Before providing a service, or employing a new staff member, Cifas members can check details against our databases for matches with individuals whose behaviour appears to be consistent with known fraudulent conduct. Some Cifas members use staff based outside of the UK and of the European Economic Area (the EEA, which includes the EU) to carry out those checks. This means that if a match is found, Cifas will be making what data protection law describes as a transfer of personal data to a “third country”.
Transfers of personal data from the UK to a third country are allowed where that country is considered “adequate” in data protection terms by the European Commission and the UK government. The Information Commissioner’s Office publishes a list at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#adequacy-decisions, and this includes the Privacy Shield framework that covers the USA.
Transfers are also allowed where “appropriate safeguards” have been put in place between Cifas and the member based outside of the UK. In practice, this means that Cifas and the member will sign a contract called “a set of controller to controller standard contractual clauses”. The ICO has published the wording of the standard contract at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#dp-clauses.