Transferring personal data overseas

ICO publishes new guidance to help businesses

IP image

Businesses wishing to transfer UK personal data to recipients outside the UK will welcome new guidance from the UK Information Commissioner’s Office (ICO) on how to manage such transfers.

The guidance covers the UK data protection rules which protect an individual’s personal data when they are transferred out of the UK, as such data is potentially no longer protected after the transfer.

The guidance takes users through the requirements to ensure protection remains in place for individuals’ data on such transfers.

One possibility is that the country or territory the data is being transferred to satisfies the UK’s ‘adequacy requirements’. Under that regime, the UK recognises EEA countries (the EU member states, plus Iceland, Norway and Liechtenstein) as having adequate data protection laws. It also continues to recognise those non-EEA countries that the European Commission recognises as adequate, and a limited number of other territories.

If the adequacy requirements are not satisfied, the transferring organisation must put ‘appropriate safeguards’ in place to protect that data. Among the many options are, for example, inserting standard contractual clauses (SCCs) prescribed under UK data protection laws into data transfer agreements with non-UK recipients.

Organisations that transfer personal data out of the UK can check out the new ICO guidance.