Although the UK is no longer an EU member state, there are influences arising from our former membership that remain with us and which will shape new laws and regulations. A consultation just launched by the Information Commissioner's Office serves as a reminder of that.
There are a great many cases where businesses process personal data in a way that involves the data crossing international borders. The fact that this is happening may not even bring pause for thought - finding out how a service provider such as an email management service or a chat service provider manages the data requires wading through terms and conditions and privacy notices to identify the key detail.
The European Court of Justice decision in Schrems II has created a completely new dimension to the responsibilities of the business community. It clarified the responsibility of a data controller to undertake a risk assessment in relation to its international data transfers where the destination country has not been adjudged by the UK as having adequate protection for personal data or where the few specific exemptions that exist cannot be relied upon.
The ICO consultation materials include a potentially valuable transfer risk assessment ("TRA") tool to help businesses address the risks involved in international transfers. In addition, we will need to get used to new terminology. Whilst standard contractual clauses will still feature in the language of data practitioners when dealing with the EU, our regulator's model clauses are to be found in an "International Data Transfer Agreement" (IDTA).
However, it is the area of risk assessment that is recognised by ICO as the most challenging part of international data transfers. This will be the case particularly for SMEs. How can businesses get to grips with understanding the legal regimes in perhaps many other territories? And remember, it's not just about whether laws ostensibly protecting personal data exist; it's also about the effectiveness of enforcement and risks such as those arising from surveillance activities.
A further problematic area arises where, when completing an IDTA, you learn that your data processor relies on storing data within a data centre in yet another territory that has not been adjudged adequate. The processor may be unable to meet the requirements of the IDTA in consequence.
There should be no surprise that frequent reference is made in the consultation document to the need for specialist legal advice.
One aspect of the consultation that larger businesses will want to see addressed through consultation responses is the question as to whether data transfers to and from group legal entities in other legal jurisdictions need to be treated so stringently. ICO is open to considering the potential for simplification in this area.
The consultation may be accessed at https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/ and is open until 5pm on 7th October 2021.
In line with our Regulatory Action Policy, if you can show that you have used your best efforts in completing a TRA, whether or not you use this TRA Tool, if it later turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of Chapter V UK GDPR.