What US companies need to know about international data transfers under the EU’s GDPR

Protection concept: Shield on digital backgroundStarting from May 25, 2018, US companies collecting and handling data on European residents will need to comply with the EU General Data Protection Regulation (GDPR), which was approved earlier this year. Previously, under the Data Protection Directive, international data transfers were prohibited to organizations in countries outside the European Economic Area (EEA) unless the country to which the data transfer was being made ensured an “adequate level of protection”.

Unlike the Directive, which had exceptions around international data transfers for certain countries, the GDPR expands the territorial scope of data protection requirements for international data transfers. As a result, countries – including the US – that have not been recognized by the European Commission as providing adequate protection will be able to process European residents’ data by complying with the GDPR.

Conditions to ensure adequate data protection

Under the GDPR (Article 44), organizations need to satisfy certain conditions in order to allow data to be transferred outside the European Union. These conditions mirror the Directive’s principles of ensuring adequate data protection:

  • Data controllers must secure informed consent from the data subject for the transfer and the risks associated with the transfers.
  • Transfers can be made when they are necessary for the performance or conclusion of a contract.
  • Transfers can be made when it is necessary on the grounds of public interest, or for the establishment, exercise, or defense of legal claims.
  • Transfers are permitted if they are necessary to protect the vital interests of the data subject or for the pursuit of the legitimate interests of the data controller/processer.

The GDPR and the EU-US Privacy Shield

The EU GDPR puts even more pressure on US organizations dealing with European residents’ data, because the EU-US Privacy Shield was recently rejected by data regulators. The EU-US Privacy shield agreement was intended to allow companies to transfer EU residents’ data for processing within the United States. The agreement was invalidated by the European Data Protection Supervisor, who said that it was ”not robust enough”. As a result, the Privacy Shield is currently under review. Until the Privacy Shield is approved or a new agreement is reached, organizations handling and collecting data on EU residents will need to comply with the GDPR.

Organizations looking to satisfy the GDPR’s conditions for international data transfers and to understand the implementation path to ensure compliance are encouraged to attend IT Governance’s Certified EU General Data Protection Regulation Foundation and Practitioner Online training courses. These courses are interactive Live Online sessions that provide a comprehensive introduction to the EU GDPR and a practical understanding of the implications, as well as a guide to planning, implementing, and maintaining the legal requirements for organizations of any size. Upon passing the exams included in the course, delegates are awarded the ISO 17024-accredited EU GDPR Foundation (EU GDPR F) and EU GDPR Practitioner (EU GDPR P) qualifications by IBITGQ. The course also enables delegates to fulfil the role of data protection officer (DPO) under the EU GDPR.

Find out more about the Certified EU General Data Protection Regulation Foundation and Practitioner Online training course here >>