International Data Transfers and UK-US Data Bridge

September 2023

What is it and what does it mean for UK businesses?

The UK-US Data Bridge was finalised on 21 September 2023 and goes live 12 October 2023.

The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’ and it allows for the free flow of personal data from the UK to another country without the need for further safeguards.

The UK Government stresses data bridges are not reciprocal, they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individual’s personal data under UK GDPR is maintained.

The UK-US Data Bridge is aimed at easing the burden on UK businesses, faced with complex international data transfer rules and requirements.

Background on data transfers to the United States

In the past, and when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place.

For more than a decade the Austrian privacy activist Max Schrems (and his business NOYB) has been challenging data transfers and highlighting concerns about US Government and agencies ability to access and intercept data transferred to the US.

This ultimately led to a 2020 European Court ruling, known as Schrems II which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard; Standard Contractual Clauses – SCCs.

(Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!)

Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data overseas, such as putting in place NEW Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.

In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risks Assessments, for UK based businesses. Oh, and let’s not forget there’s also the UK Addendum to EU SCCs.

Complex, isn’t it? Are you still with me?

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for transfers to the US which came into force on 11 July 2023. The EC confirmed the EU-US Data Privacy Framework, gives protection to personal data transferred which is comparable to that provided within the EU.

This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses regulated by the Federal Trade Commission or the US Department of Transportation are eligible, and need to self-certify compliance against a set of principles.

UK-US data bridge

Post-Brexit the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note US companies must already be signed up to the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Essentially the Data Bridge is an extension to the EU framework, which US suppliers would also need sign up to.

What steps can businesses take?

Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking;

1) whether US businesses are participating in the scheme, or intend to
2) the US businesses’ privacy policies
3) whether the caterogies of data being transferred are covered

Some types of US organisations are not eligible to participate in the Data Bridge, or Data Privacy Framework, and some categories of data may be excluded or require additional steps. For example special category data (such as health data, biometrics, political opinions) and criminal offence data require additional measures.

There’s further information available about the Data Privacy Framework here, and there’s also an ability to check if a US business is signed up using the participant search.

Legal challenges

As with it’s predecessors Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. It’s likely these challenges could take many months, may be even years to go through the courts. However, there’s the possibility the EC could invalidate the Data Privacy Framework at some point in the future. If this happens it’s not clear what the repercussions might be for the UK-US data bridge.

Businesses wanting to take a belt and braces approach, may therefore want to still rely on safeguard measures such as EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and where necessary the UK Addendum.

See our International Data Transfer Guide for an overview of the rules and requirements.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

EU Representative and Swiss Representative for data protection

September 2023

Do you need to appoint a data protection representative?

The revised Swiss Federal Act on Data Protection (revFADP), which came into force on 1st September this year, includes a requirement to appoint a Swiss representative. This got me wondering how many UK companies might remain blissfully unaware of the requirement for many businesses to appoint an EU representative post Brexit.

What is an EU Representative?

If you’re a UK based business, you may still fall under the scope of EU GDPR if you offer goods and services to individuals in the European Economic Area or monitor the behaviour of individuals in the EEA. If you don’t have a branch, office or other establishment in an EU or EEA state, EU GDPR requires you to appoint a representative within the EEA.

This representative needs to be authorised in writing to act on your organisation’s behalf regarding your EU GDPR compliance. They are intended to be a point of contact for any EU regulator and EU citizens.

The representative can be an individual or a company and should be based in an EU or EEA state where some of the individuals whose personal data you handle are located. So, for example if you process data relating to German, Spanish and Italian customers, your EU rep should be based in one of these countries.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.

Just because your website might be accessible to EU citizens isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation;

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Representative. You will not need to appoint a representative if; you are a public authority or your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we’re a small business and our answers to all the above questions is NO.

But if for example you’re actively targeting your marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

Once you’ve established you meet the criteria, you need to know what an EU Representatives responsibilities are and find a company to p0rovide this service.  They have the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies. In selecting Ireland, you would need to be handling Irish citizen’s data. If for example you only process French and German citizens’ data you would need a Representative in one of these countries.

What about Swiss Representatives?

The revised Swiss Federal Act on Data Protection (revFADP) includes new and more stringent obligations on non-Swiss companies doing business in Switzerland. It includes a requirement to appoint a Swiss Representative. The Act broadens the territorial scope of the application of Swiss data protection law to make sure companies worldwide remain accountable for the protection of Swiss individuals’ personal data.

