Back in 1987 when I joined Reuters as a relatively junior lawyer, one of my first assignments was to audit the company’s data processing activities. I spent a few months visiting senior managers’ offices around Reuters to explain the new laws in a bid to understand the data each section was collecting and storing. I would tick off various charts in the process. I no longer remember what else I did to ensure Reuters would be compliant with the Data Protection Act 1984, but it was a simple exercise compared to GDPR.
In those days there was no internet so the landscape was far less complicated than it is today even though Reuters was a large tech company. The widespread use of cloud computing and dedicated apps for functions like accounting, marketing, time recording and more had yet to develop.
Since founding Azrights there have been some data protection projects involving data breaches or creation of new databases. Often these gave rise to legal questions such as whether IP addresses or particular postcodes were personal data, and what is involved in anonymising data in order to exploit it. However, apart from these rare instances, by and large data protection has been of low interest to clients whose main priority was to obtain documentation for their websites.
Fast forward to today, and GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with EU data protection law as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.
The recent events surrounding Cambridge Analytica and Facebook’s subsequent actions have only added to the significance of GDPR. I touched on this in a recent blog, “3 Steps Every Business Needs To Take To Comply With GDPR Apart From Email Marketing”.
There are many facets to GDPR, one of which is the ban on the transfer of data outside the EU. This will impact the widespread practice of using freelancers located in low-cost countries like India or the Philippines for various business functions. It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term, so Brexit will not affect the applicability of GDPR to UK businesses.
What Transferring Data Outside the EEA Means
Transfers of data outside the EEA are only permitted in limited situations, such as where the recipient country ensures ‘adequate’ protection for data subjects and their personal data. It’s important to note that “transfer of personal data” doesn’t just mean the sending of personal data in the form of paper documents or emails from one country to another. Many of us are routinely transferring data outside the EEA when we:
- Communicate personal data by telephone, email, fax, letter, through a web tool or in person to countries outside the EEA;
- Use IT systems or data feeds leading to personal data being stored on databases hosted outside the EEA;
- Use freelancers or companies located outside the EEA who can access or “see” our personal data held in the EEA; and
- Outsource, offshore, use cloud computing, or third party apps located outside the EEA for various business functions.
The online world is borderless, while the GDPR laws have clear boundaries. This means we either need to find a justifiable basis for continuing our existing data transfer activities or change our practices.
The GDPR imposes substantial and onerous new obligations on all of us. Because it impacts so many routine business functions that need to be reassessed, nobody can ignore it. Some of the rules under GDPR are less onerous for small businesses, but it doesn’t exempt anyone, not even micro businesses. Many organisations outside the EEA are realising the implications GDPR has for them (because they process EU individuals’ personal data), so they are busy making changes to their platforms in order to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws.
Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.
Implementing GDPR is time-consuming, wide-ranging, and even overwhelming. The more you do, the more you realise there is to be done. So, don’t delay. I would recommend reviewing the ICO’s resources, and if you want help, then Azrights is here to support you.
One benefit of using my guidance on GDPR is that I have a few grey hairs, and have a commercial approach to risk management. Many decisions involved in applying the GDPR regulations are not black and white. Until a body of case law develops to interpret the different aspects of the regulations, you need to make a judgment call as to how to apply the new laws to your business, what to prioritise and focus on, and how strict to be when implementing the different rules. If you want a lawyer who will help you to make sound choices I’m well placed to support you.
If you’ve not already done so, do opt in to our GDPR updates on how to comply with GDPR.