Data sharing and overseas transfers

We have extensive experience advising organisations, from start-ups to global corporations, on their overseas transfers and data sharing strategies for the distribution of personal data within group entities and externally with a third party. As part of this service, we will meet with your teams to assess your data sharing practice and map out your compliance risks. We will then identify how these can be mitigated and assist you with implementing compliant solutions. We partner with you to ensure that any strategies put in place are effective and enable the business to continue to operate without too much red tape.

We have a suite of third-party data protection due diligence documentation to ensure you comply with data protection legislation when sharing personal data within your group entity or externally. We provide access to these documents and help embed and operationalise them within your organisation, ensuring that the right questions are asked in the early stage of data sharing to prevent delays further down the line.

Under data protection legislation, a vast number of requirements must be met to ensure that the sharing of any personal data is compliant. We review, draft, and assist with negotiating data sharing agreements to ensure these compliance requirements are met.

We can help you review your current agreements and perform a gap analysis to identify areas that need to be remediated. We can carry out bespoke reviews of individual data sharing agreements or set up and run remediation projects to review and update all your data sharing agreements in one go.

When transferring personal data to countries not recognised by the UK/EU as having adequate data protection laws, you are required to carry out a transfer impact assessment to ensure that the recipient of the data will be able to comply with the adequacy mechanism in place. For example, can they meet the relevant data protection requirements or comply with the text of the Standard Contractual Clauses?

We can help you prepare transfer impact assessments and associated data protection impact assessments. These will appraise the risk of any overseas transfers, the current controls in place and the operational measures required to ensure that any data sharing outside of the UK/EU remains compliant.

Binding corporate rules provide a mechanism to enable overseas data transfers within a corporate group without requiring additional documentation for each transfer.

We work with you to identify whether binding corporate rules are the right solution for your organisation. If so, we can help you choose the most appropriate lead supervisory authority for your binding corporate rules based on your establishment and assist with preparing the correct documentation for your group entities.

In doing so, we will review current data sharing activity across your group, identify solutions for you to streamline any processes, and assist with updating policies and procedures. We will also liaise with the lead supervisory authorities in the relevant member states to enable your binding corporate rules to be approved under data protection legislation.

We all know compliance can sometimes be seen as a tick-box exercise; however, we have practical hands-on experience working in-house with organisations to bring policies and procedures to life.

We have a suite of data sharing policies, procedures, and template documents which can be tailored to address and document your data sharing arrangements and assist with demonstrating that you are sharing personal data in a compliant way. Not only will the policy and procedures give you peace of mind, but you can also use them to demonstrate compliance to any third parties with whom you share data.