GDPR Week#20: Where in the world is that data?
Let me ask you a question.
As champion of your organisation’s customer experience and (for now, at least) the person responsible for ensuring you comply with the GDPR and new Data Protection Act, are you sending prospect and customers’ personal data outside of Europe solely to circumvent the laws on data protection?
No, of course not! I think.
But if any of your technology partners or services transfer, save or process personal data outside of the EU or EEA (European Economic Area), then you need to be clear about the legal basis on which you are doing this. And if you have intra-company transfers of personal data outside of the EEA and your organisation doesn’t have Binding Corporate Rules (BCRs www.ico.org.uk/for-organisations/guide-to-data-protection/binding-corporate-rules/) in place – which is unlikely as BCRs are tricky and expensive to establish – the same stipulations apply.
Like a lot of aspects of the GDPR, the key consideration here is transparency – let your customers know what you’ll do with their data and where. So before you do that you’ll need to a) know where the personal data is going, and b) be confident that it will be safely and securely treated.
So whether personal data transfers outside of the EEA are being carried out by your CRM provider, email or SMS despatch solutions, fulfilment providers, for fraud screening or data profiling, in most cases you will need to explain this to the data subjects whose personal data is being affected. If you have a good reason for doing this and can be confident that your overseas partner will handle the data appropriately, then there’s no problem.
If not, then you’ll need to take a long hard look at your ‘customer experience infrastructure’.
Life’s a lot simpler if you are transferring and processing data in countries that the EU has ruled to display ‘adequacy’ in terms of personal data protection. However, the current list is rather eclectic and includes a mixed bag of countries: Switzerland, Andorra, Faeroe Islands, Guernsey, Jersey, Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay. Unfortunately, the USA is only ‘partially adequate’, and you will be reliant on your overseas partner/supplier company having gained Privacy Shield (www.privacyshield.gov) status; it’s not a given.
Finally, if you are a provider of services (a data processor) which requires client personal data to be transferred out of the EEA then this is another GDPR-related concern you will want to add to a growing list. See our blog from a few months ago: www.channeldoctors.co.uk/blog/29-technology-providers-it-s-time-to-wake-up-to-the-gdpr