The rules around personal data are different from country to country. How can we make sure personal information is protected, wherever it travels? Just like with safe sharing (Privacy Promise 4), the GDPR requires companies to only send personal information to countries that ensure an adequate level of protection for the rights and freedoms of data subjects.
The EU has deemed some countries to have an adequate level of protection (eg New Zealand, Canada and Japan) but not others (eg Australia and the USA).
In the seventh of our short training videos, the Privacy Guy highlights why this is so important. Imagine you’ve recently downloaded a new app and have had loads of fun taking silly photos and videos on it. You even use it to take a few selfies while you’re on a protest march. Then you see on the news that foreign governments use the app to spy on people just like you.
Or perhaps at work, you’re thinking about using a great new lead generation agency in your marketing department. Then you discover that their back office is actually overseas. Does this raise any alarm bells?
In establishing parameters around sharing data internationally, it’s a good idea to consider whether you need to transfer the personal information at all. If you do, does it need to go to a particular location, or are there others which are safer? For example, when using a cloud hosting provider, you often get a choice of which server location (USA, UK or EU) your data is stored in.
You should also make clear, in a comprehensive privacy notice, where the personal information of individuals is being processed. It’s all part of a wider culture of continuous privacy compliance whereby your employees understand privacy, care about it, and do their bit to keep it safe.
Find out more next time, with our eighth Privacy Promise – privacy by design and by default.