Share

2 min read

Writen by Adam

Posted on: January 15, 2021

Are you sharing data outside of the EU ? Read this

The rules relating to sharing data with any company outside the EU  have recently changed and the previously accepted standard contract clauses are no longer considered adequate. If you share data with any company outside the EU,  you need to ensure that you have completed a risk assessment as well as checking that your contract meets the standard clauses.

The EU Data Protection Board (EDPB) has issued ‘an FAQ’ on the invalidation of the Privacy Shield and the implications for Standard Contractual Clauses (SCCs). This guidance still applies to UK controllers and processors.

It is important to recognise that there is no grace period for companies to act and third-country transfers are currently illegal.

There is no guidance on how companies should ensure that data transferred is now safe and no information to help companies complete a risk assessment. So, until more guidance is provided, we are suggesting the following approach:

  1. List all third country transfers you currently have in place.
  • Document the data, nature of processing, and third-party details so you understand exactly what data is involved.
  • Ensure you have SCC’s in place with all third parties – in many cases these will be covered in the company’s terms and conditions.
  • Contact all third parties to ask for copies of any risk assessments they have completed. Don’t be too disappointed if you do not receive any as many companies are unaware.
  • Complete a Supplier Data Security Checklist for each company you share data with outside of the EU , focussing on the smaller companies. You can ignore Facebook, Google, Microsoft at this point
  • Review Facebook, Google, and Apple responses to this and keep a record of any updates.
  • Use this analysis to decide whether to stop transferring data to any company that fails your risk assessment.

This is a complex area, but we can help. We have produced a standard risk assessment template you can use and will keep you updated.

Recent blogs

Most common types of GDPR violations

As GDPR effect is growing day by day and a lot of companies are affected, we would like to present

ICO published the next chapter of the Anonymisation guidance draft : Anonymisation, pseudonymisation and privacy enhancing technologies guidance

How to ensure anonymisation is effective? The ICO is calling for views on its updated draft gui

When can we refuse to comply with a SAR (Subject Access request) ?

A lot of companies are receiving SAR's almost every day. Not all of the SAR's are relevant and a lo

Get Your Account Now

Setup in just 5 minutes. Enter your company details and choose the EU Representative services you need.

Give Us a Call

Not sure whether EU Representative applies to you or which option to choose? Call, email, chat to us anytime.

06 GDPR INFO

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.