In practice, like the EU GDPR, organisations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with revFADP requirements. Organisations which process personal data of individuals in Switzerland and do not have a ‘corporate seat’ in Switzerland will need a Swiss Rep. For example if your activities

  • offering goods and/or services to individuals or monitor their behaviour, on a large scale,
  • are on a large scale, carried out regularly and pose a high risk to the data subject.

The role of Swiss Rep has involved from EU GDPR, they act as a local, accessible point of contact in Switzerland for individuals and for the FDPIC.

However, there are some distinct differences between revFADP and EU GDPR, such as the difference between a ‘corporate seat’ under revFADP and an ‘establishment’ under EU GDPR. Data processing on a large scale regularly and posing a high risk are part of the application criteria under revFADP, whereas under EU GDPR there’s an exemption to appointing a EU representative if your processing is not on a large scale, is not routine and is not high risk.

So, what’s the risk of not having a Representative?

This is not an area where we have seen much regulatory action. It seems likely a failure to appoint an EU or Swiss representative would only to come to light if an organisation suffered a personal data breach which impacted EU or Swiss individuals, or a particularly tricky complaint was received from an individual based in the EU or Switzerland.

However, if you squarely meet the criteria to appoint one, it would be wise to do so. There are plenty of companies who provide this service.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Data breaches – human or a catalogue of errors?

August 2023

Why systems fail

The recent spate of serious data breaches, not least the awful case involving the Police Service of Northern Ireland (PSNI), left me wondering: who’s really to blame? We’re used to hearing about human error, but is it too easy to point the finger?

Is it really the fault of the person who pressed the send button? An old adage comes to mind, ‘success has a thousand fathers, failure is an orphan.’

Of course, people make mistakes. Training, technology and procedures can easily fail if ignored, either wilfully or otherwise. Yes, people are part of the equation. But that’s what it is. An equation. There are usually other factors at play.

In the PSNI case – one involving safety-critical data – I would argue there’s a strong argument that any system allowing such unredacted material to enter an FOIA environment in the first place is flawed?

Nobody is immune from human error. About nine years ago, on my second day in a new compliance role, I left my rucksack on the train. Doh! Luckily, there was no personal data relating to my new employer inside. I lost my workplace starter pack and had to cancel my debit card. I recall the sinking feeling as my new boss said, ‘well, that’s a bit embarrassing for someone in your job’. It was. But I knew it could have been so much worse.

Approximately 80% of data breaches are classified by the Information Commissioner’s Office as being caused by human error. Common mistakes include:

  • Email containing personal data sent to the wrong recipients
  • Forwarding attachments containing personal data in error
  • Failing to notice hidden tabs or lines in spreadsheets which contain personal data (this is one of the causes cited in the PSNI case)
  • Sensitive mail going to the wrong postal address (yes, a properly old-fashioned dead wood data breach!)

However, sometimes I hear about human error breaches and don’t think ‘how did someone accidently do that?’ Instead, I wonder…

  • Why didn’t anyone spot the inherent risk of having ALL those records in an unprotected spreadsheet in the first place?
  • Why wasn’t there a system in place to prevent people being able to forget to blind copy email recipients?
  • Is anyone reviewing responses to Data Subject Access Requests or FOI requests? What level of supervision / QA exists in that organisation?
  • Why is it acceptable for someone to take confidential papers out of their office?

I could go on.

Technical and Organisational Measures (TOMs)

Rather than human error, should we be blaming a lack of appropriate technical and organisational measures (TOMs) to protect personal data? A fundamental data protection requirement.

We all know robust procedures and security measures can mitigate the risk of human error. A simple example – I know employees who receive an alert if they’re about to send an attachment containing personal data without a password.

Alongside this, data protection training is a must, but it should never be a ‘tick box’ exercise. It shouldn’t be a case of annual online training module completed; no further action required! We need to make sure training is relevant and effective and delivers key learning points and messages. Training should be reinforced with regular awareness campaigns. Using mistakes (big or small) as case studies are a good way to keep people alert to the risks. This is another reason why post-event investigation is so important as a lesson-learning exercise.

Rather than being a liability, if we arm people with enough knowledge they can become our greatest asset in preventing data breaches.

