What is the GDPR?
The General Data Protection Regulation (GDPR) has applied in all EU Member States since 25 May 2018. In the UK, it is supplemented by the Data Protection Act 2018 (DPA 2018), which tailors how the GDPR applies in this country, for example by providing exemptions. The DPA 2018 also sets out separate data protection rules for law enforcement authorities and lays down the functions and powers of the Information Commissioner's Office (ICO).
Why do you need to take action?
In practice, under the original (1998) DPA an organisation's compliance was rarely examined until there was a data breach. The GDPR's accountability principle changes this: you need to be able to demonstrate compliance from the start, not only after something has gone wrong. This means having documents and processes in place that show you are following the regulation and safeguarding the personal data you hold.
What do you need to do as an exporter?
Exporting activity is usually just one aspect of an organisation's activity. The organisation should have a data protection procedure in place and a GDPR Compliance Statement that sets out how it intends to meet its responsibilities, adapting this template to suit its individual needs. The export department should be aware of the statement and ensure that its processing and storage of personal data complies with it.
The export department should have been consulted on the organisation's policies. Particular aspects of export activity may affect those policies, specifically where personal data is held about individuals in other countries and/or where personal data is shared with partners in other countries. This is most likely to arise when sharing such data with a commercial agent, a shipping agent or another third party involved in the export process.

Transfers within the European Economic Area (the EU Member States, with the UK treated as one for the transition period, plus Norway, Iceland and Liechtenstein) are treated as transfers within the Union. In addition, the EU recognises that certain other countries offer an adequate level of protection ("adequacy"). So far, the list of such countries is quite short, comprising Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to organisations certified under the Privacy Shield Framework). Personal data can be transferred to these countries without further safeguards. Negotiations are ongoing with South Korea and Colombia.

For countries that have not reached agreement with the EU, transfers must rely on appropriate safeguards: standard contractual clauses adopted by the European Commission; for transfers within a corporate group, so-called "binding corporate rules"; a commitment to comply with a code of conduct approved by the Commission; or certification of the data processing under an approved certification mechanism. In all cases, the exporter needs to take steps to ensure that data is handled lawfully and should be able to produce evidence of compliance. In particular, the exporter must be able to show the lawful basis on which personal data is collected, stored and used; consent is only one of the six lawful bases, and where it is relied on, a record of that consent must be kept.
Some exporting companies invite end users to register their ownership of products, usually for warranty or service reasons. Where the end user is resident in another country, the organisation needs to ensure that the collection, handling and processing of that data complies with the GDPR and with any applicable local law.
You need to know whether the data being processed falls within the scope of the GDPR. See our GDPR Flowchart.
You need to document your data processing. This will usually mean following the procedures laid down by the organisation. The GDPR provides six lawful bases for processing, and the basis relied on for each processing activity needs to be clearly recorded.
The organisation needs to carry out a privacy risk assessment (a Data Protection Impact Assessment, where the processing is likely to result in a high risk to individuals), and some aspects of export activity may be particularly sensitive in this regard. The sharing of data with organisations operating in countries that do not have adequacy is an important area to consider, as is the physical transportation of such data, for example in export documents.
Consider the ongoing impact of the regulation on export practice, and always question whether holding or sharing personal data is necessary. If it is not essential, do not do it. If it is, understand why it is needed and what the lawful basis for it is. It is also important to note that data should be retained only for as long as it is needed. Failure to comply with the GDPR can leave an organisation facing fines of up to €20 million or 4% of global annual turnover, whichever is the greater.
GDPR and Brexit
The UK formally left the EU on 31 January 2020 and is now in a transition period during which EU law, including the GDPR, continues to apply. The Government has confirmed that it will not seek an extension, so the transition period will end on 31 December 2020. Should no agreement be reached, and the negotiations so far have not gone well, the EU will treat the UK as what it calls a "third country" and trade relations will continue under (basic) World Trade Organisation (WTO) rules. Any transfer of personal data from the EEA to the UK will then no longer be treated as sharing of data within the Union and will need to comply with the EU rules applicable to transfers of personal data to third countries. The Withdrawal Agreement provides that personal data of data subjects outside the UK that was transmitted to this country, or otherwise processed here, before the end of the transition period will continue to be protected under EU standards after the transition period ends.
There is clearly a great deal to be gained from the two sides agreeing to accept each other's data protection rules, particularly given that they are at the moment largely identical, and it is still possible that this will happen. Should the talks fail, however, the Government will have to issue guidance on how companies can lawfully exchange data with the EEA countries. The EU has itself noted that a transfer, or a set of transfers, may take place on the basis of so-called "derogations", which allow transfers in specific cases: for example on the basis of explicit consent, where the transfer is necessary for the performance of a contract, for the establishment, exercise or defence of legal claims, or for important reasons of public interest. Derogations are intended for occasional transfers and are not a substitute for the safeguards described above.
Other useful documents
The EU-US Privacy Shield Framework was adopted in 2016 and protects the personal data of individuals in the EU that is transferred to the USA for commercial purposes. The Framework places obligations on certified companies receiving such data to protect it adequately and gives individuals a right of redress when the rules are breached. Note that on 16 July 2020, after this page was last reviewed, the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in the Schrems II case (C-311/18), so transfers to the USA can no longer rely on it; standard contractual clauses remain valid, but the exporter must assess whether the law of the destination country allows the clauses to be honoured in practice.
Last reviewed 8 July 2020