In the wake of the UK’s departure from the EU, businesses have been left pondering the impact that Brexit will have on data protection regulations and what steps should be followed in order to comply with any new UK GDPR laws and legislation.
Almost three years since the EU General Data Protection Regulation (GDPR) was introduced, this privacy law remains one of the most far-reaching data protection laws in history, acting as a catalyst for many other countries to strengthen or introduce higher standards of data protection regulation.
In recent times, global awareness of the importance of data privacy has increased significantly in the business world and beyond, as the use of social media including Facebook, TikTok, and WhatsApp continues to generate headlines. And with the global magnifying glass firmly in place, the UK has several considerations to assess, retaining the right to amend GDPR processes as it sees fit in the future.
Cutting through the white noise around GDPR can be difficult. With that in mind, we have outlined some of the points that middle market businesses should consider to protect themselves and their valuable data.
The UK has adopted and enshrined the EU GDPR (with a few subtle edits that mainly relate to administrative and geographical relevance) in domestic law, and, alongside the Data Protection Act, the regulation is now regarded as UK GDPR.
The legal considerations around data transfers to non-EU countries continue to transform. Cross-border transfer of data is as important for those that export data as for those that import it, making this a critical issue.
The EU uses the term ‘adequacy’ in describing whether it regards other nations as having acceptable and appropriate data protection standards that will ensure equal or equivalent protections and rights for EU personal data.
Countries outside of the EU are regarded as ‘third countries’ and are assessed for adequacy on request. The list of approved or adequate nations appears on the European Commission website.
Bearing in mind that the breach of data protection rules results in severe fines for businesses, being prepared with a solid plan in place is vital. As such, the first step to consider is to identify the processes that involve non-EU data transfers. Where there is no “adequacy” decision, organisations must safeguard themselves against sanction.