Expert Advice Community

Sending personnel data from UK or Europe for analysis.

Guest user Created:   Dec 07, 2020 Last commented:   Dec 08, 2020

Hello.
I am hoping to offer a service to UK/European organisations to help them identify areas of bias and inequalities, particularly in the areas of gender pay and advancement, and pay gaps relating to ethnicity and disability.

I am speaking to a US company who could process the data for the results I want with their Artificial Intelligence.

What would be the steps necessary to ensure that both the transmission and processing would be compliant in every regard?


Expert
Alessandra Nisticò Dec 08, 2020

The data you are going to process belongs to the special category of personal data under Article 9 GDPR (some legislation calls it sensitive data) because this kind of data contains information which may end up in discrimination and in threats to the freedoms and rights of individuals. Therefore, the EU GDPR requires controllers and processors to pay particular attention when processing this kind of data.

Before starting processing, you will need a Data Protection Impact Assessment, as Article 35 GDPR requires, in order to verify the risks to the freedoms and rights of data subjects arising from your data processing and to assess the risks with appropriate safeguards. This will also help you to comply with the privacy by design and privacy by default principles.

From the information you wrote, your data processing will likely be based on consent. Therefore, you will need to pay attention to the information provided to data subjects in your privacy notice and the request for consent. The register of processing activities will also be required. You will need to establish a procedure to deal with Data Subject Access Requests (DSAR) because data subjects may always withdraw their consent, and you need to be able to verify the request, proceed with the exercise of the DSAR, and also comply with the right of erasure if so requested.

Be sure to inform data subjects that their data will also be processed in the US.

Then, transferring data to a processor in the US may require safeguards: adoption of a data protection agreement with the approved standard contractual clauses is necessary because the EU Court of Justice invalidated the US Privacy Shield with the so-called Schrems II decision. You may also adopt secure transfer protocols and encryption (if you can anonymize the data it would be a plus, while pseudonymization is highly recommended).

Here you can find more information:

To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//

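As an added illustration (not part of the expert's answer or of Advisera's material) of the pseudonymization step recommended above together with the DSAR/erasure handling mentioned earlier: direct identifiers are replaced with a keyed token before the dataset goes to the US processor, and the key and lookup table stay with the controller. The employee records, field names and helper names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample HR records (assumption: the fields a pay-gap analysis needs).
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Example One", "email": "one@example.org",
     "gender": "F", "ethnicity": "Asian", "disability": "No", "grade": 3, "salary": 41000},
    {"employee_id": "E1002", "name": "Example Two", "email": "two@example.org",
     "gender": "M", "ethnicity": "White", "disability": "Yes", "grade": 3, "salary": 44500},
    {"employee_id": "E1003", "name": "Example Three", "email": "three@example.org",
     "gender": "F", "ethnicity": "Black", "disability": "No", "grade": 5, "salary": 58000},
]

# Direct identifiers never leave the controller; the remaining fields feed the analysis.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")


def pseudonym(key: bytes, employee_id: str) -> str:
    """Deterministic keyed token (HMAC-SHA256). Without the key it cannot be
    reversed or re-created, unlike a plain hash of a guessable staff number."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Return (export, lookup). 'export' is what the processor receives;
    'lookup' (token -> employee_id) stays with the controller in the UK/EU."""
    export, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["employee_id"])
        lookup[token] = rec["employee_id"]
        export.append({"subject": token,
                       **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return export, lookup


def erase_subject(export: list[dict], lookup: dict, employee_id: str, key: bytes) -> list[dict]:
    """Honour a consent withdrawal / erasure request: only the key holder can
    recompute the token, so only the controller can point the processor at the row."""
    token = pseudonym(key, employee_id)
    lookup.pop(token, None)
    return [row for row in export if row["subject"] != token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and kept by the controller
    export, lookup = pseudonymize(EMPLOYEES, key)
    print(export[0])                       # no name, e-mail or staff number present
    print(len(erase_subject(export, lookup, "E1002", key)))  # 2 rows remain
```

Pseudonymised data is still personal data under GDPR (Recital 26), and the special-category fields remain in the export, so the transfer safeguards described above still apply; the gain is that the processor cannot re-identify anyone without the key held in the UK/EU.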
