Transfers of data from an EEA country to a ‘third country’ must satisfy the requirements of Chapter V of GDPR. Many firms rely on the EU Standard Contractual Clauses (the “Model Clauses”). The recent ICO £500,000 fine on the UK subsidiary of Equifax, following a data breach at the US parent company which affected 143 million people, contains some useful lessons, even though the relevant events predated GDPR. Among the many criticisms of Equifax set out in the ICO monetary penalty notice, note that Equifax were unable to provide a signed copy of the data transfer agreement, and that the UK subsidiary had failed to audit its US parent. We know that the same criticism could be levelled against many international law firms.
The ICO updated its guidance on international data transfers in August 2018.
Article 28 stipulates several provisions which are required in contracts between controllers and processors. Where there is an international element involved, many organisations are using the Model Clauses. Note, however, that there are a number of areas where these do not meet the requirements of Article 28.
Brexit, with or without an agreed deal, will present challenges to compliance in managing dataflows from Europe to the UK and beyond. Firms will need to re-examine their arrangements over each link in the chain of data transfers and implement appropriate mechanisms. The wording of the draft withdrawal agreement is unclear: much will depend on whether the UK secures an adequacy decision during the Transition Period.
Links to several advice documents from HM Government, the Law Society and the Solicitors Regulation Authority (SRA) on data protection are on our Data page (see link above).