What is the GDPR?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and replaced the Data Protection Act 1998 (DPA).
Why do you need to take action?
Under the DPA, organisations were assumed to be compliant until a data breach occurred. Under the GDPR, this is no longer the case: you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate that you are following the regulations and safeguarding the data that you hold.
What do you need to do as an exporter?
Exporting activity is usually just one aspect of an organisation’s activity. The organisation should have a procedure in place and a GDPR Compliance Statement that indicates how it intends to meet its responsibilities; this template can be adapted to suit the individual needs of the organisation. The export department should be aware of the statement and ensure that its data processing and storage complies with it.
The export department should have been consulted in respect of the organisation’s policies. There are particular aspects of export activity that may impact on the organisation’s policies, specifically when personal data is held about individuals from other countries and/or when personal data is shared with partners from other countries. This is likely to be when sharing such data with a commercial agent, a shipping agent or another third party involved in the export process. The European Union recognises the compatibility of regulations in all EEA countries (the EU 28 countries plus Norway, Iceland and Liechtenstein). In addition, the EU recognises that certain other countries have data adequacy. So far, the list of such countries is quite short, comprising Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to the Privacy Shield Framework). These countries are deemed to have legislation adequate to comply with the GDPR. Negotiations are ongoing with Japan and South Korea. For these countries, compliance with national regulations should be sufficient to ensure that sharing data with others meets the requirements of the law. In other cases, the exporter needs to take steps to ensure that such data is handled legally and should be able to produce evidence of compliance.
Some exporting companies invite end users to register their ownership of products, usually for reasons of warranty or service. Where the end user is a resident of another country, the organisation needs to ensure that the handling and processing of data is compliant with the law.
You need to know whether the data being processed falls within the scope of the GDPR. See our GDPR Flowchart.
You need to document your data processing. This will usually mean following the procedures laid down by the organisation. The law allows six lawful bases for processing, and the legal basis relied on needs to be clearly recorded.
The organisation needs to carry out a privacy risk assessment, and some aspects of export activity may be particularly sensitive in this regard. The sharing of data with organisations that operate in countries that don’t have data adequacy is an important area to consider, as is the physical transportation of such data, for example in export documents.
Consider the ongoing impact of the new regulations on export practice, and always consider whether it is necessary to hold or share personal data. If it isn’t essential to do so, then don’t do it. If it is, understand why it is needed and what the lawful basis for doing so is.
Other useful documents
The EU-US Privacy Shield Framework was adopted in 2016 and protects the rights of EU citizens whose data is transferred to the USA for commercial reasons. The Framework places obligations on companies receiving such data to adequately protect it and provides right of redress for individuals when there is a breach of the rules.
Last reviewed 28 May 2018