Chatting with my husband about this, he mentioned a boss once asking him to provide some highly sensitive information on a spreadsheet. Despite the seniority and insistence of the individual, my husband refused. He offered an alternative solution, with protecting people’s data at heart. Armed with enough knowledge, he knew what he had been asked to do was foolhardy.

Lessons from previous breaches

It’s too early to call what precisely led to these recent breaches:

  • The Police Service of Northern Ireland releasing a spreadsheet containing the details of 10,000 police officers and other staff public in response to a Freedom of Information Request
  • Norfolk and Suffolk Police accidentally releasing details of victims and witnesses of crime
  • Scottish genealogy website revealing thousands of adopted children’s names.

However, we can learn from previous breaches and the findings of previous ICO investigations.

You may recall the case of Heathrow Airport’s lost unencrypted memory stick. Although ostensibly a case of human error, the ICO established the Airport failed not only ‘to ensure that the personal data held on its network was properly secured’, but also failed to provide sufficient training in relation to data protection and information security. The person blamed for the breach was unaware the memory stick should have been encrypted in the first place.

Then there was the Cabinet Office breach in which people’s home addresses we published publicly in the New Year’s Honours list. The actual person who published the list must’ve had a nightmare, when they realised what had happened. But the ICO findings revealed a new IT system was rushed in and set up incorrectly. The procedure given for people to follow was incorrect. A tight deadline meant short-cuts were taken. The Cabinet Office was found to have been complacent.

The lesson here? Data breaches aren’t always solely the fault of the person pressing the ‘send’ button. Too often,  systems and procedures have already failed. Data protection is a mindset. A culture. Not an add-on. As the PSNI has sadly discovered, in the most awful of circumstances.

The impact breaches can have on employees, customers, victims of crime, patients and so on, can be devastating. Just the knowledge that their data is ‘out there’ can cause distress and worry.

Data protection law doesn’t spell out what businesses must do. To know where data protection risks lie, we need to know what personal data we have across the business and what it’s being used for.  Risks need to be assessed and managed. And the measures put in place need to be proportionate to the risk.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

What types of data protection risk are there?

August 2023

Data protection risks come in all shapes and sizes. They are not always easy to identify. How do we know what to look for and how serious they could it be?

There are risks to individuals (e.g. employees, customers, patients, clients etc) which are paramount under data protection laws. But there are also commercial and reputational risks for businesses relating to their use for data.

Risks could materialise in the event of a data breach, failure to fulfil individual privacy rights (such as a Data Subject Access Request), complaints, regulatory scrutiny, compensation demands or even class actions.

We should recognise our service & technology providers, who may handle personal data on our behalf, could be a risk area. For example, they might suffer a data breach and our data could be affected, or they might not adhere to contractual requirements.

International data transfers are another are where due diligence is required to make sure these transfers are lawful, and if not, recognise that represents a risk.

Marketing (either in-house, agency or tech platforms) could also be a concern, if these activities are not fully compliant with ePrivacy rules – such as the UK’s Privacy and Electronic Communications Regulations (known as PECR). Even just one single complaint to the regulator could result in a business finding themselves facing a PECR fine and the subsequent reputational damage.

The seven core data protection principles under UK and EU GDPRs are a great place to start when trying to identify where data protection risks may lie.

Data protection principles

1. Lawfulness, fairness and transparency

Is what we’re doing legal? Have we identified a suitable lawful basis, and are we meeting the conditions of this lawful basis? Is it fair and ethical? Are we being transparent about what we do in our privacy notices? See DPN Lawful Basis Guide

2. Purpose limitation

Are we only using personal data in the ways we told people it would be used for? We might want to use their data in new ways, but are these compatible with the original purpose(s) we gathered the data for? If we surprise people, they’ll be more likely to complain.

3. Minimisation

Are we collecting, using and holding onto more data than we actually need? Is some data collected and kept ‘just in case’ it might be useful in future?

4. Accuracy

Inaccurate or out-of-date personal information could lead to false assumptions which could come back to bite us.

5. Storage limitation

Hoarding data for longer than necessary could mean the impact of a data breach is much worse. Over-retention of people’s data could be exposed when handling a Data Subject Access Request, or an or Erasure Request. See DPN Data Retention Guidance

6. Information Security

Have we implemented robust security measures and controls to make sure personal data is protected, when at rest on our systems and when its transferred?

