Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validate transfers to recipients located outside the United Kingdom. Data transfers typically include the following examples:
Requirements to transfer personal data outside the UK are governed by the UK Data Protection Act 2018 (UK GDPR) and largely mirror the European Union’s General Data Protection Regulation requirements. It is important to note that the transfer of personal data to a third country or an international organization is possible. The transfer is legally allowed where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. A transfer based on a decision of adequacy does not require any specific authorization.
In the absence of a decision of adequacy, the personal data transfer to a third country may take place if appropriate safeguards are in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Examples of measures that can be taken include:
The BCR must contain: privacy principles (transparency, data quality, security, etc.); tools of effectiveness (audit, training, complaint handling system, etc.); and an element proving that the BCR are binding. BCR must be submitted to the UK ICO for approval.
SCC are not subject to approval by any authority, which is precisely why their content cannot be modified. If changes are made, the parties must submit the document for data protection authority approval.
Adopting BCR and SCC allows organizations to harmonize practices relating to the protection of personal data within a group, avoid the need for a contract for each single transfer, communicate externally on the company's data protection policy, provide an internal guide for employees with regard to personal data management, and make data protection integral to the way the company carries out its business.
While the UK has transitioned out of the European Union (EU) as of December 31, 2020, data transfers between the UK and other EU countries are unrestricted until June 2021. This extension is meant to enable personal data transfers between the EU and the UK until an adequacy agreement can be put in place. The adequacy agreement will allow the ongoing free international transfer of employee data between the UK and the EU (similar to Switzerland and Norway).
If the UK does not receive an adequacy decision from the EU, it will be considered a ‘third country’ similar to other jurisdictions outside the EU.
HR Best Practices: For intragroup transfers (such as access from a subsidiary outside the UK), make sure to have at least one safeguard mechanism in place: BCR “Controller to Controller” or SCC signed with the concerned subsidiary. For cross-border data transfer with processors or sub-processors, make sure such collaborators have their own safeguard mechanisms in place.
The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside the UK when an adequate level of protection is ensured and access by subsequent entities remains limited to the minimum necessary for the intended purpose.