When GDPR came in, I read what it entailed to ensure my business practices complied. I have never sent my data outside of the UK and my business only deals with UK clients, so this was one aspect I did not research or worry about. However, a client of mine has asked me to inform other students of the potential issues with sending data outside of the EU. She was working on her dissertation and this involved approximately 20 different interviews. I transcribed a large proportion of these interviews. The remaining interviews were done in her language with respondents also speaking that language. I was not able to transcribe these interviews for her (I'm good but I'm not that good! ;-) ). So she sent the interviews to a country in Asia, as she could not find anybody to transcribe these interviews for her in England in her native language. Unfortunately, she then got in trouble with the ethics committee of her university as she did not anonymise the data prior to sending them outside of the EU.
Under GDPR, data cannot be sent outside of the EU unless it is totally anonymous. If you must send your data outside of the EU, there are steps you must take or you are breaching GDPR. GDPR applies to anybody handling data, individuals and companies. It is your responsibility to ensure that breaches do not take place. If you must send data outside of the EU, it is my understanding that the following precautions must be taken: anonymise the data. If the sound file you are sending is named after the person interviewed, change that file name to Interview X, Interview 1, etcetera; never have the file name match the name of any person actually interviewed. If the interview contains information within it that can identify that person (their name, where they work, where they live, etcetera), edit this out of the recording prior to sending it. If the person is in the public eye and could therefore be identified by their voice or whatever they are talking about in interview, you MUST get the respondent to agree to allow you to send their data outside of the EU (I would get this in writing). This applies only to data you wish to send outside of the EU, and sometimes you may not have a choice but to send your data outside of the EU, as with the case I cited. But if there is not a specific reason to send your data outside of the EU, then it is more sensible to keep your data within the EU. It really is a no-brainer and will save you a lot of stress.
Other sensible precautions to take: how are you sending your files? Is it through a free file sharer? You get what you pay for, so be careful with your data. Ensure that the data you are sending is encrypted. I pay for a service which encrypts your sound data and automatically deletes it after 10 days. Your university may also have ways to safely send data. Emailing sound files (especially from free email accounts) is not wise, nor is it recommended.
Do not send your data to just some random person that does not even have a website just to save a bit of money. The data you have worked so hard to get is important and is confidential. It is simply unwise to send your data to somebody that you do not know that does not have an internet presence.
I am not an expert on GDPR and sending data outside of Europe. I have gleaned the above by Googling 'sending data outside of the EU'. Please Google this and do your own research; I provide the above as a guide only, at the request of a previous client. This information obviously applies not only to students but to anybody that deals with recorded data. If any readers have updates on any of the information contained above, or there are any inaccuracies, please email me and I will update this blog entry.
Best wishes and happy researching!