7. Accountability

Are we in a good position to defend what we do with the data? If scrutinised, do we have suitable records & evidence to demonstrate that we’ve taken data protection seriously? See Quick Guide to Data Governance

The lengths we go to try and embed these principles across our organisation will clearly differ depending on the sensitivity of personal data involved and what we’re using it for. When considered what security measures are appropriate, we should take a proportionate approach.

Some activities can automatically bring with them more risk. For example; handling special category data (such as health data, biometrics, sexual preference and ethnicity), collecting children’s data, using innovative technology such as AI and any activities which could result in an automated decision being made about someone.

We need to consider people’s privacy rights and have procedures in place to handle any requests we receive. For example, their right to be informed, right of access, right to object, right to erasure and so on. An inability to fulfil such requests may draw unwelcome attention.

In certain circumstances it’s mandatory to conduct a Data Protection Impact Assessment (DPIA). Conducting an assessment can often be useful, even if what you’re doing doesn’t fall under the mandatory criteria. It can help us to identify data risks from the outset so you can put measures in place to mitigate risks before they have any opportunity to become an issue. See DPN DPIA Guide.

Mistakes can happen

Here are some issues or gaps which could lead to data protection risks coming to the surface.

  • People-related risks – such as lack of training and lack of governance or ownership
  • Process risks – such as poor data handling procedures or manual processing on Excel / Sheets.
  • Technology risks – such as ineffective controls on core systems, or ineffective archiving/deletion processes.

If you don’t know where your risks lie, you won’t have a handle on how much risk the business is carrying. You may have several significant risks, but multiple low-level risks could also prove damaging.

Listen back to our online discussion: Managing and Assessing Data Protection Risks 

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Why is data mapping so crucial?

August 2023

Locating data across your business and creating your records

It’s widely recognised as the best foundation for any successful privacy programme; map your data and create a Record of Processing Activities.

It’s one of the UK Information Commissioner’s Office’s (ICO) key expectations:

‘Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.’

Believe it or not, some people don’t get excited by data mapping and record keeping! Nevertheless, maintaining effective records of your data processing is an important obligation under data protection law, which gives a range of benefits to your privacy programme. So let’s take a look.

Data discovery and mapping

This is the process of mapping out your data and how it flows across the business. Personal data may be held on a wide range of systems used by almost every function of the business – including HR, Marketing, Operations, IT, Logistics and so on. In many situations the data may be located on third party supplier systems.

So where to start? First talk with your IT colleagues who look after the systems the data is located on. Some businesses may already have inventory of their systems.

Mature businesses might even have an Information Asset Register (IAR), which lists all your information assets on each system. If so, you’re off to a flyer!

But if you’re not in that fortunate position, there are various ways to conduct a data mapping exercise. We suggest you take it a step at a time and set clear priorities.

Focus on datasets are likely to pose the greatest data protection risk, in the event of a data breach or other privacy violation. You can always build out from there later.

You might consider using technology to ‘sniff out’ personal data. Or you might talk with your IT teams to draft an inventory of your key systems & service providers, what personal data they hold and who the internal ‘owners’ (decision-makers) for these datasets are.

Record of Processing Activities (RoPA)

A RoPA is a key requirement for many organisations under the UK & EU GDPRs; notably those with 250 plus employees. This requirement applies to both controllers and processors. There is a limited exemption for small and medium-sized organisations who don’t handle particular sensitive data.

But what is the data used for? A RoPA links your personal data assets to the activities which the data is used for, by whom, where the data is located, any third parties its shared with, what measures are in place to protect it… and so on.

Fortunately, these activities (or uses for personal data) are usually linked to specific business functions/teams within an organisation. For example, the HR team will know all the activities associated with recruitment and employment of staff.

To create the RoPA, the two main approaches are to a) invest in privacy software with a RoPA module or b) use an Excel base template from a Supervisory Authority (e.g. the ICO) and populate it by collaborating with all the business functions which use personal data.

This is not a task to be taken lightly; the requirements for record keeping are onerous. It’s an area which many businesses have found challenging. And once you’ve create the RoPA, you’ll need to keep it up to date over time.

Gain extra benefits

Your RoPA should be the first place to look if you suffer a data breach, helping you to identify the categories of individual, sensitivity of the data, any data processors involved, who the data was shared with and so on. It can also be very helpful to reference your RoPA when handling Data Subject Access Requests, so you know where to look for the data required.

