
With the General Data Protection Regulation (GDPR) now the law of the land, many companies are realizing that they still have work to do to achieve compliance with the European Union’s expansive piece of legislation. One area of particular complexity and concern deals with cross-border data transfers.

The problem arises when companies transfer data outside of the EU, irrespective of whether those transfers occur within a single company or via a third-party processor or network, such as a cloud provider. The GDPR mandates that organizations can transfer personal data to another jurisdiction only if that jurisdiction has been deemed adequate by the European Commission itself, or if the transfer is made through an adequate and legally effective data-transfer mechanism.

Essentially, it is about making sure that the data transferred to these jurisdictions or companies outside the EU has the same level of protection as it would inside the EU. To achieve this goal, companies will need to apply appropriate and legally enforceable safeguards aligned with GDPR requirements. For example, some internal safeguards might take the form of documented and demonstrable processes and procedures. Some external measures might include contractual clauses requiring third-party vendors to provide documentation and demonstrations of compliance as well.

There are several GDPR-compliant mechanisms by which organizations might be allowed to transfer personal data outside of the EU. The more common include:
  • Adequacy Decision: There are some countries and political entities outside of the EU with data privacy laws that have been determined by the European Commission to provide an “adequate” level of data protection. For GDPR compliance purposes, data transfers into these jurisdictions are treated as if they occurred within the EU. Some of these jurisdictions include Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, Andorra, Argentina, and Canada (on a limited basis).
  • Internal Safeguards: Organizations in the US that have “self-certified” with the US Department of Commerce as compliant with the Privacy Shield Framework are allowed to transfer data outside of the EU. It should be noted that certifications under older Safe Harbor standards are not GDPR-compliant, primarily due to concerns over sharing private data for government surveillance purposes. It is also unclear whether self-certifying via the Privacy Shield Framework will be sufficient for the long term.
  • External Safeguards: Organizations working with third parties or affiliated legal entities outside of Europe may adopt “model clause contracts,” which are a set of contract clauses that the European Commission has endorsed. A common example of such a party is a cloud provider that could have infrastructure in multiple jurisdictions around the world. Companies need to make sure that appropriate and legally enforceable safeguards aligned with GDPR requirements are built into the contractual arrangements that they have with those third parties.
  • Consent: Individual EU data subjects may allow companies outside the EU to use their personal data. Traditionally, consent to an international transfer must be informed, freely given, and unambiguous. The GDPR narrows the scope of consent to specified uses and timeframes and requires organizations to provide mechanisms for individuals to review their personal data, revoke their consent, and ensure their data is purged from a system.
  • Compelling Legitimate Interests: The difficulty of complying with the requirements of consent often causes companies to look for alternative grounds for international transfers. The GDPR creates a new option to transfer personal data abroad based on “compelling legitimate interests.” Such interests might include fraud prevention, information security, and intragroup disclosures.

Although a case can still be made under the GDPR for consent and compelling derogations, the new law expressly seeks to limit such exceptions, driving companies to do a better job of respecting individual privacy.

The stakes for non-compliance are high. The GDPR dramatically increases the fines for international transfer violations from €300,000 to €20 million. On the positive side, the new rule seeks to streamline bureaucracy and improve data flow—provided the enhanced privacy provisions are met. In this regard, if managed correctly, transfer compliance under the GDPR can work to an organization’s advantage.

Michael Walter is a Managing Director with global consulting firm Protiviti. He is a leader with the firm’s Security and Privacy practice as well as Protiviti’s GDPR Working Group. For more information on GDPR compliance, visit