Ensuring personal data is protected when using overseas providers
31/08/2023
Customer names, addresses, email addresses, phone numbers, IP addresses and payroll details are all examples of personal data – information which can be used to identify a living person.
Most businesses use personal data in their day-to-day activities and, increasingly, they use providers based outside the United Kingdom to support their operations, for example to process payments or analyse website traffic on their behalf.
If you use an overseas provider and you need to transfer personal data to them so that they can provide their services to you, it is critical to ensure that this does not result in anyone losing the rights they have in respect of their personal data under UK data protection legislation.
This can be ensured by following the rules set out in the data protection legislation. The steps you will need to take are:
- Consider where the personal data will be transferred to
The first step is to consider where the recipient of the personal data is located. If the transfer of the personal data is to a country covered by what is known as an “adequacy decision”, the transfer will be permitted without any additional measures being required.
An adequacy decision is a recognition by the UK government that a country provides an adequate level of protection for people’s rights and freedoms regarding their personal data. Countries covered by an adequacy decision include countries in the EEA, Gibraltar and the Republic of Korea (amongst others).
An example of a country that is currently not covered by an adequacy decision is the US.
- What if the recipient country is not covered by an adequacy decision?
If the country you wish to transfer personal data to is not covered by an adequacy decision, in most circumstances you will need to put in place what is known as an “appropriate safeguard”. This is a contractual arrangement between the business transferring the personal data out of the UK (the “Exporter”) and the organisation receiving it outside the UK (the “Importer”) which requires the Importer to protect individuals’ rights and their personal data to the standard that applies under UK data protection legislation. The rationale is that personal data which benefits from the protections of the UK General Data Protection Regulation (UK GDPR) should continue to benefit from an equivalent standard of protection even after it is transferred outside the UK.
Businesses used to be able to do this using contractual provisions known as Directive SCCs (Standard Contractual Clauses). However, these are being phased out and cannot be used for new transfers entered into on or after 21 September 2022. Any business still relying on Directive SCCs as a means of transferring personal data overseas will need to replace its current arrangements by no later than 21 March 2024.
The appropriate safeguard which must be used for any new transfers needs to take the form of either an International Data Transfer Agreement (IDTA) or an Addendum to the EU Commission’s Standard Contractual Clauses. In practice, the IDTA will be the most straightforward appropriate safeguard to use. This is a user-friendly, standard form agreement which can be used in conjunction with other agreements (such as a contract for services).
If you are relying on this route to permit the transfer of personal data outside the UK, it is important to note that you must first conduct a Transfer Risk Assessment. This allows you to identify any risks which arise in relation to the transfer of personal data and then to mitigate those risks, in order to ensure that an equivalent level of protection is offered by the Importer as is available under UK data protection laws. The Information Commissioner’s Office has developed a non-mandatory Transfer Risk Assessment Tool to assist businesses with carrying out Transfer Risk Assessments.
- Are there any alternative options?
UK data protection laws also set out eight specific circumstances in which personal data may be transferred abroad to a country which is not subject to an adequacy decision and where there is no appropriate safeguard in place. However, these are narrow in scope and, in the majority of cases, can only be used where it is not reasonable and proportionate to put in place an appropriate safeguard, meaning that in practice they are unlikely to apply to many situations.
What do our lawyers say?
“If personal data is transferred outside of the UK without the transfer complying with data protection legislation, this will breach data protection law and runs the risk of investigation by the Information Commissioner and possible sanctions and large fines,” said Jenny.
“We would therefore recommend ensuring that, where an adequacy decision does not apply, an IDTA is put in place before any personal data is transferred abroad in order to avoid these risks.
“Where businesses are relying on Directive SCCs, we would also recommend updating these arrangements in good time in advance of these becoming ineffective on 21 March 2024.”
Hannah Nagel, a solicitor in our commercial team, advises on a range of data protection matters including data processing agreements and privacy notices.
“Many businesses use third party providers, including payment processing platforms and cloud service providers, with servers based in the US or another country without a UK ‘adequacy’ decision. If this applies to your business, you must ensure that a lawful transfer mechanism is in place to protect your customers’ personal data and comply with the legislation,” said Hannah.
“The consequences of non-compliance can be significant as, not only can this result in reputational damage, but also the Information Commissioner’s Office (ICO) can award fines of up to a maximum of £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”
Jenny added, “Our team is on hand to support businesses with understanding the requirements of data protection legislation and meeting their data protection requirements, including in respect of transferring personal data to suppliers located overseas.”