A proportionate approach for smaller organisations

Even smaller organisations, which may benefit from exemption from creating a full RoPA, still have basic record keeping responsibilities, which should not be overlooked and could still prove very useful. Smaller organisations only need to document their processing which is:

  • not occasional – therefore all the frequent processing must still be documented; or
  • activities which could result in a risk to the rights and freedoms of individuals; or
  • those which involve the processing of special categories of personal data, or data on criminal convictions.

A short guide to keeping your data records complete and up-to-date

1. Why? – The need for accurate records

If your records are allowed to become outdated, you can quickly lose track of the reach of your processing. Resulting in uncertainty when you most need it. After all, if you don’t know about certain processing, or hold a record of it, how can you possibly be sure the business is protecting that data?

There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need carry out a Data Protection Impact Assessment or Legitimate Interests Assessment.

If requested you might need to make your records available to a Supervisory Authority, such as the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.

2. Who? – Stakeholder relations

Make sure you have enlisted the support of your Board, as you’ll need help from many stakeholders to update you about changes to data processing in their area and notify you of new service providers to keep the RoPA updated.

No DPO or data protection team can create or maintain the records their own. They always need the support of others. We suggest you use a ‘top down’ as well as ‘bottom up’ approach.

Have you identified ‘data owners’ who are accountable for key datasets within the business? For example:

  • Human Resources – employment & recruitment data
  • Sales & Marketing – customer / client data
  • Procurement – supplier data; and so on

Each data owner needs to understand their role & responsibilities to meet internal data policies and ensure their function’s processing complies with data laws.
Building a regular two-way dialogue with data owners is essential, not only for record keeping but many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.

3. What? – Make sure you’re capturing all the right information

Check you’re capturing all the RoPA requirements. These are slightly different if you act as a controller or processor (or may act as both). If you want to check, see the ICO’s guidance on documentation.

I hope this short guide helps you to keep your own records up to scratch. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Remember, you can’t make sure personal data is adequately protected if you don’t know where it is and what it’s used for. Good luck!

 

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Dossiers, profiles and the data protection conundrum

August 2023

‘We have a file on you…’ It sounds sinister. Like something from a spy movie.

Nonetheless, there are many reasons why organisations create and retain profiles on individuals. Recently, this hitherto unremarkable topic took centre stage via the ‘Farage-gate’ de-banking affair. Suffice to say the fallout for NatWest and its private banking arm, Coutts, has been disastrous. We also know Nigel Farage won’t be the only person on whom banks have complied profiles. Nor are banks the only businesses to do so.

I’m not going to dwell too much on Nigel Farage or NatWest’s handling of his case. As a data protection practitioner what interests me are the inherent difficulties around creating compliant dossiers or profiles for legitimate business purposes.

Some organisations may have been blissfully unaware of the risks around ‘business intelligence’ or ‘due diligence’ profiling (until Farage-gate, that is). Others may decide the business benefits of the information they’re holding on individuals outweighs the potential risk.

Here’s a list of just some of the reasons businesses may choose to enhance the records held on individuals or create new records.

  • Business pitches: In preparing a business pitch, it seems logical to research potential customers or partners. Consider corporate hospitality, for example – do they support Arsenal or enjoy horse racing? These might be the little details that seal the deal.
  • Employment: For many roles, it would seem perverse to NOT perform basic due diligence on a candidate. Indeed, some organisations might be criticised for not doing so.
  • Donations: Charities, academic institutions and research bodies might receive a donation and want to know if it might be reputationally damaging to accept. Or they may research high-profile figures and/or philanthropists to see if they’re a good fit to approach to support their cause.
  • The personal touch: A client or customer shares sensitive information about themselves in everyday conversation. Their partner is unwell, for example. Do you want to keep a record, so you remember to ask after them the next time you speak? Or they might mention it’s their birthday – shall we keep a note so you can send flowers next year? My local Indian restaurant always sent my husband a birthday card, which he is always delighted to receive (although it might have had something to do with the complimentary samosas).
  • Activists & risk management: You may be aware of individuals who seek to disrupt your business activities for political or environmental reasons. In fact, you might argue you’ve an obligation to establish the risk for employee welfare and safety purposes.
  • Complainers: You might wish to alert your contact centre staff to customers who are prolific / abusive and / or vexatious complainants.
  • Social media commentators: You learn of people prone to unfairly badmouthing your business on Twitter / ‘X’, Facebook or online forums. You might choose to monitor their output for rebuttal purposes (incidentally, the most major political parties do this via ‘rebuttal units’).

