For advisers storing or processing client data over the cloud, the general data protection regulation (GDPR), which comes into force on 25 May 2018, may shake things up.

This is because the GDPR, which is an extension of the current Data Protection Act, will affect how data is transferred outside the EU. This can happen when using a service provided over the internet.

If someone transfers data to a third party outside the EU, they need to be satisfied the company will protect client or employee data with the same rigour as within the EU. But working this out is no easy task.

Safety shield

The equivalent data protection framework in the US illustrates this.

The US had previously operated the Safe Harbor framework, which was an agreement under which personal data could be transmitted out of the EU.

On 6 October 2015 the Court of Justice of the European Union ruled this framework did not provide adequate protection. This was in a case called Schrems v Data Protection Commissioner (Ireland).

As of 1 August 2016, the EU-US Privacy Shield replaced the Safe Harbor framework. This is a binding legal instrument under European law that can be used as a legal basis for transferring personal data to the US.

On 12 July 2016 the European Commission issued its formal adequacy decision on the Privacy Shield, confirming it was stronger than Safe Harbor. Bear in mind, however, that subscribing to Privacy Shield is voluntary and based purely on self-assessment.

Assessing adequacy

US firms signed up to Privacy Shield can be found at and it is also possible to check what protection they offer. The list includes global businesses such as Dropbox and Microsoft.

But many others are not included. Some advisers have expressed concern that some of their US software suppliers show no interest in the GDPR or Privacy Shield, putting future use at risk.

Privacy Shield is a useful, mutually agreed substitute for the GDPR. But not every country will have this in place. In those cases, advisers must sift through contractual terms in detail to ensure adequate protection.

But assessing international adequacy is not always straightforward. The Information Commissioner’s Office (ICO) provides some guidelines for this based on the Data Protection Act.

For example, Xero is a company based in New Zealand. It supplies its cloud-based accountancy and payroll software internationally, has no servers in the EU, and has no intention to do so after 25 May 2018. Where data is processed in New Zealand, it benefits from having been recognised as an ‘adequate’ country by the EU for processing personal data on EU citizens as of 19 December 2012.

The other countries that hold this status are Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, the US under Privacy Shield and Uruguay.

Standard clauses

Xero also transfers data to Australia, which does not have adequacy status. But it has confirmed in writing that this is done under EU standard contractual clauses. These are standard clauses for agreements that involve international data transfers that have been approved by the European Commission as a lawful basis for transferring personal data to non-EEA countries.

There are no model contract clauses for international data transfers under the GDPR yet. Currently the ICO provides guidance on these under the Data Protection Act.

Although this is all based on current data protection legislation rather than the GDPR, there is comfort in the fact it will be adequate in the future. But doing this for lots of systems will be arduous, so being EU-based will be an advantage. This will hopefully encourage more companies to seek adequacy status.

Phil Young is managing partner of Zero