CERTIKIT UKDP Implementation Guide V1

Page 13

UK Data Protection Toolkit Implementation Guide

The ISO/IEC 27701 standard is probably one of the first international schemes to be published that has a direct relationship with the UK GDPR. An organisation can become certified to this standard, but only if it first becomes certified to the ISO/IEC 27001 standard for information security management systems, so currently it’s more of an “add-on” standard than a standalone one.

2.5.10 International transfers

Sending the personal data of UK citizens outside of the country raises questions over how well the data will be protected, and the UK GDPR places restrictions on how this may be done. To be helpful, the Secretary of State regularly decides which countries can be trusted to look after UK personal data and publishes a list of those deemed to be acceptable (called an “Adequacy Decision”). Currently, it’s a small list which is based on its EU equivalent, so you may need to look at the other ways to meet the UK GDPR if you need to do international transfers. Other ways to get approval are:

• A legally binding agreement (public bodies only)
• Binding corporate rules
• Using standard clauses in your contract
• Signing up to an approved code of conduct or certification scheme

If you’re going to use binding corporate rules, be aware that they have to be approved by the Information Commissioner, and that can take a while. There are some standard contractual clauses available currently, and new ones may be created and approved by the Secretary of State or the Information Commissioner. There are a few get-outs (or “derogations”, as the UK GDPR calls them) for small, infrequent transfers, so it may be worth checking the list in Article 49 to see if any apply.

2.5.11 UK representatives

If your organisation is outside the UK then, depending on the type of organisation and the processing you perform, you may need to appoint a representative within the UK to act as a focal point for communication with the Information Commissioner’s Office or data subjects. This needs to be done in writing and may be easily achieved through a service offered by third parties established in the UK, for a fee.

www.certikit.com


