Saving Money, Making Money.
Now that I have your attention, I need to admit this piece is about saving public money and obtaining best value in contracts. More particularly, it is about how utilising the data protection regime around International Transfers of Personal Data and sub-processing can save public money. However, it does involve consideration of the GDPR. Now you understand why I used the title I did.
The UK (and EU) has some of the strongest privacy protection laws. It is a very risk averse position, and possibly an expensive one, for a public authority to take the strict position of “no transfers of personal information outside the UK/EEA”.
For example, the following countries are acceptable (known as having Adequacy Decisions):
New Zealand
Argentina
Faroe Islands
Guernsey
Isle of Man
Israel
Jersey
Switzerland
Uruguay
If it is another country, the authority should (1) use the correct contract clauses, (2) analyse gaps in that other country’s systems (a Transfer Risk Assessment) and (3) take steps to mitigate the risks.
Transfers between the UK and US are currently problematic unless the recipient is a very large company that has signed up to the UK-US Data Privacy Framework. If not, as with many other countries, the correct contract clauses need to be used; there are two main options: the International Data Transfer Agreement or the EU Standard Contractual Clauses (plus the UK Addendum).
It is possible to maintain GDPR compliance and transfer information outside of the UK, provided the right process and risk analysis has been undertaken. Some scenarios may conclude that personal information should remain in the UK because the risk of transfer is too high. But other scenarios may conclude that using the appropriate contract clauses mitigates the risks. I have noticed that private practice utilises risk management much more than the public sector does. Understandably, areas with sensitive information should require no transfers outside the UK/EEA. However, there will be some contracts which will not deal with large volumes of personal information.
It may be that due to Brexit, in the future each transfer outside the UK will need to be assessed. This all depends on the outcome of the current Data Protection and Digital Information Bill, and the EU’s view on this. Another Toffee Club subject, I think.
A follow-on subject from international transfers of personal information is that of sub-processing. On a similar note to international transfers, it is easy and simple to draft a contract excluding sub-processing. However, if the situation is carefully considered, it is possible to enable sub-processing whilst still protecting personal information.
The key takeaway is that for small contracts, and those which involve minimal personal data, organisations can make savings by moving away from the strict “no international transfers of personal data” position to one which uses the correct contract clauses and due diligence. This allows risks to be effectively managed and mitigated. This may be especially helpful when using start-up or tech companies.
If an authority’s standard T&Cs need reviewing, these tweaks and a more nuanced approach to data protection could encourage competitive bidding and save taxpayers’ money.
Ultimately, from a data protection perspective there are important risk factors that authorities should take into account when deciding their data protection position, such as trust and confidence in public authorities, which can persuade them to take a risk averse position. But applying GDPR knowledge creatively and analysing each scenario individually should not be ruled out.
Nicola Thoday, Senior Associate, Sharpe Pritchard