There are endless scenarios why it makes good business sense to add information to a record you hold, or to create specific profiles about people. Clearly, the more sensitive the information, the more risk involved should the record be exposed – especially if you haven’t been open about what you’re doing.

The data protection conundrum

There’s something of a Catch-22 here. One of the core principles of data protection law is the handling of personal data must be lawful, fair and transparent.

Lawful basis

To be lawful, you shouldn’t do anything obviously illegal. Secondly, you also require a lawful basis for the purpose for which you’re using personal data. There are six to choose from:

  • Contract: You may be able to rely on contract if it’s necessary to gather this information for the purposes of a contractual relationship with the individual, or to take steps before entering into a contract with them. Banking is a good example, with its regulatory rules around money-laundering.
  • Public interest: You may be able to argue your actions are in the public interest. The risk here is conflating your interests with public’s! The threshold here’s pretty specific, usually for public protection and safety.
  • Legal obligation: You may have a statutory or sector-specific obligation to gather and hold certain information (banking, again, is a prime example).
  • Vital interests: This would only apply in an emergency; a life and death type situation.
  • Consent: You could ask the individual for their specific, informed and unambiguous consent. (hmmm, perhaps not … although in some parts of the world consenting to intrusive pre-employment screening is a prerequisite of recruitment processes).
  • Legitimate interests: You could balance your business interests, with the interests, rights and freedoms of the individual.

As you can see, at the first hurdle organisations may struggle to squeeze what they’re doing into a lawful basis. A quick glance might even suggest swathes of business intelligence and due diligence practices may technically be unlawful.

Many will have regulatory reasons that may fall under Legal Obligation or Legitimate Interests. Is your business or organisation one of them?

Legitimate Interests is often the lawful basis businesses choose, but would the balancing test of your business interests with the interests rights and freedoms of the individual really stand up to scrutiny? Perhaps not, if they have no idea you’re doing it. Which brings me neatly on to transparency…

Transparency

Data protection law tells us we should be open and upfront about what we do. Alongside this, people have a fundamental right to be informed about how we collect and use their personal information.

Your privacy notice (aka Privacy Policy) should cover the purposes you use personal data for. It may say something like; ‘We create profiles to better understand our customers and improve the service we provide’. It may clearly state you conduct ‘wealth screening’ or collect data indirectly from openly available sources.

But is it really that transparent? And has this privacy notice been brought to people’s attention, not camouflaged using acres of small print? Probably not, if the dossiers or profiles you’re creating aren’t related to people you enjoy an existing relationship with.

So, at this second hurdle, organisations may fail to meet transparency requirements.

Data collected indirectly

Arguably one of the most widely ignored aspects of data protection law (especially in this context) is the requirement to inform people and provide privacy information when we’ve collected their data indirectly, i.e. from another organisations or from openly available sources.

This should be done ‘within a reasonable period after obtaining the personal data, but at the latest within one month’. If the personal information’s going to be used for a communication with the individual, ‘at the latest at the time of the first communication’.

There are some exceptions such as providing this information would involve disproportionate effort and when the personal information must remain confidential subject to an obligation of professional secrecy.

In practice, individuals will often be blissfully unaware of dossiers and profiles have been created about them, until things go wrong.

What are the risks?

The two main ways in which data protection risks could materialise are a Data Subject Access Request (as the Nigel Farage case demonstrates) or a data breach.

Businesses should ask themselves – what would your response to a Data Subject Access Request (DSAR) look like? When gathering and keeping additional information about people, you need to consider the repercussions should you be required to disclose this information to the individual themselves. How likely is the individual to submit a request for a copy of their personal data. And if so, how damaging could it be?

Even if a DSAR feels highly unlikely, what would be the potential impact should this information be disclosed in a data breach?

How can you mitigate the risks?

Imagine your lawful basis is tenuous and people are unaware you’re holding a dossier or profile on them. Nonetheless, you still feel there’s a genuine business necessity. What can you do?

I know at this point, some people in my world might begin clutching their pearls, but with a seriously practical head on? We can reduce the risk by following other data protection principles:

  • Only gather and retain what you really need and can justify. Be proportionate – as the Farage case shows, do you really need all the information you’ve garnered when researching someone?
  • Delete it promptly when you no longer need it
  • Store it securely and limit access to only those who need it
  • Make a record your decisions. It’s much easier down the line to argue necessity if you’ve made a proper record at the time.

