In the wake of the UK’s departure from the EU, businesses have been left pondering the impact that Brexit will have on data protection regulations and what steps should be followed in order to comply with any new UK GDPR laws and legislation.
Almost three years on since the EU General Data Protection Regulation (GDPR) was introduced, this privacy law remains one of the most far-reaching data protection laws in history, acting as a catalyst for many other countries to strengthen or introduce higher standards of data protection regulation as a result.
In recent times, global awareness of the importance of data privacy has increased significantly in the business world and beyond, as the use of social media including Facebook, TikTok, and WhatsApp continue to generate headlines. And with the global magnifying glass firmly in place, the UK has several considerations to assess, retaining the right to amend GDPR processes as it sees fit in the future.
Cutting through the white noise around GDPR can be difficult. With that in mind we have outlined some of the points that middle market businesses should consider to protect themselves and their valuable data.
What has changed?
The UK has adopted and enshrined the EU GDPR (with a few subtle edits that mainly relate to the administrational and geographical relevance) in domestic law, and, alongside the Data Protection Act, the regulation is now regarded as UK GDPR.
The cross-border transfer of data
The legal considerations around data transfers to non-EU countries continues to transform. Cross-border transfer of data is just as important for those that export data and those that import data, making this a critical issue.
The EU uses the term ‘adequacy’ in describing whether it regards other nations to have acceptable and appropriate data protection standards that will ensure equal or equivalent protections and rights for EU personal data.
Countries outside of the EU are regarded as ‘third countries’ and are assessed for adequacy on request. The list of approved or adequate nations appears on the European Commission website.
Bearing in mind that the breach of data protection rules results in severe fines for businesses, being prepared with a solid plan in place is vital. As such, the first step to consider is to identify the processes that involve non-EU data transfers. In the case of a lack of an “adequacy” decision, organisations must safeguard themselves against sanction.
The “in and out” transferring of UK data
The UK government has determined that all transfers from the UK to the EEA and the EU list of ‘adequate’ countries will remain lawful. As the UK is now officially a third country it has had to apply for an adequacy assessment. The Trade Cooperation (or Brexit) agreement of 24 December 2020 included a ‘freezing’ of the UK’s data protection position that would ensure temporary adequacy until such time that an assessment could be carried out. The EU gave itself 6 months to complete the assessment.
In February, much to the relief of many, the EU issued a draft statement granting the UK adequacy. This is yet to be ratified by both the EDPB and the Member States individually but increases the likelihood that the UK will be deemed adequate by June 2021. If the UK is indeed deemed adequate there will be no change to existing data transfers from the EU.
Should the EU’s initial findings be reversed and the UK fails to achieve adequacy, alternative lawful instruments will be required to maintain data flows which include a contract signed by both data sharing parties that includes EU Standard Contract Clauses (SCCs)
Any organisation that does not have an office in the EU but supply goods or services to individuals in the EU may need to appoint an official representative and add the details to their Privacy Notice. This is to ensure that EU data subjects have a local contact for data protection matters.
Organisations outside of the UK with no office in the UK and supplying goods or services to individuals within the UK will need to appoint a UK representative.
One Stop Shop (cross border Authority collaboration)
Following Brexit, the ICO will no longer be part of the EU ‘one stop shop’ collaboration of Supervisory Authorities. If an organisation supplies goods or services to individuals in an EU territory and an issue occurs, any subsequent investigation will take place in both territories with the potential of two separate fines.
GDPR checklist to consider
Most businesses remain unprepared for what the future holds. UK business’ need to amend their GDPR documentation to align it with the requirements of the UK GDPR. In particular, Article 30 records of processing activities, privacy notices, Data Protection Impact Assessments (DPIAs), Data Subject Access Requests (DSARs) and documentation covering international data flows must all reflect the UK’s independent authority and the specific scope and wording of the GDPR.
The below outlines a speedy checklist of some of the vital GDPR considerations for businesses.
1. Updating your privacy notice
All company privacy notices online must now specifically state ‘UK GDPR’, as opposed to ‘EU GDPR’. Businesses will also need standard contractual clauses in place with a view to covering all parties involved.
The Information Commissioner’s Office (ICO) offers a list of necessities in terms of what needs to be included in the standard contractual clause. This can be found here. The ICO will remain in its position as the UK regulator for data protection and will frequently liaise with each EU member state.
2. Assessments of data privacy
All companies that run applications and software should, through best practice, carry out a Data Privacy Impact Assessment. A good example is the use of a cloud-based system – as a company you must be confident that your service provider adheres to UK GDPR and stores the data within the European Economic Area (EEA), or has a binding corporate agreement with the company, if data is stored outside of the EEA.
3. Legislation review
Ensure that your contracts contain contractual clauses specifying the responsibilities of both the data controller and the data processor. If you are receiving personal data from a country territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers.
4. Cyber health check
The ICO continues to weigh in on those who are not following the rules, making now the ideal opportunity for all companies to assess GDPR compliance and their cyber security controls. Falling foul of handling data can be prevented with the right controls and processes in place, along with adequate user education and training.
Moving forward, it is imperative that businesses prepare their data storage, including ensuring strong technical controls are in place to prevent a data breach. As mentioned, the ICO has been unafraid to set examples by imposing hefty fines on a number of companies for seemingly failing to protect the data of millions.
Preventing a data breach through robust IT controls, or identifying potential cyber-attacks early through regular logging and monitoring of network activity, will help to reduce the likelihood of a cyber- attack and the disruption and reputation damage which can be caused by investigations and adverse PR following a data breach.