Most businesses in the UK process personal data even if just about their employees. Many need to be registered under the Data Protection Act (DPA) 1998 as breach of the Act is a criminal offence.

Rachel West, an associate of Mercers, says:-
“The Information Commissioner is in charge of the data protection legislation and has issued a number of useful guidance notes on the legislation. Most recently guidance has been updated on transferring personal data abroad. Not all our local clients know that there are restrictions on taking personal data outside the 25 EU countries such as to have it processed in India. It is possible to achieve this but strict rules on which we can advise you must be followed.

In addition new guidance on outsourcing has been issued. “The DPA requires you to take appropriate technical and organisational measures to protect the personal information you process whether you process it yourself or whether someone else does it for you," said an Information Commissioner’s Office (ICO) statement. Outsourcing data processing to foreign suppliers does not absolve firms from protecting the data once it passes to a third party. In fact new guidance issued by the ICO seems to tighten up rules concerning a company's responsibilities to find an outsourcer who will safeguard the data. "The new guidance clarifies the old guidance which stated that in the case of a data controller to data processor transfer the 'data controller might reasonably conclude that adequacy exists without carrying out a detailed adequacy test'.”

If you need any advice on the transfer of data abroad, call us on 01491 572138.