The UK GDPR is replacing the existing EU GDPR on 1st January 2021 and will sit alongside the DPA 2018. All the main principles, obligations and rights remain in place, and the existing EU GDPR will continue to apply, unchanged, in the countries of the EEA. However, the way we need to interact with our customers in the EEA will change.
Transfers of data from the UK to the EEA will not be restricted. Transfers of data from the EEA to the UK will need additional safeguards in place, as the UK will become a ‘Third Country’ and will no longer have adequacy under the EU GDPR.
What does this mean for PSI and its Customers?
PSI is committed to the protection of your data and to the legal transfer of data under GDPR to both EEA and non-EEA countries. We have implemented the Standard Contractual Clauses, based on the European Commission approved SCC, and updated our Data Processing Agreement to ensure that all data flows in, and out of, the UK have appropriate safeguards.
We have also updated our internal procedures with an organisation-wide Intra Group Data Sharing Agreement, signed and agreed by all business units, that incorporates the same SCCs as we have written into our DPA, ensuring that all internal transfers of data also have adequate safeguards in place.
All of our security measures are to the standard of, and aligned with, ISO 27001, including industry-standard encryption measures for data both in transit and at rest, and strict Access Control procedures to limit who, how and what is being processed, minimising any unnecessary data transfers.
You may find useful the Information Note recently issued by the European Data Protection Board (EDPB) on data transfers under GDPR in the absence of an agreement; please click here. The Information Commissioner's Office also has guidance here.
If you have any questions or complaints in relation to this matter, you may contact PSI’s Data Protection Officer here.