Data hosting and transfers post Schrems II and Brexit
The good news is that some of the uncertainty around holding personal data outside the UK and transferring it between the UK and the EU/US after the end of the Brexit transition period and the Schrems II court ruling has started to resolve itself.
Data Transfers between the UK/EU
The EU has issued a draft decision confirming that it will regard the UK as a safe place to hold/transfer personal data. That means that your EU customers should remain comfortable transferring their personal data to you in the UK, and having it held here. While that decision is not yet final, it is a very positive step for UK business.
Some time ago, the UK confirmed that UK businesses could continue to transfer data to the EU without taking additional steps. That said, you will need a data processing agreement with your service providers that contains all the required provisions.
Data Transfers outside the UK/EU
When your business holds/transfers data outside the UK/EU (especially to the US) there are some practical steps you need to take:
- Review and document what personal data you hold/transfer, in which countries it is held, to which countries it is transferred, and by what means (e.g. HR software, CRM system, Google, Slack, etc.).
- If you’re handling/transferring consumer data or sensitive data such as children’s or health data, these are higher risk, so you’ll need to take extra steps to ensure your data storage/transfers are compliant. If you haven’t already, we’d recommend a proper data transfer impact assessment.
- Check you have contracts in place with each provider and that, where required, they include Standard Contractual Clauses (SCCs). You’ll need them for data transfers to the US and to other countries that don’t have an adequacy decision.
- If you don’t have SCCs in place, or were relying on the Privacy Shield for US transfers, you need to put SCCs in place now.
For data transfers to any country that does not have an adequacy decision (such as the US), you’ll need to perform a risk assessment. This includes looking at the data protection laws in that country, assessing the potential security or privacy risks of transferring the data there, and documenting what steps you’ve taken to mitigate any such risks. But don’t panic yet: the ICO will be issuing guidance on how to do this.
Also, the format of the SCCs is being reviewed in the UK/EU and will change so that they align better with GDPR. You can continue to use the existing version of the SCCs now, so don’t delay in putting them in place with your existing suppliers where they are needed. When the new SCCs are published, you’ll have up to 1 year to replace the old version with the new ones.