Just a brief note on one possible concern about GDPR: personal data passing outside the European Economic Area (EEA).
You have to ask yourself a simple question. Does anything I do result in personal information belonging to someone else (e.g. clients) being passed outside the confines of the EEA?
Whilst most of us will answer almost immediately that it does not, you should think again. What are your suppliers up to? In particular, what are your email servers and data backup services up to? Are you sure that stuff isn't going to the USA, or even Afghanistan for that matter? After all, we talk about storage in the Cloud, but hopefully none of us actually believes that it is somewhere in the sky above! Wherever it is, you can be certain that it sits on a storage device in a country somewhere.
Data Protection Principle 8 (the eighth data protection principle of the UK Data Protection Act 1998), which applies now, by the way, and not just when GDPR comes in, states the following:
Personal data shall not be
transferred to a country or territory outside the EEA unless that country or
territory ensures an adequate level of protection for the rights and freedoms
of data subjects in relation to the processing of personal data.
Exactly what constitutes an adequate level of protection is for the European Commission to decide. As far as I can establish, the European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with Japan and South Korea.
I do not know at the time of writing whether this list is up to date, as the EU source document was in fact undated.
For most firms, the most likely area of risk is the USA, partly because of giants like Microsoft, Apple and many social network sites. These have probably all subscribed to the Privacy Shield framework (Microsoft, Apple and Facebook have, for example).
The task is to establish whether, somewhere in the hidden workings of their data processing, any suppliers of yours (or the sub-contractors they in turn rely on) are using countries other than those above, or, in the USA, are using firms that are not within the Privacy Shield framework. How do you do that? You ask them, or you check on the Privacy Shield web site.
The law states that you cannot send personal data to countries outside the EEA that are not recognised by the EU Commission, or, in the case of the USA, to firms that are not certified under the Privacy Shield framework. (Adequacy is not the only lawful route, since the Commission's standard contractual clauses also exist, but it is the simplest one to check.) A word of warning: the previous framework, Safe Harbor, was struck down by the Court of Justice of the EU in October 2015 and is no longer acceptable.
GDPR will bring this legal requirement further into play, so as part of your preparation for GDPR you need to give this matter a little consideration.