Technology and Outsourcing 2025

UK Law and Practice Contributed by: Richard Brown, Louisa Chambers, Adam Wyman and Michael Ross, Travers Smith LLP

The most used safeguarding mechanism is to incorporate a set of standard contractual clauses (SCCs) that have been pre-approved by the European Commission (in the case of the EU GDPR) or the UK Parliament (in the case of the UK GDPR). These require the supplier to put measures in place to make sure that personal data is kept safe. The use of SCCs must be supported by a transfer risk assessment. Broadly, this requires the parties to carry out due diligence and a formal risk assessment to ensure that the laws and practices of the supplier’s country provide an equivalent standard of data protection to those in the UK or EEA (as applicable), particularly when it comes to access by public and surveillance authorities to personal data. Account must be taken of the nature of the data being transferred and how it will be processed. Due diligence must also be conducted into the measures the data importer (in this case, the supplier or outsourcing provider) will take to keep the data safe and secure. In some cases, the transfer risk assessment might lead the parties to conclude that the data transfer element of the outsourcing will need to be suspended and the data kept onshore. It is therefore worth considering this issue early on in the transaction.

The International Data Transfer Agreement (IDTA) and the Addendum came into force in March 2022 in relation to data transfers to third countries subject to the UK GDPR. In June 2021, the EU adopted its new SCCs. The UK Addendum is a “bolt-on” to the EU SCCs. As noted in 1.1 IT Outsourcing, the UK extension to the Data Privacy Framework enables personal data to be transferred from the UK to US organisations that have self-certified to the DPF without the need for reliance on SCCs or for a transfer risk assessment to be completed.
In some cases, alternative mechanisms or specific derogations may be available for transferring the data – for example, suppliers may have obtained approval from the ICO for binding corporate rules that allow them to export data to other group companies based outside the UK, without the need for specific contractual arrangements governing the transfer. Alternatively, it may be possible to obtain express consent to the transfer from the data subjects whose data is being transferred.

Issues during negotiations

The Data Protection Laws also potentially have an impact when an outsourcing contract is being negotiated, as personal data will be transferred in respect of employees who are transferring over from the customer to the supplier (see 5.1 Employee Transfers). In these circumstances, care needs to be taken to ensure that personal data is shared and transferred in a lawful manner, with a clear legal basis under the Data Protection Laws for such a transfer. Any personal data transferred outside the UK will again need to be transferred using one of the above-mentioned transfer gateways or derogations.

Critical infrastructure

As outlined in 2.2 Industry-Specific Restrictions, organisations that supply critical national infrastructure and meet certain size thresholds are subject to the NIS Regulations. These regulations may have an impact on the outsourcing of activities relevant to the provision of such infrastructure. By way of example, where handling of data is outsourced, the customer will be required to ensure that the supplier takes appropriate measures to protect against cyber-attacks – even if it is not “personal data”.

Penalties for breach of such laws

The ICO can impose civil fines of up to GBP17.5 million – or 4% of the breaching undertaking’s annual worldwide turnover in the preceding year – for the most serious breaches of the Data Protection Laws. In the case of breach, the ICO can also issue an enforcement notice against a business requiring it to take (or refrain from taking) specified steps in order to comply with the Data Protection Laws. The Data Protection Laws contain a number of criminal offences – notably, offences relating to the unlawful obtaining of personal data and selling or offering to sell such data.

It should be noted that individuals can lodge complaints with the ICO in respect of alleged breaches of the Data Protection Laws and bring an action for damages against the relevant business. Fines may also be