Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at firstname.lastname@example.org.
While there has been much debate within EU countries around the preparation for GDPR on the 25th of May, the level of knowledge and preparation for those suppliers of analytics platforms and services outside of the EU remains largely an unknown. Controversially, our assessment is that many customers/suppliers will have ignored it and assumed that it doesn’t apply.
If your spend analysis provider is a large, well-known brand name with a global presence, it is highly likely that they will have opted for the binding corporate rules option. This is a complex and intricate process, but it is essentially a means for larger data service/analytics providers to apply to the EU to establish the provision. The supplier applies for BCR status to one of the EU Supervisory bodies (one of the 27 EU members). These are termed Lead Authorities. Once the checks have been completed and the Lead Authority is satisfied with the adequacy of the data privacy safeguards in place, the Lead Authority's decision is binding across all Supervisory authorities in other European states. However, as in much European legislation, member states may have additional requirements.
Once Binding Corporate Rules (BCR) status has been achieved:
“Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.”
However, what of smaller providers? Not so easy – and it can rapidly become more complex.
The EU has two other provisions for managing data that contains personal information – the rule of adequacy and safeguarding.
Not surprisingly (shock), all 27 EU members meet the rule of adequacy. Adequacy is simply defined around the level of protection at national level.
For non-EU countries, the EU will judge this on the national rule of law; respect for human rights and fundamental freedoms; and relevant legislation, both general and sectoral, including public security, defence, national security and criminal law. Simple enough …
Now the bad news. There are only some 11 countries globally that are deemed to meet this level of adequacy. These include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. If your spend analysis provider lives in any of these countries – that’s fine. Happy days.
However, what if they don't? The new Regulation is simple in its objective. The GDPR change removes a controller's (or data owner's; we will explain controller and processor in the next few posts) previous ability to transfer personal data outside the EU based only on its own assessment of the adequacy of the protection afforded to personal data. More work to do.
This brings us to the last option – safeguarding.
Safeguarding means just that – can the supplier offer sufficient safeguards with data containing personal information?
However – can the problem be eradicated altogether, so that the GDPR regulations are avoided?
We will cover these areas in the next post. Our advice as always – find a lawyer who understands the regulations and can guide you either as a customer or supplier. If you are in doubt, get advice.
If you breach the regulations – it could get expensive.