GDPR – Chapter 13: Cross-Border Transfers

GDPR – Solving Data Protection Problems: Chapter 13: Cross-Border Transfers

The European Data Protection Regulation (GDPR) will be applicable as of 25 May 2018 in all member states to harmonize data privacy laws across Europe.

The GDPR is an EU directive regulating how businesses handle, store, share and secure personal information, and will profoundly alter the way businesses and consumers look at the data they hold.

If your organisation engages in Cross-Border Data Transfers and needs to move data freely outside the European Economic Area (EEA), the GDPR will impact you.

In preparation for GDPR, I’ve written this blog and created a free downloadable guide to help your organisation avoid loss of personal data, and get ready to comply.

The European Union is a political and economic union of 28 member states that are located primarily in Europe.

The existing EU Data Protection Directive 95/46/EC 1995 had to be transposed into the national laws of each Member State.
Inevitably, the national legislatures of the Member States applied their own interpretations of the directive. It is the basis for the Data Protection Act (DPA) 1998, a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system.

As a consequence, there is a “patchwork” of similar, but not identical, data protection compliance requirements across the EU, with each state interpreting and enforcing DPA differently.
This left organisations trying to do business in the EU faced with inconsistent data protection compliance requirements between the Member States, working under regulations that vary from country to country.

Since the Directive 95/46/EC was drafted in the mid-1990s, there have been significant changes in the ways in which people use information, both in business and personal contexts.

New technology, tools, and devices used today, including smartphones, fitness trackers, etc., did not exist at that time. Consequently, the Directive has had to be adapted to apply to an increasingly interconnected world, and is therefore in need of updating.

Why do Cross-Border Transfers matter to organisations?
Businesses today find it increasingly important to be able to move data freely to wherever those data are needed. However, the transfer of personal data to recipients outside the European Economic Area (EEA) is generally prohibited unless:

  • The jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection.
  • The data exporter puts in place appropriate safeguards.
  • A derogation or exemption applies.

Understanding the use of lawful data transfer mechanisms is essential for all organisations that wish to transfer personal data to recipients located outside the EEA.

What types of organisations are most affected?
Primarily, any organisation that engages in Cross-Border Data Transfers.

Organisations using online IT services, cloud-based services, remote access services or global HR databases will all need to implement lawful data transfer mechanisms.

Examples

Marketing agencies that send contact lists to telesales firms in the EEA currently have to understand the different data laws of each individual nation and adapt their processes accordingly to ensure they comply with the appropriate regulations.

IT companies that provide systems support across the EU currently have to allocate additional time and resources to understanding the patchwork of individual national laws for processing data, such as handling employee data, customer details, and payment transactions.

So what should your organisation do to prepare?

Download full guide
https://www.old.p4p.uk.com/library-user-guide/gdpr-chapter-13-cross-border-transfers-guide/
