Europe's General Data Protection Regulation (GDPR), operative May 25, 2018, governs not just how your company protects the personally identifying information (PII) of EU citizens and residents, but also from whom. The rule clarifies that mandatory PII protections extend beyond local data storage and usage to also include data transfer across borders to third parties and beyond. Your obligation to keep your EU data safe now requires you to also ensure that it will remain safe wherever and with whomever it ultimately ends up.
Identifying "Adequate" PII Protection
As the GDPR becomes operative, nations and corporations are making changes to bring their operations into compliance. Fortunately, because the rule applies in virtually every global region, the GDPR Commission recognizes the need to respect the methodologies that entities devise to make their enterprise compliant with it. Accordingly, Commission has outlined three basic frameworks for establishing "adequate levels of PII protection," and non-EU entities can determine which of the three best fits how they do business.
The GDPR acknowledges that some non-EU states already have adequate domestic legislation in place for protecting EU PII, so data transfers can continue to those areas with no obligation to add further safeguards. So far, only 11 international jurisdictions qualify. In the U.S., corporations that implement the rules set out in the "EU-US Privacy Shield" demonstrate an adequate level of protection of EU-based PII.
Parties to contracts can agree to abide by GDPR regulations, and the Commission offers specific contract clauses for data controllers depending on where and to whom they are sending the information. There are two sets of standard contract clauses for use by internal EU data controllers with the data controllers of their external (outside the EU) contracting partners, as well as one set of clauses for use by internal EU controllers with external data processors.
The suggested language lays out the minimum information that should be specified in the transfer contract and gives the contracting parties the right to declare the substantive data protection rules they choose so long as those contain appropriate and sufficient data protection principles.
Binding Corporate Rules (BCR's)
In the absence of both appropriate legislation and contract language, your multinational entity can still become GDPR compliant by adopting BCRs. BCRs act like an internal code of conduct and apply across your corporate body, including its subsidiaries, branches and other business types, wherever they are located. There are separate BCRs for Controllers (BCR-C) and Processors (BCR-P), so if your entity is one or both, it must demonstrate effective BCRs for all that are applicable.
To be determined GDPR compliant by BCRs, your company must have them approved by an appropriate European Data Protection Authority (DPA). To qualify for approval, the BCRs must contain:
- An assertion of your corporate privacy principles as those relate to data protection and security, the transparency of its data management practices and how it manages data quality.
- A statement that defines how your enterprise establishes and maintains its privacy practices, including the tools it uses (software, training, systems, etc.).
- Elements that prove how your rules are binding on all aspects of the company. These elements cover the myriad of concerns that arise when private data is shared, such as how the transfer affects third-parties and accountability standards, and how data subjects can lodge complaints.
Note that the general PII transfer rules do not apply to data exchanges that occur in the law enforcement sector, which includes the transfer of Passenger Name Records for international travelers and records related to the Terrorist Finance Tracking Program.
Doing business with EU entities will require added attention to data protection and privacy, but larger markets and increasing revenues should more than justify the investments your company makes to put those protections in place.