International Transfers of employee data - the clock starts ticking for UK data transfer remediation

Rhiannon Webster, Shehana Cameron-Perera and Liz Parkin presented International transfers of employee data: the clock starts ticking for UK data transfer remediation on 31 March 2022.

During the webinar our speakers looked at data transfers in the employment life cycle; the position of international transfers post Schrems II; and discussed the practicalities of approaching your data transfer projects. 

Key takeaways

 

• The use of derogations, in particular consent, are highly unlikely to be applicable in an employment context and for any transfers of employee data.
• Nearly all organisations will be making data transfers of employee data; whether that is at an intra-group level (for example the sharing of employee data with group legal/HR or management of the parent company outside the UK via a secure online platform hosted in the UK for investigation purposes); or externally to third parties (such as the transfer of employee data to a third party for payroll/benefit provisions such as Workday hosted in the US).
• Data mapping can always be challenging and whilst this responsibility is unlikely to fall directly to HR colleagues, they will need to understand/feed in to any processes being carried out by compliance/legal. This process will largely mirror the task that HR colleagues may have been previously involved in when originally mapping employee data when GDPR came into force; this should mean that they can hopefully leverage existing mapping information.
• Whilst the new Trans-Atlantic Privacy Framework sounds promising, we caution against waiting for this to come into force and relying on it as your data transfer mechanism for transfers of personal data from the EU to the UK. Instead we advise proceeding with your remediation projects because the clock is ticking. For EU transfers, you are required to repaper existing contracts and incorporate new EU SCCs by 27 December 2022 and for UK transfers, existing contracts should be repapered to incorporate the UK IDTA/Addendum by 21 March 2024.
• When developing your strategy for categorisation and prioritisation of transfers, refer to the ICO's guidance on transfer risk assessments (which is still in draft form). Key point flagged within the guidance is that where the importer and exporter are within the same group of companies, the risk of harm to individuals is reduced; therefore we advise prioritising external transfers.

A recording of the session and the webinar slides are available below. 

Ashurst are here to support you on all stages of your data transfer compliance/remediation projects and we have included our offering placemat which should provide further details.

Please do reach out to the speakers or your normal Ashurst contact if you require any further information on the topics discussed.