Data protection is about identifying and managing risk around the use of personal data. For example:

  • GDPR makes many references to compliance measures that are “appropriate in the circumstances”.
  • A Data Protection Impact Assessment is basically a risk assessment.
  • ICO guidance regularly recommends or incorporates risk management techniques.

International personal data transfers inherently carry a degree of risk for two reasons: first, personal data is being transferred out of the legally protected domestic environment to a separate jurisdiction where data protection laws might not apply; and second, the authorities in the transferee jurisdiction might have powers to command access to personal data or the might to override legal controls.

To guard against unauthorised access to personal data in third countries (those other than the UK and EU member states), GDPR, like its forerunner, the 1995 Data Protection Directive, imposes controls over what it terms restricted transfers.

In June this year the EU published its updated Standard Contractual Clauses for restricted data transfers and in August the Information Commissioner’s Office (“ICO”) published its own draft proposals for similar Clauses.

The ICO has gone a step further than the European Commission and published a draft risk assessment tool for restricted transfers of personal data. It is currently seeking views on the consultation documents, which can be seen here.

The outline of the Transfer Risk Assessment is that it is split into three parts:

  1. The details of the proposed restricted transfer including the type of personal data, categories of data subject, purposes of transfer as well as specifics relating to security during transit and in the hands of the transferee organisation.
  2. Specifics relating to the destination country including the privacy safeguards in place, its justice system, any laws regulating third party access to personal data and its human rights record.
  3. The potential impact of the transfer on the data subjects concerned and any risk of potential harm to them.

In comparison to the European Data Protection Board’s guidance on supplementary measures required when making restricted transfers on the basis of Standard Contractual Clauses or Binding Corporate Rules, this is a gritty, practical approach to risk assessment, taking into account all relevant factors. It also remains true to the underlying principle of risk management in data protection.

For help understanding the issues in this area, or support implementing compliance controls, contact us at Data Protection Consulting.

Mandy Webster, Data Protection Consultant