I own an IT Consultancy. We have been asked to migrate some data that we think is in XYZ to a company in XYZ. How would it work regarding the GDPR? Normally before GDPR, we would have asked them to export the data in a machine-readable format, if it was a different database, upload it to a storage account and then we would read it using whatever data up load upload tools we had on back into the database. Now with GDPR, I'm not so sure. Obviously it would be encrypted upfront, and we would agree a delivery method for the password. How would it work in this instance with GDPR in place?
You should first assess if the Canadian company applies GDPR to its data processing (i.e. the company processes data of EU individuals). In this case, no further measure shall be taken because GDPR allows the transfer of data inside the GDPR space.If the company does not apply GDPR, then it is required a written data transfer agreement between the two companies.
The data transfer agreement should reflect the standard contractual clauses as adopted by the EU Commission. These clauses are required to transfer data outside the EU providing sufficient safeguards but adopting it to import data from the Canadian company can help the Scottish company to demonstrate its accountability to GDPR principles.