Are you sharing data outside of the EU ? Read this

The rules relating to sharing data with any company outside the EU  have recently changed and the previously accepted standard contract clauses are no longer considered adequate. If you share data with any company outside the EU,  you need to ensure that you have completed a risk assessment as well as checking that your contract meets the standard clauses.

The EU Data Protection Board (EDPB) has issued ‘an FAQ’ on the invalidation of the Privacy Shield and the implications for Standard Contractual Clauses (SCCs). This guidance still applies to UK controllers and processors.

It is important to recognise that there is no grace period for companies to act and third-country transfers are currently illegal.

There is no guidance on how companies should ensure that data transferred is now safe and no information to help companies complete a risk assessment. So, until more guidance is provided, we are suggesting the following approach:

  1. List all third country transfers you currently have in place.
  • Document the data, nature of processing, and third-party details so you understand exactly what data is involved.
  • Ensure you have SCC’s in place with all third parties – in many cases these will be covered in the company’s terms and conditions.
  • Contact all third parties to ask for copies of any risk assessments they have completed. Don’t be too disappointed if you do not receive any as many companies are unaware.
  • Complete a Supplier Data Security Checklist for each company you share data with outside of the EU , focussing on the smaller companies. You can ignore Facebook, Google, Microsoft at this point
  • Review Facebook, Google, and Apple responses to this and keep a record of any updates.
  • Use this analysis to decide whether to stop transferring data to any company that fails your risk assessment.

This is a complex area, but we can help. We have produced a standard risk assessment template you can use and will keep you updated.