Markets and Securities Services | Europe

where feasible, within 72 hours of awareness of the breach. Where a security breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must also notify data subjects of the breach without undue delay.

Managers should therefore have clear policies and processes in place to be able to identify, and react to, security breaches in a timely manner. Otherwise, as demonstrated by the recent examples of the Yahoo data breach and the record GBP400,000 fine issued by the ICO to TalkTalk, organisations could find themselves dealing with significant commercial and reputational risks in addition to regulatory sanctions.[9]

S: sharing
As children, we were taught that “sharing means caring”. This may certainly be the case when sharing data intra-group, or with domestic regulators. But the sharing of personal data with organisations in jurisdictions outside the EEA poses very different challenges from the sharing of personal data intra-country or even intra-EEA.

To transfer personal data outside the EEA, organisations tend to rely on a European Commission finding of adequacy in respect of the recipient jurisdiction, put in place standard contractual clauses approved by the European Commission (also known as “Model Clauses”) or rely on the consent of the individuals whose data is to be transferred (among other derogations). Broadly, the GDPR builds on these mechanisms. However, key differences between the Directive and the GDPR include that the latter expressly recognises Binding Corporate Rules, for both controllers and processors, as mechanisms for intra-group cross-border transfer, and introduces a process for allowing transfers on the basis of certifications, provided that the relevant controller or processor applies the appropriate safeguards.

One of the biggest issues facing international organisations under the Directive is the question of how to reconcile compliance with European data protection laws with the demands for data by foreign regulators. The Directive does not lend itself easily to such disclosures, and there is often detailed risk analysis underpinning an organisation’s decision as to whether to comply with European data protection requirements or acquiesce to foreign regulatory demands. The GDPR does not remediate this situation, which means that the issue of data transfers to foreign regulators remains a pertinent one for managers to grapple with for the foreseeable future.
GDPR aside, since 2015 we have seen a gradual unravelling of two of the key mechanisms for cross-border transfer. First in the line of fire was the Safe Harbor regime, which had allowed US organisations (other than financial services firms, for example) to self-certify compliance with the principles in the framework. This had the effect of deeming those organisations as providing an adequate level of protection to personal data. On 6 October 2015, the Court of Justice of the European Union (CJEU) ruled that Safe Harbor was invalid,[10] and Safe Harbor was replaced with the Privacy Shield[11] earlier last year. The Privacy Shield is to be reviewed within a year of its implementation, but revelations last year in relation to Yahoo’s scanning of millions of emails at the behest of the US government have made challenges to the adequacy of the Privacy Shield more likely.[12]

Now, as the fallout from the Schrems case continues, Ireland’s Data Protection Authority has challenged the legality of Model Clauses