The Privacy Guy – Privacy Promise 7 – International

The rules in relation to personal data are different from country to country. This has the potential to make the lives of some companies complicated. Which rules apply? How can we make compliance easier? How can we make sure that personal information is protected, wherever it travels? What if the way we process personal information is right in one country, but wrong in another?

By Nigel Jones

Co Founder of The Privacy Compliance Hub

March 2020

The answer to all these questions raised by international transfers of personal data is to have in place a comprehensive privacy protection programme which makes it easy for you to demonstrate your compliance, wherever personal data is being processed.

Make your people understand, care and do

The most important thing in any privacy protection programme is your people.  The people in your organisation need to understand the risks inherent in some international transfers.  Once they understand, they will care.  And if they care they will do what they can to help.   At The Privacy Compliance Hub, we provide a simple platform to make people understand and care.  Our comprehensive privacy compliance programme is based upon our unique Eight Privacy Promises.  Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy who guides you through what it means and what it takes to comply with the law.

Privacy Promise 7 – We only send personal information to safe places

Or, in other words, we promise to only transfer personal information to countries that ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

What The Privacy Guy needs you to understand

The Privacy Guy needs you to understand that the GDPR imposes restrictions on transfers of personal data. Such restrictions apply in the EU and the UK (which, by virtue of the Data Protection Act 2018, has adopted the same rules as in the GDPR).

When a transfer is being made outside your country you need to make sure that there is an adequate level of protection for personal information in the country to which the personal information is being transferred.  The EU has deemed some countries as having an adequate level of protection (eg New Zealand), but has not deemed the level of protection in other countries as adequate (eg Australia).

Given that the UK has now left the European Union, the situation with transfers outside the UK has become more complicated for data controllers in the UK, and the UK and the European Union will have to try to negotiate arrangements by which they deem each other's protection levels as adequate.

Why The Privacy Guy thinks you should care

At home, you would care if your personal information was being sent to countries with outdated or inadequate data laws.  You may worry that your personal information may not be safe in such countries. Or you may be uncomfortable if it appeared easy for the governments in such countries to see your personal information.

If you are uncomfortable with such things at home, you should take care to make sure that you are looking after personal information at work.  So what should you do?

What The Privacy Guy needs you to do

You need to make sure that you consider whether you need to transfer the personal information in the first place.  If you do, do you need to transfer it to a certain location, or are there other locations which are safer? For example, when using a cloud hosting provider you often get a choice over whether your data can go to the USA, or whether it stays in a European location.  The situation is the same with VPN providers where you can choose which server to route your data through.

You should make sure that individuals whose personal information you are processing know where their personal data is being processed. If you are using a cloud hosting provider outside the EU then you should make those individuals aware of this in, for example, a privacy notice.

Finally, you need to make sure that you have in place all the other protections that you would need for transfers to third parties within your country.

"We weighed up all the pros and cons, ease of use, quality of service and content. We found the sweet spot with the Privacy Compliance Hub".

Jacob Herandi, Finance Project Manager, Wayhome


A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. International transfers of personal data are just one aspect of privacy compliance, but should be an important part of any privacy compliance programme. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the GDPR and the CCPA.