Don’t share material unless absolutely necessary and be mindful of the sensitivity of the details you’re keeping. If you feel it’s necessary to offer a view on someone’s opinions or politics – that becomes their personal data too. I can think of several reasons why that might be an entirely reasonable thing to do. Conversely, I can think of many reasons why it might not be!

So what do you think now? Are your dossiers or profiles really necessary and justifiable? Make sure you’re ready to defend your actions to individuals, the ICO or ultimately to the courts.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

International Data Transfers Q&A

July 2023

There’s no getting away from the fact, navigating the rules regarding the transfer of personal data to different countries around the world can be complicated.

Multiple different scenarios between controllers, processors and even entities within the same group of companies can throw up all kinds of questions. What’s the most appropriate transfer mechanism to use? Do we need to do a risk assessment? What should we do for Intra-Group transfers?

In this Q&A session we’ve selected some questions raised by the DPN audience which we believe will be useful for many organisations. We’re delighted to be able to draw on the expertise of Debbie Venn, Partner at DMH Stallard LLP to provide her answers.

Q: We are a controller based in the UK and we process the data of UK, EU and other citizens globally. We contract service providers based in the USA. What transfer mechanism should we use?

As the personal data being processed includes both UK and EU data subjects, we would usually recommend using the EU Standard Contractual Clauses (SCCs), with the UK applicable Addendum (Module One – controller-processor). This is so it can be covered under one agreement, rather than having a UK International Data Transfer Agreement (IDTA) and the EU SCCs, for this purpose.

You’ll also need to consider (as part of your controller responsibilities) whether there are any specific laws which need to be complied with in the jurisdictions outside of the UK and EU, such as California. This is to make sure there are no other provisions that need to be added into a relevant controller to processor agreement.

A controller to processor data processing agreement can cover all data sharing activities, with the EU SCCs and UK Addendum appended, to ensure compliance with both EU and UK GDPR.

We’d recommend this especially when special category data is being transferred, so additional wrap-around measures can be included, in addition to the EU SCCs and UK addendum. Alternatively, if the personal data being shared is minimal, you could opt for just the EU SCCs and UK Addendum.

As processors are based in the USA, a Transfer Risk Assessment would also need to be carried out for the purposes of assessing any additional security measures to put in place. However, if the U.S organisation is a signatory to the recently adopted EU-US Data Privacy Framework, this risk assessment would not be necessary.

Q. For Intra-Group Transfers should we consider basing this on EU SCCs or UK ITDA, or Binding Corporate Rules (BCRs)?

BCRs while they are useful, are complicated. They’re difficult to manage and agree internally within a group. They also need approval from a relevant Supervisory Authority – a process which can be painfully long. The UK ICO has, I believe, only 9 companies that have adopted BCRs since UK GDPRs became effective.

Many organisations are therefore opting to use EU SCCs or the UK IDTA (or EU SCCs with UK Addendum if both EU and UK personal data is being transferred). The agreement can set a detailed, granular framework for data sharing, reflecting the sharing practices, internal security compliance, and so on, in addition to the international data transfer elements. This is also useful when handling companies coming into the group and acceding the Intra-Group agreement.

Q. Do we need to perform a Transfer Risk Assessment for Intra-Group Transfers?

This depends to a degree on where group companies are located. But in principle, a TRA must be carried out to cover the proposed data flows / transfers in addition to entering into the relevant agreements / clauses.

Q. For Intra-Group Transfers should we follow the data flows, or the group company locations?

Follow the data. An Intra-Group Transfer Agreement should be set up to support the flows of the data, rather than prescribe how that data should flow.

Q. What is a Transfer Risk Assessment (TRA) / Transfer Impact Assessment (TIA)?

A TRA/TIA is an assessment which should be conducted when relying on an appropriate safeguard for a data transfer, for example, EU SCCs, UK ITDA or BCRs. Risk assessments are not required where an adequacy decision is in place, or when relying on an exception (derogation).

The aim of the assessment is to make sure the level of protection offered under the UK/EU GDPR is maintained even when the data is transferred outside the UK/EEA and to identify and help mitigate any risks, where necessary. The level of protection for the importer of the data / country doesn’t need to be the same, but essentially equivalent or sufficiently similar.

