A substantial part of the UK's data protection regime, the GDPR as supplemented by the Data Protection Act 2018, concerns the transfer and processing of personal data outside the UK. Personal data may not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. In practice this means that data can be transferred freely only to those non-EEA countries that the European Commission has formally recognised as adequate. At the time of writing these include Argentina, Switzerland, Canada (for commercial organisations), the Channel Islands (Jersey and Guernsey), the Isle of Man, New Zealand and Israel. Transfers to the US could be made to businesses that had self-certified under the EU-US Privacy Shield framework; that framework was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so US transfers now need another lawful transfer mechanism.
Where none of the above applies, the data controller is responsible for ensuring that the transfer takes place only once appropriate safeguards are in place, for example standard contractual clauses approved by the Commission or binding corporate rules. Data that merely passes through a non-EEA country in transit between two EEA countries, without being accessed or processed there, is not treated as a transfer, and these restrictions do not apply to it.
The rules also cover UK businesses that outsource operations and, in doing so, send users' data outside the EU. An offshore vendor may receive and process UK customers' data only under these same transfer rules. To start with, the outsourcing company, as data controller, must ensure that the vendor processes and stores the data with appropriate technical and organisational security measures.
Beyond that, every other data handling rule that applies within the EEA continues to apply when processing is outsourced. India, for instance, is a major outsourcing destination for UK businesses but has no EU adequacy decision, so the UK company must put a lawful transfer mechanism in place and verify that the Indian vendor implements sufficient data protection measures before any users' data is processed there.
How to protect outsourced data?
- Write all the data protection and security obligations the vendor must meet into the contract, so that the arrangement satisfies the GDPR's requirements for controller-processor contracts as well as the Data Protection Act 2018. Set out the penalties that apply in the event of non-compliance or a breach.
- Choose a vendor whose staff are adequately trained to handle the data in line with the act. Do not sign an agreement until you are satisfied, and have written assurance, that the vendor will abide by the rules in the act.
- Anonymize, or at least pseudonymize, data as far as the processing allows before it is transferred to and stored at offshore locations. Note that pseudonymized data, where the individual can still be identified with a key or lookup table held elsewhere, is still personal data under the GDPR, so the transfer rules continue to apply to it; only genuinely anonymized data falls outside them. The safeguards actually applied to the data are what a regulator will look at when judging whether a company has complied.
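As an added example (not code from the original article), the following Python script shows one way to prepare a customer export for an offshore processor: direct identifiers are replaced by keyed HMAC tokens, quasi-identifiers are generalised, and the HMAC key and the token-to-identity vault stay with the UK controller. The field names, the records and the export format are all constructed for illustration.

```python
"""Pseudonymise a customer export before handing it to an offshore processor.

Added example, not code from the original article. It assumes a hypothetical
customer export with the fields below; the records are constructed, not real.
Design: the HMAC key and the token -> identity vault never leave the controller;
the processor only ever sees tokens and generalised quasi-identifiers.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample export (hypothetical field names; not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.org", "postcode": "SW1A 1AA",
     "dob": "1984-03-12", "order_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "M1 1AE",
     "dob": "1999-11-02", "order_total": 35.00},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA",
     "dob": "1984-03-12", "order_total": 15.25},
]

DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Controller-side secret; generated and kept onshore (e.g. in a KMS or HSM)."""
    return secrets.token_bytes(32)


def pseudonym(email: str, key: bytes) -> str:
    """Keyed, deterministic token for a customer.

    Deterministic so the processor can join records for the same customer;
    keyed so that, unlike a plain SHA-256 of the address, nobody holding a list
    of e-mail addresses can re-derive the tokens without the controller's key.
    """
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def postcode_area(postcode: str) -> str:
    """Keep only the outward code; the inward code narrows a UK address to a street."""
    return postcode.strip().upper().split()[0]


def age_band(dob_iso: str, as_of: date) -> str:
    """Replace an exact date of birth with a ten-year age band."""
    y, m, d = (int(x) for x in dob_iso.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def prepare_for_offshore(records, key, vault, as_of=date(2018, 6, 1)):
    """Return the rows the offshore vendor may receive and fill `vault` (kept onshore)
    so the controller can still re-identify a token, e.g. for a subject access request."""
    exported = []
    for rec in records:
        token = pseudonym(rec["email"], key)
        vault[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        exported.append({
            "customer_token": token,
            "postcode_area": postcode_area(rec["postcode"]),
            "age_band": age_band(rec["dob"], as_of),
            "order_total": rec["order_total"],
        })
    return exported


def leaks_direct_identifier(exported) -> bool:
    """Pre-transfer check: no exported row may carry a direct identifier field."""
    return any(k in row for row in exported for k in DIRECT_IDENTIFIERS)


def reidentify(token: str, vault):
    """Onshore only: map a token back to the customer it stands for."""
    return vault.get(token)


if __name__ == "__main__":
    key = new_key()          # stays onshore
    vault = {}               # stays onshore
    rows = prepare_for_offshore(SAMPLE_RECORDS, key, vault)
    assert not leaks_direct_identifier(rows)
    for row in rows:
        print(row)           # this is what the offshore vendor receives
```

Because the controller keeps the key and the vault, the exported rows are pseudonymised rather than anonymised: the controller can still single out and re-identify a customer, so the rows remain personal data and still need a lawful transfer mechanism. What the example buys is that the vendor, or anyone who compromises the vendor, holds no direct identifiers and cannot reverse the tokens without a key that never left the UK.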
The new UK data protection laws do not forbid transferring data outside the UK or outsourcing its processing. They lay down rules that must be followed so that customers' data is not exposed to, or exploited by, third parties, and every offshore processor therefore has to follow the data privacy requirements. Both the outsourcing company and its providers should minimise what an offshore processor can see: personal data should be anonymized or pseudonymized wherever the processing allows, and where data is stored in offshore data centres outside the EU, the personal data attributes themselves should be anonymized or pseudonymized rather than held in the clear.