What the ICO says –
“If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.”
What does this mean for your organisation –
These 12 Days of GDPR snippets have primarily been based loosely on the “12 Steps to Take Now” included in the “Preparing for the General Data Protection Regulation (GDPR)” document available from the UK ICO website. Within that document the section on International is unbelievably vague and convoluted, and because of that I am going to step a little outside of the document scope, as international can mean several things under the GDPR umbrella.
Firstly, as per the document mentioned, if your organisation operates in more than one EU member state then your organisation needs to decide which supervisory authority (SA) is to be its lead authority. This is best decided by choosing the SA for the member state where your head office or main central point of data processing is based.
If you are a non-EU organisation and you are offering goods and/or services (even free ones) to EU citizens/residents, then international means you must appoint a representative within the EU to advise on and manage data protection compliance for your organisation regarding the EU aspects. BMGUK Consultancy Ltd is very well placed to handle this for your organisation, so just get in touch to sort that.
If you are an EU organisation and you trade or operate outside of the EU, then you have an obligation to ensure that any personally identifiable information of EU citizens/residents that is transferred outside of the EU is handled in line with the GDPR. This could be staff HR data or something as simple as email addresses used as part of day-to-day operations. This can be a minefield if not handled correctly, as the rights of the data subjects are exposed to significant risk and ultimately your organisation is at risk of significant penalties.
Before any PII can be transferred outside of the EU, the territory it is being transferred to needs to be on your supervisory authority’s list of adequate countries; if it isn’t, the risk involved is more than significant. Don’t just assume a country is adequate, as countries can and do become inadequate, so constant monitoring of your processing activities must be carried out.
That’s all, folks. I hope my 12 Days of GDPR have been of some help to you. If you need more information and advice on getting your organisation ready for GDPR, then please follow me and do get in touch. Merry Christmas and a Happy and Prosperous New Year to everyone.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant; they are just to whet your appetite and get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation in becoming GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018, the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs, anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.