The UK has officially left the European Union now that the transition period has ended on January 1st 2021. But this could raise issues with one of the biggest bugbears for many companies – the international transfer of personal data.
Businesses can relax, somewhat – GDPR, which took businesses months to get their heads around, is not being replaced. It will continue as the UK GDPR 2018, and will still be based on the criteria of the Data Protection Act of 2018. However, the UK will retain the right to change the UK GDPR as it sees fit in the future.
The main changes apply to those who receive data coming into the UK from Europe. Transfers from the UK to other countries can continue under existing arrangements.
We know it can be difficult to cut through the legal jargon, so we have simplified what you need to know to protect yourself and your data:
Update your privacy notice
Most businesses do not have the correct clauses in place ahead of January 1st, potentially exposing their liability should something happen to their data. All company privacy notices online will need to be updated to specifically state ‘UK GDPR’, as opposed to ‘EU GDPR’. Businesses will also need standard contractual clauses in place, which cover both parties – those transferring and those receiving the data.
The Information Commissioner’s Office (ICO) has a list of what needs to be included in the standard contractual clause here. The ICO will remain the UK regulator for data protection, regularly liaising with each EU member state.
This also applies to Multi Corporate Groups that operate in multiple countries, who need to update their documentation and privacy notice to expressly cover the data transfers. The UK has applied for an adequacy assessment, which would negate the need for contractual clauses, however, this has not yet been approved by the EU.
More from Guides
- EU Regulation 261/2004: Know Your Rights
- Tony Brain: 3 Top Tips for Job Seekers in the SAP on Cloud Space
- Top Bedding Companies in the UK
- How Has Sports Betting Changed With The Advent of The Internet?
- What Is A Stamp Duty Rebate?
- Simon Randall, CEO of Pimloc: How Could Ethical AI Influence Data Laws?
- What Does It Take To Maintain An Electric Vehicle?
- Could Your Innovative Business Idea Qualify For A UK Innovator Visa?
Data privacy assessments
Any company that runs applications and software should always perform a Data Privacy Impact Assessment. This was in the guidelines before, but these assessments are now more important for those who outsource their IT operations internationally.
For example, when using a service such as a cloud-based system, the company must be sure that its service provider adheres to UK GDPR and stores the data within the European Economic Area (EEA), or has a binding corporate agreement with the company, where data is stored outside of the EEA. You should also, as mentioned above, make sure that a contractual clause is in place.
Review local legislation
Contracts should now have contractual clauses that specify the responsibilities of the data controller and the data processor. If you are receiving personal data from a country territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers. You should check local legislation and guidance in this case.
Cyber Security health check
The ICO is increasing its capacity and efforts to crack down on data breaches, post-Brexit. Now is a great time for all companies to have a health check to understand their Information Security posture and GDPR compliance. Nobody wants to be caught handling data improperly and fined when it could have been prevented with education and training.
A gap analysis performed by an expert is money well-spent. It’s also a fact that companies that have cybersecurity and Information Security controls are not only able to better defend against attacks but are also far better placed to recover from an attack.
It’s important that all businesses – large and small – are properly preparing their data storage for the coming weeks. ICO has been busy setting examples by fining large, high-profile companies for failing to keep millions of customers’ personal data safe.
It will continue to come down hard on the data breaches of personal identifiable information and special categories of data. The saying ‘prevention is better than cure’ rings truer than ever this year, and you will thank yourself if you make the efforts to properly store your data now, and not when it’s too late.
Written by John Flynn, Principal Security Consultant at Conosco