same corporate group, this will still fall under a restricted transfer.

If however you send personal data to an individual that is employed by your organisation but they are in a separate country, this would not be considered a restricted data transfer as you are not sending data outside of your own company.

Is the country you are transferring personal data to covered under adequacy regulations?

An adequacy decision means that the country you are transferring data to is deemed to have the same standard of data protection and legal framework as that covered by the UK GDPR. In these instances, you would not need to worry about implementing safeguards and can transfer between these territories freely. An adequacy regulation simply sets this fact out in law.


Below is a list of countries and territories the UK currently has adequacy regulations for:


Full adequacy decisions:

  • EU Countries (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden)

  • EFTA Countries (Iceland, Norway, Liechtenstein)

  • Andorra,

  • Argentina,

  • Gibraltar

  • Guernsey,

  • Isle of Man,

  • Israel,

  • Jersey,

  • New Zealand,

  • Switzerland, and

  • Uruguay.

Partial adequacy decisions:

  • Japan, and

  • Canada

What happens if the country I am transferring personal data to is not on that list?

Here is where you are expected to implement the ‘appropriate safeguards’ that will allow you to transfer personal data to another territory outside of the list.


The available safeguards within your arsenal are as follows:


1. Legal instruments made between public bodies that contain ‘appropriate safeguards’

Whilst the UK GDPR does not define what a public body is, it usually describes governmental bodies that undertake certain measures that are for the public interest. An ‘appropriate safeguard’ under this would allow for ‘enforceable rights’ and ‘effective remedies for the individual whose data is being transferred.


Pros

This may be easier to implement if the country you wish to transfer personal data to has these legal and enforceable instruments already in place.


Cons

Not all territories would have these agreements in place and so may not be utilised for your chosen territory.

2. UK Binding corporate rules (UK BCRs)

They are internal codes of conduct which apply to multinational groups. For larger corporations, it is more common to adopt binding corporate rules (BCRs) as they are suited for international transfers between separate entities within the same organisation and thus better suited to global businesses.

Pros

It is globally recognised as a high standard for compliance and is useful in adapting to the changing needs of your company. It is a good way to evidence accountability and a good model that can be utilised for many purposes.


Cons

There is a demanding approval process and the lack of resources from the regulators can impact the approval process and cause delays. It is also more technical than Standard contractual clauses and thus requires sufficient internal resources within your organisation.

3. Standard Contractual Clauses (SCCs)