The UK and EU GDPR (General Data Protection Regulation) restrict transfers of personal data outside the UK and EU respectively.
Consequently, you must put an appropriate mechanism or safeguard in place to transfer personal data internationally, such as:
The IDTA (international data transfer agreement);
SCCs (standard contractual clauses); or
BCRs (binding corporate rules).
Let’s take a closer look at these mechanisms, and when and how to use them.
In this blog
When and how do I use SCCs/the IDTA?
What are SCCs and the IDTA?
Article 46(2)(c) of the EU GDPR allows for “standard data protection clauses adopted by the [European] Commission”. These are your ‘SCCs’ or ‘standard contractual clauses’.
Post-Brexit, the UK introduced its own version of these model contractual clauses: the ‘IDTA’ or ‘international data transfer agreement’, but the same principles apply to both.
Organisations can use these model contractual clauses to comply with their Article 28 requirements around processor contracts.
But they’re also a safeguard for international transfers if used correctly. Here are some points to consider:
Select the correct model clauses – the clauses are different for data controllers vs processors, and differ depending on the countries you’re sending data to.
You can’t amend or remove the mandatory clauses of the IDTA/SCCs, but can amend their commercial terms, provided that they don’t change the meaning of the pre-written clauses. If you want to modify other aspects of the agreement, you’ll need to create a new contract.
The clauses only apply to the data processing activities set out in the SCCs/IDTA. So, you must draft new contracts every time the activities change.
You must complete a risk assessment, which will tell you whether you can proceed with the international data transfer. These are called:IDTA: the TRA (transfer risk assessment).
SCCs: the TIA (transfer impact assessment).
Bear in mind that both the IDTA and SCCs are legal contracts. As such, we urge organisations to consult a data protection lawyer when creating them – because oversights in their terms or clauses could cause major problems.
When and how do I use SCCs/the IDTA?
SCCs and the IDTA work well:
For organisations likely to participate in two-way data sharing; and
In internal personal data transfers where the processing is straightforward.
However, in most cases, if the country you want to send personal data to has an adequacy decision, it makes more sense to rely on that.
You also wouldn’t use SCCs or the IDTA if you’re an international organisation with an ongoing and/or complicated set of internal personal data transfers to undertake. This could quickly tie you up with hundreds of SCCs to cover each pairing of entities, and each of your processing activities.
In such a scenario, BCRs are usually more suitable.
Want to get future insights like this straight to
your inbox? Subscribe to our free weekly
newsletter: the Security Spotlight.
What are BCRs?
BCRs are a set of internal rules (a bit like a code of conduct) that regulate international personal data transfers within a single multinational.
They also act as a public acknowledgement of the privacy rights of individuals whose data is being processed. This can improve the organisation’s reputation among potential data subjects and other stakeholders.
BCRs can be cumbersome to implement, because they cover a much larger and more complex set of processing activities than SCCs. That said, you just need one set of rules, so long as:
These are properly integrated into all data privacy laws you may need to comply with, including the UK and EU GDPR; and
You have the correct supporting documents to go with them, like:A list of covered entities;Data privacy policies and procedures;Data protection audit plans; and
Guidelines for employees.
This can make BCRs particularly suitable for large organisations that operate in many different countries or territories.
When should I implement BCRs?
BCRs can apply to both controller and processor agreements/processing activities (of that single organisation).
And once implemented and approved by the supervisory authority (which we’ll get to below), BCRs have advantages like:
Making data protection an integral part of your organisation’s processes;
Reducing compliance costs when you make changes to your processing activities; and
Providing flexibility when you introduce new products or services (which usually changes your processing activities).
How can we use BCRs?
The UK ICO (Information Commissioner’s Office) and European Commission regulate the use of the UK and EU BCRs respectively.
Organisations that want to use EU BCRs must apply to a relevant supervisory authority to have their rules approved. The organisation must also designate a lead authority, who:
Advises other affected authorities, such as those in all EU member states where the organisation has offices; and
Facilitates the authorisation process with other applicable data protection authorities.
To use the UK BCRs, organisations must apply to the ICO. The regulator’s website has more information on the application process.
BCRs can take 12 months or more to complete and, without legal assistance, can become onerous and extremely time-consuming.
Let GRCI Law help
Our sister company GRCI Law offers GDPR Contract and Legal Services, including reviewing, drafting and/or updating your SCCs/IDTA and BCRs.
We can advise whether SCCs/the IDTA or BCRs are most appropriate, and help you implement them to bring your data transfers in line with the GDPR and other data protection laws.
We can also help you negotiate the complexities of international data transfers and ensure you have the right safeguards in place, including:
TRAs and TIAs for the IDTA/SCCs; and
Managing BCR registrations with supervisory authorities.
Why use GRCI Law?
GRCI Law is a specialist legal and compliance consultancy – we only advise on data protection and data privacy matters – with decades of experience and a solid track record.
We have extensive experience working in data protection law, including:
Writing contracts;
Enabling GDPR compliance; and
Dealing with supervisory authorities.
We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.
Because we don’t provide these reserved legal activities, we’re able to offer you high-quality, specialist advice at competitive rates.
The post GDPR: International Data Transfers Using the IDTA, SCCs or BCRs appeared first on IT Governance UK Blog.
