Act now to ensure compliance with Data Protection Law
At the end of December 2020, the Brexit transition period will end and new rules will apply to Data Protection law. At 11 pm on the 31st December, the UK will be independent of the EU and will be required to make changes to its laws. Out goes the EU General Data Protection Regulation and in comes the new Data Protection, Privacy and Electronic Communications Regulation, or the UK GDPR. It isn’t that different with only a few minor amendments at this time. The recent ICO webinar called 'Keep Data Flowing’ points out a few important things to do in light of this. For example, it says that you should update your policy framework to reflect your obligations to the UK GDPR.
Please see the link below for the ICO's webinar 'Keep Data Flowing'
More importantly, if you’re processing personal data means that the data crosses a border you need to take immediate action. When the transition period ends the UK will lose its EU Adequacy Decision. This will make the UK a Third Country and in theory, one that is not adequately equipped to ensure the fundamental rights and freedoms of individuals can be upheld. Despite the fact that as I write this we are ‘adequate’, a reassessment of our arrangement has already begun. One stumbling block to regaining adequacy will be our UK ‘snooping’ laws. The Investigatory Powers Act 2016 gives the government powers to intercept communications, to retain internet records and to undertake mass surveillance if it needs to. The EU are not keen on such intrusive arrangements and may request before an adequacy decision can be made, that this law is amended.
In the meantime, this leaves organisations transferring data overseas into EEA countries with a new challenge. Even if you are not processing the data of EU citizens you may be storing data in the EU. This might be via a Cloud, or local servers used for backing up. If this is the case, you will need to ensure there is a documented safeguard in place. Commonly, the safeguard is the EU Standard Contractual Clauses (SCCs), the UK is developing its own SCCs for the future. The EU SCCs are standard documents which cannot be amended and are downloadable from the ICO’s website here’s a link:
There is one for controller to controller and another for controller to processor. This agreement between you and the other party who is receiving your data must be in place as soon as possible. The risk is not so much your transfer of data to the EU, more the access the EU based service allows you. Effectively, the EU organisations may be in breach of EU law by allowing data to flow back into an inadequate country without such safeguards in place. It is possible without such a safeguard; you may not be able to access your own data, so we urge you to act now to fully protect your information and prevent any disruption to your services.
If you require further advice concerning compliance with data protection law, please get in touch with us
0330 111 0013