How to Protect Personal Data When Moving It Between Countries while working in a Global Company

The upcoming EU GDPR introduces a relatively new method of ensuring adequate protection for personal data when it is transferred to countries outside the European Economic Area between different entities of the same corporate group.

These are known as “Binding Corporate Rules” and are seen as the new gold standard of intra-company data protection standards.

These were developed because using constant repeated contractual arrangements is not a cost-effective or practical way of legitimising international transfers for data-reliant organisations operating across the globe.

Essentially, a set of BCRs must be based upon European Privacy standards and include the following:

The Sea-Change of the Concept of Privacy and its Consequences

"Privacy". It's all the rage nowadays. More and more laws are being drafted for purposes of protecting personally identifiable data, not least the massive upcoming EU General Data Protection Regulation.

But while Privacy may be becoming increasingly valued in the era of "big data" - where giant multi-national corporations devour information to fuel in-house machine learning and other forms of normative Artificial Intelligence - that certainly wasn't always the case. Not until quite recently in fact.

"Privacy" as a concept didn't even exist in formative English common law (beyond very limited torts). In fact, apart from the embryonic 4th Amendment to the U.S. Constitution, there weren't any decently strong protections for privacy in the Western world until the passage of the European Convention on Human Rights. Article 8 of the ECHR may in theory ordain a right to privacy, but it has so many qualifiers:

"except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

Before the information age, privacy really wasn't seen as a big deal, especially compared to the unqualified rights set out in the ECHR, such as freedom from torture and the right to a fair trial, which were deemed a far higher priority to protect. But that's all changing now.

When Do You Actually Need a Data Protection Officer under the GDPR?

You can hear the rumbling on the horizon. That's right, GDPR is coming. But no need to panic; as long as you're aware of what exactly you have to comply with - and make solid, demonstrable steps towards compliance - you should be fine.

So with that in mind, let's focus on one of the absolute key areas of the legislation that has organisations concerned. That's right; appointing a Data Protection Officer. Basically, according to Articles 35-39 you must appoint one in three specified situations:

  • where processing is carried out by a public authority;
  • if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
  • if the core activities consist of processing special categories of personal data on a large scale.

Now, that may seem simple enough. But statutes always seem simple until you actually have to apply them. For example, what do they mean by "core activities", "large-scale" or "regular and systematic monitoring"? There's no real body of case law to help us, after all.

Have no fear, because in December 2016, the Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) helped clarify all of this.

Personal Data Breaches

What are my Obligations under the GDPR?

Preparing for GDPR - What's the Deal on International Data Transfers?

I'm sure you've heard about it by now, but if not - the upcoming EU General Data Protection Regulation puts in place stringent new standards for ensuring adequate safeguards for most international transfers of personal data.

Basically, apart from the situations explained later in this article, you can only transfer personal data to other countries by legally protecting it - mainly through "model contractual clauses" issued by the EU Commission, or by using "binding corporate rules" with specific information requirements, to lock into place adequate data protection standards when that data is processed in other countries.

Now, as alluded to earlier, these extra safeguards don't apply if you're transferring data to EEA countries (all the EU member states plus Norway, Iceland and Liechtenstein). Nor do they apply to a specific list of other countries which the EU Commission has deemed to already have "adequate" data protection laws and regulatory structures in place. These countries are: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

Get in Touch

  • Phone
    0207 458 4088
  • Address
    40 Bank Street, Canary Wharf
    London, E14 5NR