How to prepare for data protection laws when expanding internationally: five of 10 top tips
Published on 7th Sep 2022
US businesses selling or setting up in the UK or EU need to address data protection – here are our first five tips
Expanding your company or a product line overseas can be an exciting time. There are lots of new customers and new markets to think about. It’s also a great time to take stock and think about the opportunities and challenges ahead – for example, how your product design and marketing procedures will need to adapt for these new markets. If you are expanding into the United Kingdom or European Union, data protection should be a high priority.
Failure to comply with data protection laws in the EU and UK – the General Data Protection Regulation (GDPR) and the UK GDPR – can come with large fines. These can be as high as the greater of 4% of worldwide annual turnover or €20 million under the GDPR, and the greater of 4% of worldwide annual turnover or £17.5 million under the UK GDPR. However, data protection compliance is not all about avoiding large fines or other forms of regulatory action. Having good data protection practices can be a valuable feature for customers and for any potential investors in the company in the future.
Data protection laws in the UK and the EU are incredibly wide in scope. Businesses operating in the UK and EU are expected to think about privacy when developing products and consider how they handle customer data. Doing this earlier can also make compliance with these laws a lot easier. What do businesses need to know about data protection before expanding?
Identify what is personal data
In the US, there is currently no single data law that captures so much information so widely. Under the GDPR and UK GDPR, however, personal data means any information that relates to an identified or identifiable individual. Identifiability is assessed in context: someone may become identifiable only when two pieces of information are combined.
There is no complete list of types of personal data. It includes the obvious types, such as names, email addresses and phone numbers, but also less obvious ones such as location data, online identifiers and IP addresses. It's important to understand how wide this definition is so that your organization can identify what personal data it holds, which will be relevant when considering how to transfer that data and what records to keep.
Prepare your privacy notices
In the UK and EU, you are required to have and maintain certain documents and be transparent about how you manage personal data.
As a minimum, most businesses will need a website privacy notice, which tells customers how the company manages personal data, and an employee privacy notice, which tells any UK or EU employees how their personal data is held and used. There are requirements in the GDPR and UK GDPR about what information needs to be included in a privacy notice, so it's important to ensure that any privacy notice covers these requirements.
Get to grips with lawful basis
The GDPR and UK GDPR create a framework that only allows organizations to process – for example, to store, transfer, view, and use – personal data if they have a lawful basis to do so; this is the legal reason or legal justification.
Under the GDPR and UK GDPR, there are six lawful bases for processing personal data (listed in Article 6 of the GDPR): the person has given consent; the processing is necessary to perform, or to enter into, a contract with them; the organization has a legal obligation to use the information (for example, tax filings); the processing is necessary to protect someone's vital interests (such as life-saving treatment or where they are in grave danger); it is a public task (used by public bodies to perform official functions); or it is in your business's or a third party's legitimate interests, which requires a documented assessment showing that the processing is necessary and proportionate and that those interests are not overridden by the individual's interests, rights and freedoms.
For more sensitive or "special category" personal data, an additional condition is required on top of the Article 6 lawful basis (the conditions are listed in Article 9 of the GDPR). Special category data includes information about someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where it is used to uniquely identify them), health, sex life, and sexual orientation.
Consider whether you need an international data transfer agreement
When you are expanding abroad, you are likely to want to send information from your new UK or EU company back to your headquarters. If you are transferring personal data outside the EU or UK, you will require additional safeguards. It might be that the UK or EU has recognized another country as "adequate". This typically means you can share personal data with that country as if it were in the UK or EU. At the time of writing, neither the UK nor the EU has an adequacy decision covering transfers to the US.
If there isn't an adequacy decision covering the transfer, then you need another transfer mechanism in place: presently, the most common one is standard contractual clauses. These clauses can only be amended in a very limited way, and they allocate responsibilities to each side for looking after the personal data.
These extra safeguards are required even if you are transferring within the same group of companies if the transfer requires taking personal data outside the UK or EU.
Check direct marketing rules
Expanding into new markets is great and your business will likely want to reach out to customers to tell them about this. However, there are stringent rules around sending marketing messages in the UK and EU.
In general, you cannot send someone a marketing email (where their email address identifies them) unless they have consented to receiving that type of message. This applies to both professional and private email addresses. There is sometimes another legal route for sending marketing messages, but the conditions vary between EU countries.
To address this, most companies need a mechanism that allows interested and potential customers to 'opt in' to hearing more about their products.
Osborne Clarke Comment
If you are expanding your business from the US, this will mean getting to grips with a different kind of data protection regulatory regime, which can take considerable time and cost up front. For this reason, we recommend contacting an expert as soon as you identify your organization's requirements, since it is often easier to put data protection measures in place earlier in the process.
Part two of the series will explore five more areas of data protection law that your organization will need to address when expanding into the EU or UK markets.