As customers begin to realise the value of their data, they are increasingly concerned about protecting it as well as they can. The General Data Protection Regulation (GDPR) became applicable across the EU on 25 May 2018 and quickly became something of a household term. The new data protection rules are complex, and they come with many important caveats, including restrictions on transferring personal data outside the EU.

Despite users becoming more aware of how their data is stored online, 69% remain happy for brands to use their personal information to send offers they might like, and 49% said they would be happy to share their data with brands they trust. So, as long as your company complies with the GDPR and stores data securely, there is good reason to expect that customers will continue to trust you.

Key takeaways from the GDPR

GDPR is much more than a term to nod knowingly about as yet another salesperson assures you that your data is safe with their company. What follows are some of the most important parts of the legislation, according to Experian.

  • There is a clear “right to be informed” (Articles 13 and 14). Customers now expect clear written communication about what will be done with their data, even if they do not choose to read it. The responsibility for providing this information rests with each company.
  • There is a “right to erasure”, also known as the “right to be forgotten” (Article 17). It gives individuals the power to request deletion of their personal data, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent, subject to exceptions such as a legal obligation to retain the data or its use in legal claims.
  • Some organisations are under a legal obligation to appoint a data protection officer (DPO): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37). Other organisations may appoint one voluntarily. The DPO’s role is to monitor the organisation’s compliance with the GDPR.
  • Companies must carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals (Article 35). Separately, personal data breaches must be reported to the supervisory authority (the ICO for UK-based companies) within 72 hours of the company becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Article 33). Where a breach is likely to result in a high risk, the affected individuals must also be informed without undue delay (Article 34).

In which cases can EU citizen data be transferred to a non-EU state?

Under Chapter V of the GDPR (Articles 44 to 49), personal data may be transferred to a country outside the EU without further authorisation when the European Commission has decided that the country ensures an “adequate” level of data protection. Such an adequacy decision (Article 45) is adopted by the Commission after assessing the country’s legal framework.

Transfers to countries without an adequacy decision are allowed where appropriate safeguards are in place, such as standard contractual clauses approved by the Commission or binding corporate rules (Article 46).

Where neither applies, Article 49 lists derogations under which a transfer may still take place in specific situations, including the following:

  • The data subject has explicitly consented to the transfer, after being informed of the risks of transferring data to a country without an adequacy decision or appropriate safeguards.
  • The transfer is necessary for the performance of a contract between the data subject and the controller (the data holder).
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for the establishment, exercise or defence of legal claims.
  • The transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

Which countries have been given an adequacy decision?

At the time of writing, the European Commission has adopted adequacy decisions for the following countries and territories, meaning their legal framework is recognised as providing a level of protection essentially equivalent to the EU’s. The list changes over time, so check the Commission’s current list before relying on it:

  • Andorra
  • Argentina
  • Canada (commercial organisations covered by PIPEDA)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

Adequacy is assessed on a country’s legal framework rather than on individual companies’ security practices, so a company cannot earn an adequacy decision on its own. What a company can do, whichever transfer mechanism it relies on, is demonstrate the “appropriate technical and organisational measures” the GDPR expects (Article 32). These include but are not limited to the following:

  • Demonstrating that changes to database structure can be identified and reported to compliance auditors.
  • Developing ways to prevent data loss, whether by blocking attacks and malicious activity or by identifying unusual data requests.
  • Masking data through encryption or pseudonymisation (encoding alone is not a protective measure, since it is trivially reversible).
  • Raising an alarm as soon as any unauthorised access to data is detected, so that the 72-hour breach notification deadline can be met.
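Two of the measures above, alerting on unauthorised or unusual access and masking identifiers, as an added example in Python that is not code from the original article or from Experian. It assumes a hypothetical pipe-separated database audit-log format, a constructed allow-list of principals, a constructed bulk-read threshold and a placeholder pseudonymisation key; all of these are illustrative. It also flags schema changes for the auditor report mentioned in the first bullet.

```python
"""Added example (not from the original article or Experian): scan a database
access log for unauthorised reads, bulk exports and schema changes, and
pseudonymise the data subject's identifier before it is written into an alert.

Assumptions, all constructed for illustration: the pipe-separated log format,
the AUTHORISED allow-list, BULK_THRESHOLD and the placeholder PSEUDONYM_KEY.
"""
import hashlib
import hmac
import json

# Constructed sample log lines (hypothetical format):
# timestamp | principal | action | table | rows | subject
SAMPLE_LOG = """\
2019-01-28T09:00:01Z | svc_billing  | SELECT | customers | 1     | alice@example.com
2019-01-28T09:02:10Z | analyst_jdoe | SELECT | customers | 25000 | *
2019-01-28T09:03:44Z | tmp_contract | SELECT | customers | 1     | bob@example.com
2019-01-28T09:04:00Z | dba_root     | ALTER  | customers | 0     | *
"""

# Principals allowed to touch each table (constructed allow-list).
AUTHORISED = {"customers": {"svc_billing", "analyst_jdoe", "dba_root"}}
# A single read returning at least this many rows is treated as a bulk export.
BULK_THRESHOLD = 10_000
# Actions that change database structure and must be reported to auditors.
SCHEMA_ACTIONS = {"ALTER", "DROP", "CREATE", "TRUNCATE"}
# Placeholder key; in practice load it from a secret store, never from the code.
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier: alerts about the same person
    can still be correlated, but the raw identifier never reaches the alert
    channel. An unkeyed hash of an email address is brute-forceable, so it is
    not used here."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_subject(subject: str) -> str:
    """'*' marks a query with no single data subject and needs no masking."""
    return subject if subject == "*" else pseudonymise(subject)


def parse_line(line: str) -> dict:
    ts, principal, action, table, rows, subject = (f.strip() for f in line.split("|"))
    return {"ts": ts, "principal": principal, "action": action.upper(),
            "table": table, "rows": int(rows), "subject": subject}


def detect(log_text: str) -> list:
    """Return one alert per rule hit, in log order. Rules are independent,
    so a single event can raise more than one alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        base = {"ts": ev["ts"], "principal": ev["principal"], "table": ev["table"],
                "subject": mask_subject(ev["subject"])}
        # Unauthorised access: principal is not on the table's allow-list.
        if ev["principal"] not in AUTHORISED.get(ev["table"], set()):
            alerts.append({"rule": "unauthorised_access", **base})
        # Unusual data request: a read large enough to look like an export.
        if ev["action"] == "SELECT" and ev["rows"] >= BULK_THRESHOLD:
            alerts.append({"rule": "bulk_read", "rows": ev["rows"], **base})
        # Structural change: goes into the report for compliance auditors.
        if ev["action"] in SCHEMA_ACTIONS:
            alerts.append({"rule": "schema_change", "action": ev["action"], **base})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

Run against the constructed log, the first line produces nothing (authorised principal, single row), the second a bulk_read, the third an unauthorised_access whose subject field carries only the HMAC of bob@example.com, and the fourth a schema_change. Changing PSEUDONYM_KEY changes every pseudonym, which is why the key has to be stored and rotated like any other secret.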

Companies need to be extremely careful to comply with the GDPR, and those that meet the Article 37 criteria are required by law to appoint a DPO. Cross-border transfer of personal data to non-EU states is a complicated matter, as this overview suggests, and great care must be taken by the controllers and processors that hold the data, whichever transfer mechanism they rely on.

Data Privacy Day falls on 28th January each year, and it is a great time to refresh yourself on some of the key topics to do with data protection.