10 August 2021
Personal Data – Making Sense of Transfers and Processing
By Carol Tullo, OBE, Senior Consultant
The recognition of UK adequacy back in June (see Adequate at Last) allowed data protection practitioners and organisations to breathe a huge sigh of relief as one of the elements of grit in the system was removed – at least until the decision is reviewed in 4 years’ time. As the UK Government announcement stated, the UK “now operates a fully independent data policy” (see the National Data Strategy here), and how the UK uses data to drive innovation and boost the economy while balancing individuals’ safety and privacy will be watched with interest across the EEA.
I want to focus on two practical areas that have exercised clients in the past 6 months as we anticipated the adequacy decision – transfers of data outside the UK, and data processing.
There is so much confusion over the UK GDPR meanings of transfer and processing of data. While the free flow of data between the UK and the wider EEA is now eased, many do not realise that their everyday use of systems, online tools and software involves a potential transfer under UK GDPR. The starting point is always the privacy notice and terms and conditions you accept when signing up to any new service. So many providers are based outside the EEA, often in the US. Using Eventbrite or Mailchimp, or just MS Office, involves transfers out of the UK, as data will be processed on servers based around the world and in the US. Provided there are safeguards built in and a corresponding acknowledgment of the importance of data protection, the risks are mitigated – and how often have we heard “but everyone uses [insert name]”! That a service is the standard go-to choice does not make your obligations under UK GDPR any the less, though it does provide some reassurance.

In Data Protection Impact Assessments, we regularly see “N/A” in the completed boxes relating to transfer of data. Most will interpret this by thinking “but I have no intention of picking up the data and transferring it to a third party”, but in effect that is exactly what you are doing. Many wrongly assume that using their own organisation’s systems means the data stays inside the organisation. While reciprocal arrangements with the EEA are sorted, arrangements with the US are not. Too many organisations have not reviewed their privacy statements or policies since December 31, 2020, and many still refer to the protection of the US Privacy Shield, an arrangement no longer valid since the Schrems case back in July 2020 (see Transferring Data Abroad: the Implications of Schrems).
Similarly, this transfer involves “processing”, which has a broad definition and includes the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction of data. So merely allowing the supplier of a software tool to store personal data of your staff or clients, to enable you to use all the functionality of, e.g., a survey tool or accounting package, will involve processing. The data does not need to be edited or manipulated by the supplier in any form.
Simply tracking what you do with data and knowing which systems are used demonstrates a sound record of your processing. We’ve put together an essential checklist below to help, and more guidance from the UK’s Information Commissioner’s Office in this area can also be found here.
- Always check out any new supplier and ensure that they meet the UK privacy standards.
- Understand where transactions involve the transfer of data outside the UK and EEA, and keep a record of that processing demonstrating that you were aware of and assessed the implications.
- Check that Data Sharing Agreements or data protection clauses are in place in any contractual arrangements.
- Raise awareness of how personal data is protected and what makes up “processing” so staff understand the data protection journey.
- If in doubt, take advice.
© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)
Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (August 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.