Step 8 – “The transfer window” – data transfers under the GDPR
Every January in the UK we are used to seeing the football pundits gather to see how many millions of pounds will be exchanged in the Premiership to secure the transfer of top international player talent. The question for all employers is “will we start to see Supervisory Authorities scrutinising data transfers and flexing their muscles to impose fines on organisations post GDPR?”
Under current laws, transfers of personal data to countries outside of the EU are restricted unless one of the authorised exceptions can be applied. Those exceptions include obtaining a data subject’s consent for any transfer, utilising standard contractual clauses, transfers to approved countries, Privacy Shield or binding corporate rules.
The obligation to ensure that any transfer of data is handled correctly rests solely with the data controller.
Data transfers under the GDPR
The GDPR largely preserves the current requirements, but there are some significant changes. These include:
- The obligation to notify the supervisory authority, or to obtain its approval, for transfers made under standard contractual clauses is removed
- Introduction of the concept of a code of conduct (Article 40) or an approved certification mechanism (Article 42)
- Clarity that it is not lawful to transfer personal data outside the EEA in response to a legal requirement from a third country, unless the requirement is based on an international agreement or one of the other authorised exceptions for transfer applies; note the UK has opted out of this provision.
- Breach of the GDPR’s data transfer provisions is identified in the band of non-compliance issues for which the maximum level of fines can be imposed (up to 4% of worldwide annual turnover).
- Non-compliance proceedings can be brought against controllers and/or processors.
What can you do to help ensure compliance and mitigate risk?
There are many things that a data controller and processor might consider doing to be able to demonstrate compliance with the data transfer rules, among the most important of which is to begin with a review and mapping of key international data flows. Once data flows are understood, organisations may then (amongst other things) start to review which data transfer mechanisms are currently utilised, and assess whether these mechanisms are still relevant and appropriate.
Organisations may also want to monitor any developments regarding approved codes of conduct and certification schemes that we mention above.
What about your background screening provider?
HireRight fully expects its customers to want to know the locations in which their EU candidate/employee data is processed, and as a result of that what data transfers may occur outside of the EU. HireRight has undertaken a programme of review to data map its processing activities and to analyse mechanisms of transfer, and this information will be made available to customers and to candidates during the screening process. HireRight has also undertaken a review of its vendor and subcontractor processing and data maps in order to understand the onward flow of data and ensure appropriate contractual, security and technical measures are in place to protect these transfers. HireRight expects to work with its clients to ensure lawful transfers utilising a mix of candidate consent, standard contractual clauses, and/or transfers to approved countries.
Customers and candidates need to have the comfort of safe transfers. No one wants to be known for record breaking transfer fees outside of the world of football!