It's transfer season not just in football but also in the world of data protection. Both are proving rather messy, stressful and potentially costly.
We already have the EU Standard Contractual Clauses to provide an adequate safeguard for restricted transfers to third countries, and companies have a deadline of 27 September this year to start using them for new contracts. But those do not operate for transfers under the UK GDPR, leaving the vast majority of companies who deal with a mix of EU and UK data in a bit of a state of limbo.
We finally had an announcement from the ICO on Tuesday. Wouldn't it have been lovely if that had said something like: "Hey, the EU SCC look pretty much ok to us, so if you use those as well for UK and just make that clear in the document that you are doing that and that UK data subjects also have rights, then you are good to crack on"? Alas not. These are some of the issues this new announcement raises:
- We now know final versions of the UK SCC are a minimum of several months away and definitely won't be finalised until after the EU deadline. So it appears a UK company with UK and EU data would need to start entering into the new EU SCC for the new data but still use the old SCC for UK data. Madness. Have you seen how long they are? Companies will want to consider a pragmatic, risk-based approach on this.
- It won't be possible to roll out templates covering EU and UK data so there will unfortunately be the need for even more changes of paperwork later on. The ICO will provide some grace periods but this all seems a bit of unnecessary focus for resource.
- The UK proposals are VERY different to the EU templates. Different structure, different terms, different practical issues for completing them. Fun times.
- It is still unclear when a restricted transfer happens and therefore when an impact assessment and transfer agreement are needed. This is basic stuff that should be clear for companies. We don't need an academic debate on this but clarity from those who enforce them. The EU versions (with their references to the fact that they can only be used for transfers to entities which are not already subject to GDPR) have raised a lot of questions. Full marks to the ICO for actually putting such questions into a consultation to determine, but it does rather reveal how silly this all is that we have EU guidance and contract deadlines just over a month away that still raise such fundamental questions.
- It was nice to see an addendum to the EU SCC (only 4 pages, this one) proposed by the ICO. However, look at what this actually does. Its purpose is to turn an EU SCC into a UK SCC rather than make the EU SCC work for both. Again, this feels like an opportunity for a business-friendly solution has been missed at the moment.
Lots to ruminate over and lots to put into the consultation response.