If you are an internationally headquartered company with operations in the UK and Europe, then it’s very likely that you will be utilising cross-border data transfers in relation to your employees and customers.

By Kiki Stannard

The General Data Protection Regulation (GDPR) is Europe’s framework for data protection. It enhances how people can access information about them, and places limits on what companies can do with personal data.

Why was GDPR drafted in the first place?

GDPR has two primary aims: to give people more control over how their personal data is used and stored; and to give businesses a clearer legal environment within which to operate.

The previous Data Protection Act was enacted before the internet, making it easy to exploit data using new technology. By strengthening data protection legislation and introducing tougher enforcement measures, the EU aims to improve trust in the digital economy.

How detailed is the legislation?

The full text of GDPR is extremely detailed, containing almost 100 individual articles. It was introduced in May 2018 and replaced the previous 1995 data protection directive.

European countries were able to make small changes to suit their own country’s needs, and within the UK, this flexibility led to the creation of the Data Protection Act (2018), which superseded the previous 1998 Data Protection Act.

It has been seen as a world-leading progressive approach to how people’s personal data should be handled and may have influenced the California Consumer Privacy Act.

What is Personal Data?  

GDPR is designed to instruct how companies can utilise ‘personal data’ and an individual’s right to access the data a company stores about them, as well as a ‘right to be forgotten’.

Broadly personal data is information that allows a living person to be either directly or indirectly identified from a data set. This might be something obvious, such as a person’s name, location, or an online username which is clearly relative to a specific individual, but it may also be something like an IP address or cookie identifier.

Under GDPR there are special categories of sensitive personal data that are given greater protections. Sensitive personal data includes health and medical information, biometric data, race or ethic origin, political opinions, religious beliefs, trade union membership and sexual orientation.

To whom does it apply?

According to the EU, ‘controllers’ and ‘processors’ of data need to follow GDPR rules and demonstrate doing so.

A data controller is the party responsible for how and why data is processed. A processor is the party responsible for the handling of the data.

Using a third party provider for processing your payroll is one example of where your company is the controller and your payroll provider is the processor. Your company tells the payroll company when salary payments should be paid and if anyone leaves or joins. The payroll provider stores and processes your employees’ data.

What about cross-border data transfers?

Even if controllers and processors are based outside of the EU, GDPR still applies if they’re dealing with data belonging to EU residents. As the UK rules currently align with GDPR, the same considerations must be made for the transfer of data outside of the UK.

It is your responsibility as a controller to ensure the processor follows the rules. Meanwhile, processors must keep records of their processing activities.

GDPR introduced very significant fines for non-compliance and breaches, and gives individuals far more say over what companies can do with their data. It is important to follow the relevant requirements.

Is it likely to change?

GDPR is still evolving and it is important to seek expert advice to ensure your cross-border and local data activity is compliant. Following its departure from the EU, the UK government may seek to diverge somewhat from the GDPR rules, although no formal announcements have been made as yet.

For the time being, the UK’s data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU.

The European Commission recently announced new Standard Contractual Clauses (SCCs) in respect of personal data transfers to countries outside the European Economic Area (EEA) requiring additional compliance requirements. However on 28 June 2021, the Commission announced that it had adopted a GDPR adequacy decision for the UK, meaning that personal data can flow freely from the EEA to the UK without the need for SCCs (or other legitimising mechanisms).

How ZEDRA can help

ZEDRA’s team of experts throughout the US, EU, UK and worldwide can advise you on the local and international implications of data transfers and GDPR compliance. Contact Kiki Stannard or Brieanne Runsten for more information on how we can help you.

For more information, please contact