If you are doing business in Europe you are undoubtedly seeking GDPR assessment and accreditation services. You may have already guessed that between the preparation costs to get ready for a GDPR audit as well as the a third party assessors to audit and certify your company, the expenses exponentially begin piling up.
When implementing the GDPR, international transfer of personal data is one of the biggest challenges for a group of companies. This is because, usually, the company members share personal data between each other or send personal data to a group of enterprises engaged in the same economic activity which are not always located in the EU or in a country recognised for offering adequate protection.
Want to see how you prepared you really are?
Take our FREE GDPR readiness assessment and download your report today. Follow this link to create an account and see how compliant with GDPR you really are!
Just the facts ...
Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data.
The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
Find out more by calling +1 (888) 896-7580 today.
A presence in an EU country. Any company that has an actual physical business location in any EU country must comply with the new GDPR requirements.
No presence in the EU, but it processes personal data of European residents. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
More than 250 employees. A smaller business provider may be exempt from the GDPR requirements however other factors may mandate your compliance.
Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
It is all about the data! Discuss the implications to your business with a Lazarus Alliance Cybervisor.
Binding Corporate Rules or Standard Contractual Clauses?
Standard Contractual Clauses
What is it?
Contract between two legal entities.
It allows the transfer of personal data from EEA to third countries not recognized as offering adequate protection.
Not required. Transfers based on the SCC may be made without requiring further authorization from the DPA.
Enables data subjects to exercise contractual rights even though they are not a party to the contract; and, the recipient agrees to be subject to EU DPA and courts.
- Provided by the CoE. Ready to be used.
- Can be added to main agreements;
- Good for a particular data flow;
- Best solutions for small companies.
In cases of large companies to put in place, hundreds of model clauses will result in high administrative costs; file, storage, review, and keep up to date.
or Binding Corporate Rules
What is it?
Compulsory code of conduct within a group of companies or group of enterprises engaged in the same economic activity.
It allows the transfer of personal data from EEA to third countries not recognised as offering adequate protection.
Required. But only by the lead DPA. No additional authorizations are required, and a uniform approval mechanism is set by GDPR.
The BCR must be legally binding. The companies based in the EU are liable for breaches committed by any member not located in the EU.
Tailor Made. Allow large number of data flows for various purposes. Dealing with one DPA. No contract for each transfer. Plenty of EU guidelines. Good PR.
The final validation can take one year or more. Big expense; however, the cost is less than other ways of handling transfers. Not valid for transfer to third parties.
Find out more by calling +1 (888) 896-7580 today.
Now, there are several options to transfer Personal Data outside the EU. However, for companies with members or business partner located in third countries not recognized as offering adequate protection -because of Brexit may include the UK- the most cost-effective legal options available are Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCR”).
By using the Standard Contractual Clauses, data controllers can export the data to recipients in third countries by agreeing and signing the SCCs; by using the BCR, the group of enterprises will be able to use their internal rules for international transfers of personal data within the same corporate group or business partners located in third countries with not an adequate level of protection.
Both mechanisms are subject to provide the supervisory authorities with enough proof that adequate safeguards are in place; and under any circumstance, the instruments are allowed to replace the data protection obligations bound by law.
Transborder data flow is a transfer of personal data to a recipient who or which is subject to a foreign jurisdiction. Article 44 of the GDPR states “any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization (…)”
For instance, a simple email containing personal data is sent to a group internal email address, which includes addresses located outside the EU*, already forms an international data transfer.
So, first, it is important to determine the data that an organization collects and process (Data Mapping), covering the categories of data held and processed by each of its departments and the data transfers and disclosures between them and third parties.
The next step would be to define whether the personal data is being transferred to a country outside the EU**; for that, the following points may help your perusal:
- Storage Place of the Personal Data
- Countries or jurisdictions from which the personal data may be accessed
- Entities to which the personal data may be disclosed and the legal grounds for the disclosure
- List of countries or jurisdictions involved in cross-border data flow
Now, due to the increased digitalization and adoption of technologies -e.g. cloud services and data analytics- and, the implementation of regulations with international scope, there is a strong possibility that an organization is transferring personal data abroad on a daily basis.
In view of the above, note that when transferring data internationally the principle of adequate protection has to be respected. In the absence of adequacy decision, Standard Contractual Clauses (“SCC”) Binding Corporate Rules (“BCR”) and specific derogations are alternative transfer tools.
Also note that because of the GDPR, SCCs will also be available for EU based processor and processor in a non-EU country, BCRs will also be available between business partners and it introduces new instruments for international transfers: “Approved Codes of Conduct” and “Certification Mechanism”.
Start working smarter not harder today ...
There is no one-size-fits-all approach, the assessment of which mechanism is the best to enable the free data flow within an organization or between partnership companies shall be done in a case by case basis. Otherwise, a company can implement a mechanism that does not match its needs and can increase its costs without justification or not cover all its activities bringing substantial legal, operational and reputational risk.
The General Data Protection Regulation (GDPR) professionals at Lazarus Alliance are completely committed to you and your business’ GDPR compliance success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.
Call us at +1 (888) 896-7580 and speak to a GDPR professional today.
What does that mean for Lazarus Alliance clients?
The General Data Protection Regulation (GDPR) represents a paradigm shift in global privacy requirements governing how organizations manage and protect personal data while respecting individual choice—no matter where the data is sent, processed, or stored. It introduces new requirements on privacy, security and compliance for organizations that offer goods and services to European Union (EU) residents.
Organizations will need to build the new requirements for security and privacy into their business models and help thier own customers navigate the nuances of the GDPR. This creates opportunities for our clients to position their businesses as leaders in the privacy and data management space, while elevating their global impact.
By leveraging our proactive cyber security methodology and innovative technology from Continuum GRC, we help you get from start to compliant quickly and cost effectively.
We Have What It Takes!
Lazarus Alliance is an A2LA ISO/IEC 17020 accredited organization certification number 3822.01.