UK Transfer Risk Assessment (TRA)

This is an assessment produced by the UK ICO. It’s a risk-based approach, considering the harm in terms of non-compliance. It represents a fairly pragmatic approach focused on the likelihood of risk in terms of the receiving country and who might have access to the data (e.g. law enforcement or national security agencies).

It assists an assessment of whether the protection of personal data in a third country is adequate and does this on the basis whether standards in a third country are materially lower, rather than whether protection is equivalent (as for EU assessment). Essentially, you need to consider:

    • Who is the data importer?
    • Status of the data importer (i.e. controller/processor/sub-processor)
    • Activities of the data importer
    • Details of the personal data being transferred, including the individuals it relates to and the nature of the information. Does it include special category data, what kinds of volumes and how frequent?
    • Protection mechanisms in place, including format and transfer process
    • Assign a risk level to the proposed data being transferred: low, moderate or high and adjust the data, if this is possible and can help to reduce the risk.
    • Are the human rights of individuals in the destination country of a lower standard than in UK/EEA? Is it more likely that human rights breaches will occur, or would they be more severe if they did? Extra protections might be needed based on this risk.
    • What enforcement mechanisms are in place?
    • Do any exceptions apply? For example, in an emergency situation.

For more detail see the ICO Transfer Risk Assessment Guidance and TRA Tool

EU Transfer Impact Assessment (TIA)

The approach adopted in the EU is referred to as “supplementary measures”. This is more detailed and includes the European Data Protection Board (EDPB) recommendations on measures to supplement transfer mechanisms. If you’re a global business, the more pragmatic UK ICO approach may not be sufficient to meet the TIA requirements covering EU personal data.

For more information see the EDPB supplementary measures recommendations

Q: Who should complete the TRA/TIA in a supplier relationship – the controller or the processor?

Generally the controller should be assessing whether their personal data can be transferred to a processor. This is also usually governed by a data processing agreement between the two parties.

However, it may be depend on which party is initiating the restricted transfer; i.e. who is the exporter? This could be a processor or controller in the UK/EU transferring the data overseas. If a processor is exporting the data, they would be responsible for undertaking the TRA/TIA and putting the relevant SCCs/IDTA in place with any sub-processors involved.

Controllers however have a responsibility to make sure they are using processors who take sufficient steps to protect personal data. It’s not 100% clear how far the controller’s obligations would go to verify the processor’s compliance with UK/EU GDPR when making a restricted transfer.

Q: What level of assurance should we expect from other controllers (data importers) for any onward transfers to processors? Should we ask to review their TRA/TIAs?

Reviewing of TRA/TIAs would help understand the assessments made. However, this is all about assessment of the risks. The controller will need to weigh-up the risks, broadly considering a number of factors, such as:

  • Controller’s risk profile
  • Risk profile of the data
  • Data subjects in scope
  • Nature of the processing
  • Third countries involved and risk under local laws
  • Scope of the processor’s processing activities and their assessments
  • Reputation of the processor
  • Sub-processors used
  • Nature of assurances provided – has the processor given enough reassurance around the assessments they have made when making a restricted transfer?
  • Contractual provisions between the parties

Thanks Debbie! As these questions and Debbie’s responses demonstrate, the world of international data transfer rules can be tricky to unravel – especially for the uninitiated.

For many businesses, it often comes down to taking a proportionate approach based on the size of your organisation and the sensitivity, volume and frequency of the personal data you are transferring overseas.

What’s crucial is knowing where your data flows and to whom. Only then can you make a judgement call on the potential risks, and ensure appropriate transfer measures are in place for higher-risk activities.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

International Data Transfer Resources

How to tackle international data transfers

The rules on international data transfers under UK/EU data protection law can be complex to navigate. At the core is a requirement for specific safeguard measures to be in place for what are termed ‘restricted transfers’ and for companies to assess the risk posed to individuals by transferring their data overseas.

Data Transfers Q&A

Multiple different scenarios for international data transfers throw up all kinds of questions. We’ve selected some questions raised by our audience which we believe will be common to many organisations: International Data Transfers Q&A with Debbie Venn, Partner at DMH Stallard LLP.

Other useful resources

UK

ICO Guidance – International Data Transfer Agreement

ICO Guidance and Tool – UK Transfer Risk Assessments

EU

European Data Protection Board Guidance on International Data Transfers

European Data Protection Board – information sheet re US adequacy decision

European Data Protection Board supplementary measures recommendations

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.