Press release
SENDING PERSONAL IDENTIFIABLE DATA TO THE US PUTS UK SUBJECTS AT RISK
Overseas transfers of personal identifiable data to US-based tech companies could be putting millions of UK subjects at risk due to a lack of knowledge concerning lawful data transmission, according to Boardroom Matters.
In the UK and EU it is a civil offence to send information about individuals to countries like the US, India and Australia without putting in place an International Data Transfer Agreement (IDTA) in the UK or, for the EU, Standard Contractual Clauses (SCCs). This information could include, for example, just their name, email address, phone number or even an IP address.
Even for companies that are joint entities such as a UK subsidiary of a US company wanting to share, say, HR records, binding corporate rules (BCRs) must be documented and approved by the appropriate data protection authority before any transfers can be made.
Although these rules have been strictly policed since GDPR became law in 2018, with substantial fines of up to £18 million or 4% of worldwide turnover, whichever is the greater, many smaller companies are using overseas tech companies for data processing without a data processing agreement and an IDTA.
Typically, these tech companies are used by many UK firms to send out emails, for data storage, managing cloud-based HR records and CMS for marketing purposes. However, the onus is on the UK data controller, i.e. the company commissioning the overseas work, to put in place appropriate data protection safeguards before sending data outside the UK or EU.
In the US - apart from California - there is no legislation to uphold data subjects' rights and, more shockingly, in 2018 the US Government enacted the CLOUD Act. This enables federal law enforcement to force all US technology companies to divulge the contents of any server-stored data. Although Australia has the Office of the Australian Information Commissioner, its current legislation has been deemed by the EU as not meeting adequacy, and in India there is no national regulatory authority for protecting personal data, which also doesn't meet adequacy.
Sam Crich, a digital lawyer with Berwins Solicitors says: "The consequences of sending data overseas without adequate protection would be a breach of data protection legislation in the UK and EU (and a few other places).
"There are certain countries like Japan that have been assessed by the relevant UK and EU bodies where personal data is deemed to be protected to the same degree as in the UK/EU. But unless you've sent data to a country on that list (countries not on that list are often referred to as a "third country"), this would likely be deemed to be a breach of the law whether that country actually provides adequate protection or not - unless you also have a risk assessment and a valid transfer mechanism in place."
Philip Allott, a data protection specialist with Boardroom Matters, believes that the Government needs to provide greater clarity over overseas data transfers, especially to smaller companies. He explained: "Some of the bigger US tech companies have built into their T&Cs clauses like data transfer agreements and Standard Contractual Clauses and many claim to be GDPR compliant - but in reality, because of the US CLOUD Act, they are never 100% compliant. As an example, in a recent ruling by The European Court of Justice over Facebook, the Court reiterated that data exporters are primarily responsible for any data transfers and that, because there is no US adequacy with EU privacy standards, even the use of SCCs could still put personal data belonging to EU subjects at risk.
"I cannot reiterate strongly enough that the responsibility for meeting adequacy in order to transfer data overseas is down to the UK or EU based sender, not the overseas supplier."
Companies concerned should seek independent legal guidance from a data protection specialist. During October Boardroom Matters is offering up to 30 minutes' free advice and also offers a range of services including UK GDPR audits, bespoke Data Processing Agreements and support to determine lawful methods of data processing.
For further information visit http://www.boardroommatters.co.uk
Allott and Associates
Claro Chambers
42 High Street
Knaresborough
HG5 0EQ
For media enquiries please contact:
Emily Evans
Account Manager
Allott and Associates Ltd
Telephone: +44 (0)1423 867264
Email: emily@allottandassociates.co.uk
www.allottandassociates.co.uk
Twitter @AllottsPR
Or
For sales enquiries please contact:
Philip Allott
Legal Services Director
Boardroom Matters Ltd
71 - 75 Shelton Street, London, WC2H 9JQ
Telephone 0203 733 6443
www.boardroommatters.co.uk
GDPR (which stands for the General Data Protection Regulation) came into force in May 2018 and was renamed UK GDPR in January 2021. UK GDPR affects all businesses, including the public sector, and charities.
Any organisation handling personal identifiable data such as customer records, staff details, payroll, marketing databases and even CCTV cameras must ensure that these processes comply with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
UK GDPR has had a profound impact on different organisations and if you have any concerns about your current activities or are planning any changes, you should strongly consider seeking external professional guidance from Boardroom Matters. The consultancy works with a cross-section of clients including businesses, charities and trade associations to identify their new legal obligations through onsite audits, training courses, documentation and providing guidance where in-house policies require changing.
This release was published on openPR.