International Transfers of Personal Data: Three Reasons to Take Action Now

There are (at least) three good reasons to act now to make sure your company’s transfers of personal data are in line with the different requirements which come into force during the course of 2022:

  1. Customer opinion: Customers are aware of the requirements and will expect you to warrant that your international transfers are compliant. Frankly, customers will also expect you to be able to include the correct clauses in your contracts.
  2. Due diligence: International transfers of personal data will be reviewed as part of any audit or due diligence process so will certainly be relevant for companies seeking investment.
  3. Regulator interest: International transfer of data is are a hot topic at the moment and if it is not addressed properly, could be seen as an aggravating factor in the event of a breach of your regulatory

Clarity now after a period of uncertainty

If your business transfers personal data collected in the UK and Europe to other countries such as the US, you may have been watching the many changes in the laws following the decision in Schrems II in the summer of 2020.

The good news is that after a long period of uncertainty around international transfers, we now have new standard contract clauses published by both the EU and the UK, plus clarity around how to analyse and document the security of the data being transferred in transfer impact assessments. So now is a great time to put your house in order.

Timing – let’s get going!

The new UK templates must be used from 21 September 2022. The new European standard contract clauses need to be replaced in contracts by the end of December 2022. Many companies are finding there is quite a lot to do before then.

What needs to be done

To summarise the process, companies need to review their flows of personal data to identify transfers of data collected from the UK and Europe to other territories. For those transfers, the right transfer mechanism needs to be identified (which is usually reliance on standard contract clauses). The next step is to dig out and update the relevant contracts, run transfer impact assessments, and document and review this process.

How we can help: We are data protection and privacy experts with years of experience working for multinationals. Our years of in-house experience mean that we give clear advice and practical solutions. We won’t trouble you with the ins and outs of the law (even though we secretly love that). We take the pain out of privacy compliance for our clients.

Leave a Reply

%d bloggers like this: