With the GDPR coming into effect, understanding mechanisms for lawful data transfer is extremely essential. This regulation affects all organisations using online IT services, remote access services, global HR databases and cloud-based services. The GDPR restricts transfer of data outside the European Economic Area (EEA) unless the recipient is located in a zone approved by the EC (European Commission), or if the data controller and processor has provided appropriate safeguards suggested by the EC (European Commission) or where any of the exemptions apply as per Article 49.
The entire Chapter 5 of the GDPR explains grounds to facilitate data transfer across borders. Let us now analyse in detail the three approaches laid out to enable cross-border data movement outside the EEA.
- Adequacy Decisions: The European Commission is empowered to designate a country, a territory, specified sectors or organisations as providing an adequate level of data protection. As per Article 45, the GDPR allows transfer of personal data to a country, organisation or territory which has this ‘adequacy decision’. The EC makes adequacy decisions based on factors such as the rule of law, respect for human rights, independent functioning of supervisory bodies and international commitments of such third countries. The EC (European Commission) periodically reviews the list, which may need frequent attention. The advantage of making transfers based on an adequacy decision, for example, transferring to entities certified under EU-US Privacy Shield, is that there are no additional steps required.
- Establishment of Appropriate Safeguards: If there is no adequacy decision on the country/organisation the data is being transferred to, Article 46 of the GDPR, permits the cross border transfer of data if the data controller or processor has provided safeguards mentioned in this Article. Some mechanisms include:
- Legally binding enforceable instrument between public authorities
- Agreements between corporate groups guided by Binding Corporate Rules (BCR) as per the Article 47. BCR is an intra-company company code of conduct that is certified by the relevant supervisory authority. It can ease the process of transfer within a group across countries which may not be otherwise approved
- Model Contracts Clauses comprising of standard data protection clauses adopted by the Commission. These contracts have a standard format, however the EC (European Commission) has the right to update or replace the clauses anytime
There are a few more mechanisms which are expected to come up soon, which include:
- Compliance with a code of conduct approved by the supervisory body
- Certifications can also be acquired by data controllers and/or processors under the approved certification mechanism
- Specific Derogations: In the event of failing to utilize the two mechanisms stated above, Article 49 permit(s) data transfer via certain special approaches mentioned here:
- Cross-border transfer can be permitted based on individual’s informed consent
- Data movement can be allowed if the transfer is necessary for the performance of a contract between the data subject and the controller
- Data can also be transferred if it is necessary for crucial reasons of public interest or to exercise or defense of legal claims
- If the transfer is necessary to protect the vital interests of the data subject
With the May 25, 2018 deadline round the corner, businesses can follow these simple steps to ensure that they are well prepared for cross-border transfer requirements of the GDPR:
- Start by critically reviewing all your business operations which are in place or planned for future
- Identify and analyze instances when personal data is transferred to recipients outside the EEA
- Ensure each instance of the transfer has a mechanism that complies with requirements of the GDPR
Understanding the quantum of data transferred from the EU to the US, a favorable option would be to get certified under EU-US Privacy Shield. In the case of identification of any data transfers which lack a lawful mechanism; organisations should implement the most appropriate of the three methods mentioned above.
Application of these lawful mechanisms can be facilitated if businesses choose to use GDPR compliant cloud-based solutions. By opting for a cloud based vendor, businesses can choose the site for storing their data. Also, cloud solutions are designed to ascertain that all aspects of the business meet requirements of the GDPR.
For more on how cloud will help meet the obligations put forth by the GDPR, read 3 Ways Cloud Simplifies Your GDPR Compliance.