Transfer of personal data outside of the EU? Here’s what your business needs to know

The General Data Protection Regulation (GDPR) applies to all organisations that control or process personal data in the European Union (EU), and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

And, because people would lose the protection of the GDPR if their personal data simply moved beyond this political and economic area, the GDPR restricts transfers of personal data to countries or international organisations outside the EU (strictly, outside the European Economic Area, which adds Iceland, Liechtenstein and Norway to the EU member states).

So, if your business has to transfer personal data outside of the EU, you must ensure that the data keeps an equivalent level of protection by other means.

When you’re running a business, the last thing you want to think about is the possibility of things going wrong. But the right preparation won’t just reduce the likelihood of data breaches occurring; it will also limit the fallout should the worst happen.

The Information Commissioner's Office (ICO) has recently published updated guidance on international data transfers. At Hayes Connor Law, our data protection solicitors have pulled together the key points you must consider to ensure your business remains compliant if it operates beyond the EU.

What is a restricted transfer of personal data?

When personal data is transferred outside of the EU, safeguards are needed to ensure that the protection afforded by the GDPR travels with the data.

These restrictions apply to every transfer, whatever its size and however often you make it.

However, if personal data is sent from one EU country to another but is merely routed through servers in a non-EU country on the way, that is transit rather than transfer, and it is not a restricted transfer.

Easy ways to make a restricted transfer of personal data

If you need to make a restricted transfer, first consider whether you can achieve the same purpose without sending any personal data at all. For example, if you can anonymise the data so that it is impossible to identify individuals (even when it is combined with other information), the restrictions do not apply. Note that pseudonymisation is not anonymisation: if names are replaced with tokens or hashes but a key or lookup table still allows people to be re-identified, the data remains personal data and the restrictions still apply.

If you can't anonymise your data, check whether the European Commission has decided that the country you are transferring it to provides an adequate level of data protection (an 'adequacy decision'). If it has, you can make the transfer without further safeguards. The Commission publishes the current list of adequacy decisions on its website.

Restricted transfer of personal data safeguards

If the country has no adequacy decision, you can still make the transfer if you put 'appropriate safeguards' in place. Taking advice from expert data protection solicitors is strongly recommended to keep you on the right side of the law.

According to the Information Commissioner’s Office (ICO), these safeguards include:

  • A legally binding and enforceable contract between public authorities. You can make a restricted transfer if BOTH parties are a public authority or body, and both have signed a legally binding and enforceable document which includes enforceable rights and effective remedies for the individuals whose personal data is being transferred. For public bodies that cannot enter into legally binding and enforceable arrangements, an administrative arrangement which includes enforceable and effective individual rights can be used instead.
  • Binding corporate rules. You can make a restricted transfer if both parties have signed up to binding corporate rules (BCRs). BCRs are an internal code of conduct for multinational groups that allows restricted transfers of personal data outside of the EU within the group; franchises and joint ventures can also use them. Legal advice is strongly recommended to ensure the BCRs are compliant and have been approved by the relevant EU supervisory authority (where necessary).
  • Standard data protection clauses. Your business can make a restricted transfer if both parties have entered into a contract incorporating the standard data protection clauses adopted by the European Commission. These clauses place contractual obligations on the data exporter and importer, and set out rights for the individuals whose personal data is transferred. The clauses must be used as published (you may add commercial terms that do not contradict them, but you cannot edit the clauses themselves), and knowing which set of clauses applies to your situation can be complicated, so expert legal advice from data protection solicitors is strongly recommended.
  • An approved code of conduct. You can make a restricted transfer if the receiver has signed up to a code of conduct which has been approved by a supervisory authority. The code of conduct must include robust safeguards to protect the rights of the individuals whose personal data is being transferred, and these rights must be enforceable.
  • Certification. You can make a restricted transfer if the receiver has achieved certification under a scheme approved by a supervisory authority. The certification scheme must include robust safeguards to protect the rights of the individuals whose personal data is being transferred, and these rights must be enforceable.

You can find out more about all the available safeguards on the ICO website.

What if proper safeguards do not cover the restricted transfer?

If the necessary safeguards do not cover the restricted transfer, you might be able to use an approved exception.

Exceptions include where:

  • The individual has given their explicit consent to the restricted transfer
  • The transfer is necessary for you to perform a contract between you and the individual
  • You have (or are entering into) a contract with an individual which benefits another individual (and their data is being transferred)
  • You need to make the transfer for important reasons of public interest
  • You need to make the transfer to establish if you have a legal claim, to make a legal claim or to defend a legal claim
  • You need to make a restricted transfer to protect the vital interests of an individual who is physically or legally incapable of giving consent
  • You are making the restricted transfer from a public register
  • You are making a one-off restricted transfer and it is in your compelling legitimate interests.

In most of these circumstances, the transfer must be genuinely necessary, and an exception cannot be relied on for regular or repeated transfers. For the compelling legitimate interests exception in particular, you must also inform the ICO and the individuals concerned about the transfer.

As such, it is vital to take proper legal advice from data protection solicitors to keep you compliant and avoid data protection breaches.

Expert legal advice is crucial

Should you need legal advice or assistance in this area, please contact the Hayes Connor Law data protection team.

Our data protection and defence solicitors have a wealth of experience in this relatively new and continually evolving field, so we understand the complexities involved. As such, we can help you with a wide range of advice and legal support. Our process is fully compliant with ICO guidance, and we never put your details at risk.


Heathrow fined £120,000 for data breach. What can your business learn?

Last month, Heathrow Airport Ltd (HAL) was fined £120,000 by the Information Commissioner's Office (ICO). The penalty came after a member of the public found a lost USB stick containing sensitive personal information.

The stick, which contained 76 folders and over 1,000 files, was neither encrypted nor password protected.

The finder took the USB stick to a public library to view the contents before passing it to a national newspaper. The newspaper then took copies before giving it back to HAL.

While the device only contained a small amount of personal and sensitive data, it did include a training video which revealed the details of 10 employees and up to 50 Heathrow aviation security personnel. This data included names, dates of birth and passport numbers.

When investigating the data breach, the ICO found that only 2% of the 6,500-strong workforce had been trained in data protection. What's more, it found widespread use of removable media and no technical controls to prevent it, despite HAL's policies and guidance stating that personal data should not be downloaded onto unauthorised or unencrypted media.

Commenting on the data breach, ICO Director of Investigations, Steve Eckersley, said: “Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.

“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”

Because of when the breach occurred, the case was dealt with under the earlier Data Protection Act 1998, meaning HAL escaped the harsher penalties possible under the GDPR.

For employers across the UK, this case serves as a stark warning that just having data protection policies in place isn’t enough.

To make sure that they are respected, relevant and robust training must also be carried out with all employees.

Furthermore, employers should evaluate their acceptable use policies to decide whether or not it is necessary to allow employees to use removable storage media at all. And, if it is needed, given the risks associated with the loss of such devices, they should ensure that effective safeguards are actually enforced in software rather than left to policy alone: for example, full-device encryption of any removable drive, and a technical control that refuses to write to media that is not encrypted.
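As an added illustration (not part of the original article, and not code from Heathrow Airport Ltd or the ICO), the following PowerShell shows the kind of technical control that would have enforced HAL's written policy on a Windows estate: it sets the BitLocker policy values that make Windows refuse writes to removable drives unless they are encrypted, and reports any unencrypted removable volume currently attached. It assumes Windows 10 or 11 with BitLocker available and an elevated session; the function names Set-RemovableMediaPolicy and Test-RemovableMediaPolicy are ours, not Microsoft's.

```powershell
# Added example, not code from the article or from Heathrow Airport Ltd.
# Assumes Windows 10/11 Pro/Enterprise with BitLocker, run from an elevated prompt.
# The values below are the registry form of two Group Policy settings under
# Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Removable Data Drives.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableMediaPolicy {
    # Weak state (what the ICO found at HAL): the rule exists only on paper, so
    # RDVDenyWriteAccess is absent or 0 and staff can copy files to any stick in clear.
    # Hardened state: writes to removable drives are refused unless the drive is
    # BitLocker-protected; reading from an unencrypted stick still works.
    if (-not (Test-Path $fvePolicy)) { New-Item -Path $fvePolicy -Force | Out-Null }
    Set-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -Type DWord -Value 1
    # Also refuse drives encrypted by a different organisation (e.g. a personal
    # stick the user protected at home), so the rule cannot be sidestepped.
    Set-ItemProperty -Path $fvePolicy -Name 'RDVDenyCrossOrg' -Type DWord -Value 1
    # The BitLocker driver picks the policy up on the next policy refresh or reboot.
}

function Test-RemovableMediaPolicy {
    # Returns an object an auditor can check: is the write block in force, and
    # which removable volumes attached right now are not BitLocker-protected?
    $p = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    $unencrypted = foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $bl -or $bl.ProtectionStatus -ne 'On') { $mount }
    }
    [pscustomobject]@{
        DenyWriteToUnencrypted = ($p.RDVDenyWriteAccess -eq 1)
        DenyCrossOrgDrives     = ($p.RDVDenyCrossOrg -eq 1)
        UnencryptedRemovable   = @($unencrypted)
    }
}

Set-RemovableMediaPolicy
Test-RemovableMediaPolicy | Format-List
```

In a managed estate the same two values would normally be pushed by Group Policy or an MDM profile rather than set by hand; the point of the Test function is that the control can be checked on the endpoint, which is the evidence a regulator asks for when a device goes missing.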

In today's online world, data breaches will happen, either through error or cybercrime. And, should this happen to you, you must be able to defend yourself to the regulator by demonstrating that robust preventative measures were in place.

Data breach solicitors

Don’t leave it until a breach occurs to protect your business. At Hayes Connor Law, we help companies, in-house legal teams and other organisations to meet their data protection obligations. Providing advice and support on compliance, data breaches, defamation and cybercrime we have all the expertise and experience you need to reduce your exposure to risk.

If a data breach has already occurred at your organisation, Hayes Connor Law can also put forward a robust legal response and defence. Ultimately, we help you come out of any crisis with your reputation, business and financial status intact.

We have considerable expertise and experience in dealing with Information Commissioner's Office (ICO) investigations, group actions and private claims, and can help you to avoid severe penalties such as substantial fines. In many cases, where a breach has occurred that was your fault, we can secure an out-of-court settlement in any compensation claims to resolve the matter as quickly and cost-effectively as possible.

For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.

ICO provides new data protection self-assessment checklist for sole traders

The ICO has created a checklist to help sole traders and the self-employed assess their compliance with new data protection laws. The list is designed to improve understanding of data protection laws (the GDPR), while assisting sole traders to keep people’s personal data secure. It also includes practical suggestions on how to stay in line with the law.

The checklist forms part of a more substantial range of data protection resources which are available on the ICO’s website.

Commenting on the guidance, the ICO’s Head of Assurance Anulka Clarke, said “We are committed to help sole traders and those who are self-employed to navigate data protection law and improve their practices. Handling personal data correctly can add value to businesses and enhance reputation, as it increases public trust.”

Questions asked include:

  1. Do you have a record of what personal data you hold? Do you know what you use it for?
  2. Do people know you have their personal data and understand how you use it?
  3. Do you only collect the personal data you need?
  4. Do you only keep personal data for as long as it is needed?
  5. Do you keep personal data accurate and up to date?
  6. Do you keep personal data secure?
  7. Do you have a way for people to exercise their rights regarding the personal data you hold about them?
  8. Do you and your staff (if you have any) know your data protection responsibilities?

More information is provided on each of these points.

Once the checklist is completed, sole traders are presented with their overall data protection rating, as well as any suggested actions to help improve this.

Sole traders and small businesses are also advised that they can contact the dedicated ICO helpline and talk to staff who can offer further support.

Bespoke data protection advice for businesses


At Hayes Connor Law, we have all the expertise and experience needed to reduce your exposure to risk. Helping you meet your data protection requirements, and keeping you safe from breaches, we ensure your policies and procedures are compliant.

If a breach has already happened, we can also help you to put forward a robust defence and stop the situation from escalating.

CONTACT US TO FIND OUT MORE ABOUT HOW WE CAN HELP YOU.

Data protection complaints increase by almost 50% in three months

According to the Information Commissioner's Office (ICO), the number of data protection complaints it has received has almost doubled since April this year. The increase has followed the introduction of the GDPR on May 25th.

The stats show that:

  • 4,214 data protection complaints were made in July
  • 3,098 data protection complaints were made in June
  • 2,310 data protection complaints made in May
  • 2,165 complaints were made in April.

In total, there were 957 reported data security incidents in the ICO's fourth quarter of 2017/18 (January to March 2018). Common causes of these incidents include:

  • Data sent to the wrong recipient
  • Loss or theft of paperwork
  • Failure to redact data
  • Failure to use BCC when sending an email, exposing every recipient's address to all the others.

Worryingly, reported cybersecurity incidents also increased by 31% over the same period. Overall, general business, education and local government were the sectors with the most reported data breaches (the figures exclude the health sector).

A rise in data breach awareness

The stats indicate that more and more people are becoming aware of their data protection rights. This makes sense as there have been many high-profile data protection scandals over the last few months.

With strict new penalties for data breaches, this rise in data protection complaints should be taken as a stark warning for any business that hasn't yet put adequate data security policies and processes in place.

The GDPR requires an organisation that suffers a personal data breach to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected people must be told as well. According to the ICO, there has also been a 30% rise in self-reporting. Find out more about data breach reporting and what your business needs to know.

Commenting on the changes since the introduction of the GDPR, a spokeswoman for the ICO said: “It’s early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations.

“Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”


What businesses need to learn following the Equifax data breach

The investigation by the Financial Conduct Authority (FCA) into the Equifax data breach is now drawing to a close. The breach happened because Equifax failed to patch a known vulnerability in the Apache Struts web framework (CVE-2017-5638) in one of its online systems, even though a fix had been available for around two months. This allowed attackers to access the personal details of millions of people in the UK and US.

Following the data breach, there are some vital lessons businesses across the UK need to learn to ensure they don’t meet a similar fate.

Cybercrime is increasing. So you have to protect your business

UK businesses are not doing enough to prevent cyber-attacks, often because they don't think it will happen to them. But, according to figures published by the government, the UK's 5.4 million small businesses are collectively attacked more than seven million times a year. What's more, cybercrime costs the UK economy a whopping £5.26bn[1], and around 66% of small businesses have been a victim of cybercrime in the last two years.

Over the last few years, mobile phone networks, tech firms, retailers and banks have all hit the headlines due to criminal activity that led to data security breaches. In many cases, these offences were made possible due to poor IT and data management practices. And, if you are found to be responsible, under GDPR, depending on the size and scope of the breach, you could be liable for millions of pounds in compensation.

The good news is that, once you are aware of the dangers facing you, there are some simple steps you can take to reduce your exposure to attacks.

You must review your data and security processes

Review the personal and sensitive data you hold, and all the steps involved in processing it. Once you know what you are dealing with, you can then document the controls you have in place and evaluate any potential risks.

By undertaking such a review, you should be able to see where improvements need to be made to comply with regulations and industry standards. You should also consider training to ensure your staff are aware of how important data protection is, particularly as, according to the Information Commissioner's Office (ICO), accidental disclosure or human error is a leading cause of personal data breaches.

If your business does become the victim of a cyber-attack, you will be held accountable for any failures in your processes and systems. So the more you can do to show that you take your data protection responsibilities seriously the better.

You could be liable for data breach compensation as well as fines

The Equifax fine is expected to be significant. But while fines are intended to ensure businesses do more to uphold their obligations, this isn’t the only financial penalty companies face. For example, with millions of people affected by the breach, Equifax is also facing a group-action compensation claim.

So, while you might think the cost of ensuring your business keeps your data safe is too high, the financial impact of not doing anything could be devastating.

Robust reporting mechanisms are crucial

While the Equifax data hack was a massive blow to the company, the decision not to report the cyber raid immediately only made matters worse.

In fact, not only did Equifax fail to come clean straight away about the scale of the breach, but a former Equifax executive also sold his shares in the company before the news of the hack went public. Earning roughly $1 million in the process, the executive was set to profit at the expense of millions of customers. He has since been charged with insider trading, but his actions don’t reflect well on the business.

Early reporting is now mandatory under the GDPR: a breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of your becoming aware of it, and late reporting will only make matters worse. The one exception is a breach that "is unlikely to result in a risk to the rights and freedoms of natural persons", which does not have to be reported to the ICO (although you must still record it internally). But how do you establish which breaches are unlikely to result in such a risk, and so keep on the right side of the law?

At Hayes Connor Law, as well as advising you on when to report and when not to report, we can also help you to establish compliant processes for responding to data breaches made against your business.

Find out more about data breach reporting.

Expert advice is vital before a breach occurs


Leading our field when it comes to understanding this often complex area of law, our expert, pragmatic legal advice ensures the highest quality outcome – both in terms of results and service delivered.

Find out more about our data breach defence services.

Expert advice is vital if you are the victim of cybercrime

Prevention is better than cure, but where a data breach does occur, how you respond to it could impact any action taken against you by the ICO or any other regulatory bodies.

If a data breach has occurred at your organisation because of a cyber-attack, Hayes Connor Law can help you put forward a robust legal response and defence. Ultimately, we help you come out of any crisis with your reputation, business and financial status intact.


Counselling clients to ensure appropriate incident management, everything we do helps to mitigate your legal liability as much as possible.

Find out more about our cybercrime defence services.

Drawing on over 50 years of experience in the claims sector, we put your best interests at the heart of everything we do. Our process is fully compliant with ICO guidance, and we never put your details at risk.

We also remove the jargon from the process and make sure you always know what’s happening with your case.

For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.



[1] Federation of Small Businesses