This month the General Data Protection Regulation (GDPR) celebrates its second birthday. Thinking back to the months preceding May 2018, you are likely to remember the consent emails that flooded your inbox for subscriptions you never knew you had, and the IT and marketing teams looking slightly stressed.
All the pre-GDPR fluster may seem a distant memory now; however, the end of the Brexit transition period has meant organisations that process personal data from EU/EEA Member States must ensure their privacy and data protection policies and procedures have been updated to incorporate changes resulting from the UK leaving the EU.
In this article we look at how the GDPR, in relation to the UK, changed on 1 January 2021 and discuss the following key issues that data controllers and processors need to know about to ensure ongoing compliance:
- What is the UK GDPR?
- Has the EU granted the UK Adequacy?
- Do I need to appoint an EU/EEA representative?
- Has the ICO issued any significant fines over the past 23 months?
What is the UK GDPR?
During the Brexit transition period, which lasted from January 2020 to 1 January 2021 (EU Exit Day), the GDPR applied to UK organisations as it had done since its implementation in May 2018. As with many other EU laws, the principles and regulations of the GDPR were transposed into what is now known as the UK GDPR. From EU Exit Day, the EU GDPR ceased to apply to UK personal data; however, it continues to apply to EU personal data processed by UK-based organisations.
Confused yet? No one could blame you. Let us break it down further.
UK organisations that process personal data from an EU/EEA Member State must comply with EU GDPR principles as well as the UK GDPR and the Data Protection Act 2018. EU-based organisations processing UK personal data must observe both UK GDPR and EU GDPR.
Has the UK been granted Adequacy?
If the EU grants another country Adequacy, it means that, following extensive investigation and consideration, the EU Commission has decided that that nation's data protection laws are 'adequate', so additional safeguards are not required when sending personal data to and from an EU/EEA Member State.
The British Government is still waiting to see whether the EU will grant the UK Adequacy. The UK GDPR automatically recognised all EU/EEA Member States as adequate and recognised all existing EU adequacy decisions as UK adequate.
To ensure data continues to flow freely between the UK and EU a six-month bridging period, starting on 1 January 2021, was agreed under the UK-EU Trade and Cooperation Agreement.
Although a draft Adequacy Decision has been published, there is no guarantee that all 27 Member States will approve the document and thereby grant Adequacy. Many EU countries have serious concerns about UK security and criminal justice practices, especially the Investigatory Powers Act 2016, otherwise known as the "Snoopers' Charter", and the growing dependence of the UK police force on US-based public cloud services.
If Adequacy is not granted, businesses wishing to transfer data from an EU Member State to the UK or to other third countries such as America will need to use alternative transfer mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Do I need to appoint an EU/EEA-based representative?
After EU Exit Day, the ICO no longer acts as the Lead Supervisory Authority (LSA) for data protection matters for all UK companies. Before EU Exit Day, if an organisation suffered a data breach, the ICO took control, and the company did not need to contact the supervisory authorities in the other EU/EEA Member States. Businesses that process data from EU/EEA data subjects and do not have an office or other form of establishment in an EU/EEA Member State must appoint a representative.
A GDPR representative can be an individual or company (such as a lawyer or GDPR consultant). They must be based in a Member State where some of the organisation's data subjects are situated. The appointment needs to be made in writing with the relationship clearly detailed.
Has the ICO issued any significant fines under the GDPR?
The ICO has been busy over the past 23 months, issuing several high-profile GDPR fines. In October 2020, a well-known airline company received a £20 million penalty after more than 400,000 of its customers had their personal data harvested by criminals following a cyber attack. Initially, the Information Commissioner's Office (ICO) had planned to hand down a £183.39 million fine to the airline. Information Commissioner Elizabeth Denham said in 2019:
"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience."
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Also in October 2020, an international hotel had to pay a fine of £18.4 million, reduced from the initial sum of £99.2 million, following a significant data breach.
Not only does a data breach carry the risk of large GDPR fines; organisations under ICO investigation also face significant legal costs and a loss of trust, not only from customers but also from potential investors and commercial partners.
It should be noted that government departments are not exempt from the ICO's reach. In 2019, HMRC was handed an enforcement notice because it accumulated, held, and used biometric data via its Voice ID service despite having no lawful basis for doing so, without customer consent, and with little or no consideration for the data protection principles.
Five steps to take now to be post-Brexit GDPR compliant:
Data protection and privacy compliance is an ongoing commitment. A sure-fire way to inadvertently commit a breach is to rely on the compliance measures you put in place two years ago. To protect your business and the data it holds, regularly carry out the following:
- Map data flows to and from the EU/EEA to identify what compliance steps need to be taken. Data flows within the UK should also be mapped regularly, so that if a breach occurs or a subject access request (SAR) is made, you can swiftly isolate the data affected or required.
- Check if you are required to appoint an EU/EEA-based representative and put one in place if necessary.
- Identify whether an EU supervisory authority qualifies as the relevant LSA for your organisation's data transactions.
- Amend existing contracts and template terms to include relevant data transfer wording and appropriate referencing to the UK GDPR and EU GDPR.
- Review the information on SCCs and BCRs to ensure your organisation is prepared for future data transfers should the EU not grant the UK Adequacy.
Please contact us to find out how our Data Protection Law Solicitors can advise and represent you on GDPR and Data Protection Matters.