We have found that beliefs about managing data transfers have been broad and often confused since the EU General Data Protection Regulation (GDPR) came into force in May 2018. Some believe no data transfers outside of the EU are allowed. Others believe that if you have a legitimate business reason to transfer data, and an agreement with the customer, it is simply business as usual. The real answer usually lies in between.
We will walk through the GDPR requirements for processing personal data to help you envision how the GDPR data transfer rules may apply to your organization and your customers.
What data may be considered personal?
The GDPR applies to “in-scope” personal data. The GDPR defines personal data differently than some other regulations and standards. As you are likely aware by now, personal data in the GDPR definition includes any information that can directly identify a person (called a data subject), such as name, address, age, gender, etc. However, the GDPR expands personal data to include otherwise innocuous information, when a person can be indirectly identified by a combination of one or more of those factors.
What does this mean to your organization? Do you collect an identification number and a zip code on an individual? Do you collect a mobile device ID and a group affiliation, such as membership in a specific industry association or social group? Do you track clicks by users of your website and capture the IP address of the user? Do you track cookie identifiers? Have you asked how the user found your website? In each of these cases, the potential exists that you can identify a person by combining the factors you hold. You need to assess the data you track holistically to determine whether, when gathered together, it rises to the standard of personal data under the GDPR.