If data is transferred across international boundaries, you have to ensure that it is correctly and appropriately protected from damage, hacking, loss, misdirection and more. Because the GDPR is an EU Regulation, this was designed to apply outside the European Economic Area – but it is good practice to consider this issue as soon as your data leaves this country. There are some EU restrictions on passing data to certain third countries or international organisations. Please contact the ICO for the latest views on this.
Chapter V of the GDPR lays out the terms that must be met if you want data to be transferred out of the European Economic Area. It requires that there be:
- Adequacy of protection – i.e. that country/organisation can protect the data
- Transfer undertaken safely – i.e. that during movement of data, it is protected
- Binding of Corporate Rules – i.e. the recipient commits to protect data
There are further rules covering cases where data is transferred without such controls, and cases where data may be transferred without the terms being met if the requisite conditions apply.