28th of January 2019 marks the first International Data Protection Day since GDPR came into force on 25th of May last year. It is a good time to look back and see how far your organisation has come, and what the future holds – you may still be on your journey to full compliance with GDPR, which is fine so long as you have a plan that you are working towards.
For many organisations, this was the first real change in the way that they thought about protecting personal data, with many last-minute attempts to gain consent and to update Data Protection Notices, Privacy Notices and Data Processing arrangements. Things have now changed, and organisations are more aware of respecting and protecting the data of individuals.
While the 25th of May deadline will be burned into the minds of all involved with personal data for a long time to come, the country achieved a massive step forward – through a huge amount of hard work – in protecting individuals’ rights. We are already seeing punishments and fines for those who fail to comply, such as Google’s €50 million fine by the French Regulator.
Data protection in 2019, and Brexit
2019 marks the year that the UK will (in all probability at time of writing) leave the EU, most likely without any deal. Firstly, this does not mean that all the hard work in preparing for GDPR will go to waste, as the UK will incorporate GDPR into its own legislation and the Data Protection Act 2018 is still in effect. While it is uncertain how the UK will leave the EU and how this will be reflected in the working relationship with Europe, a ‘No Deal Brexit’ is the scenario that will require the most work from a data protection perspective.
The Information Commissioner’s Office (ICO) has produced guidance and templates in the form of a Six Step Guide to help organisations prepare for Brexit.
ICO’s guidance on leaving the EU
The six steps are all logical checks of whether the change in status of the UK will change the data transfer mechanisms for your organisation. The suggested steps are:
- Continue to Comply – GDPR and the Data Protection Act 2018 remain effective in the UK.
- Transfers to the UK – in particular you will need to review where personal data are received from organisations in the EEA, more details below.
- Transfers from the UK – while transferring to the EEA and countries with adequacy will remain fine in the short to medium term, this will need to be kept under review as the UK develops away from the EU. Transfers to the USA will need to be reviewed as below.
- European Operations – if your organisation is across Europe, you may need to look at your data flows and where the change in status of the UK will affect this.
- Documentation – you will need to check any Privacy Notices / Data Protection Notices as well as Data Records, and update these if your basis for transfers from or to the UK changes.
- Organisational Awareness – make sure any key people in your organisation are aware of the changes, particularly any IT team, procurement team and any team preparing for Brexit.
There are some other considerations to make in addition to this. Firstly, personal data transferred within the UK (covered by the Data Protection Act 2018), and transfers to the EU 27, the EEA, or countries with an Adequacy Decision, will require no change, as the UK government will respect EU adequacy decisions until it is able to make its own adequacy decisions in the future.
There will need to be changes with regards to transfers from the EEA. Unless and until there is an adequacy decision by the EU about the UK, which is something the Government is looking for, organisations wishing to transfer personal data to the UK for processing will need one of the following:
- Binding Corporate Rules. These are suitable for organisations with branches in the EEA and the UK where personal data is processed within the organisation.
- Standard Contractual Clauses. These are drafted by the Commission and cannot be altered; they are a lift-and-complete contract, and both parties have to agree to the terms within. The ICO has produced guidance on when these would need to apply and has also created an interactive downloadable version to help organisations prepare for a No Deal scenario, a deal which does not have an adequacy decision, or remaining within the EEA.
For transfers to the USA, UK organisations will only need to change their approach for personal data transferred under the Privacy Shield, by ensuring that any American organisation receiving data has updated its Privacy Shield certification to include the UK as well as the EU. For other means of transferring personal data, either under Binding Corporate Rules or Standard Contractual Clauses, no change will be needed.
In summary, if the political decision changes and the country either remains in the EU or the EEA, then no changes will be needed. Any changes that are needed – listed above – are well set out by the ICO in the links above.
We hope you have an enjoyable International Data Protection Day (of course, every day is a data protection day!). We will be celebrating here with quizzes, cupcakes and our very own Derek, the Data Protection Bug, who is here to remind everyone to Think Data Protection!