Here’s another thing people are getting wrong. Just because your personal data isn’t stored or processed inside the EEA – wait, you thought it had to be inside the EU? Wrong! – doesn’t mean you should panic and repatriate it. What you need to do is check whether the country you’ve put it in has an adequacy decision.
A what?
The European Commission reviews other countries’ data protection laws and decides whether they offer protection essentially equivalent to that under EU law. If a country passes muster, the Commission issues an “adequacy decision” for it, and personal data can be transferred there and processed there without any further safeguards, much as if it had stayed inside the EU. (That’s why I talked about the EEA rather than the EU earlier: the GDPR is incorporated into the EEA Agreement, so Norway, Liechtenstein and Iceland apply it directly and a transfer to them isn’t a third-country transfer at all. No adequacy decision needed.)
Here’s the list at the time of writing:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).
On the other hand, if your data is currently somewhere not on that list then you’d better become intimately familiar with Articles 45-49 of the GDPR: without an adequacy decision you need one of the Article 46 “appropriate safeguards” (standard contractual clauses or binding corporate rules, typically) or, failing that, one of the narrow Article 49 derogations. Or move it.
The list changes over time – decisions get added, and they can also be reviewed or struck down by the courts – so check the state of play on the EU website here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Oh – and of course this is one of the key issues for Brexit. Because when we leave, we won’t get an automatic adequacy decision – and even though we’re adopting the GDPR in the UK Data Protection Bill, we have a problem with the Investigatory Powers Act. So elsewhere in the EEA people will be looking at data stored or processed in the UK and wondering if they should move it.