Since its inception in 2018, GDPR Data Protection has evolved rapidly, and keeping up to date can be daunting for many businesses. Clients have also expressed increased concern about the effects of Brexit on their data protection compliance, and are anxious to know their obligations under the UK GDPR.
If we made sure that we were compliant with data protection law in 2018, do we need to do anything now?
Yes, it is very important to ensure that you review data protection compliance regularly. Not only does processing change over time, but case law and guidance from the ICO (the UK regulator) since the GDPR came into force should also be taken into account. Brexit may also mean that you need to look at your policies and procedures and make any necessary changes.
The ICO recommends that businesses carry out regular reviews of processing and, where appropriate, update privacy information and other documentation.
Recently, the EU Commission has finally issued new Standard Contractual Clauses (‘SCCs’) which will replace the current SCCs. Under the GDPR, where personal data is transferred to countries outside the EEA that are not deemed to provide an adequate level of protection for personal data, an appropriate safeguard must be put in place. In many cases, SCCs will be the only practical solution.
The old SCCs have been heavily criticised over recent years as not being fit for purpose. For example, they did not adequately cover transfers by processors to third countries, as they were only structured for an EEA controller to transfer data to a non-EEA processor or controller, not for an EEA-based processor to transfer data.
The new SCCs are more flexible and the following transfers are covered:
i. controller to controller;
ii. controller to processor;
iii. processor to sub-processor; and
iv. processor to controller.
For businesses currently relying on SCCs for data transfers from the EU, there will be an 18 month transition period for existing SCCs to be updated and a three month period for businesses to enter into new contracts using the old SCCs, in both cases from the date on which the Implementing Decision is published in the Official Journal of the European Union (OJEU).
The position concerning transfers from the UK is that the Information Commissioner’s Office (ICO) currently only recognises the old SCCs as a valid transfer mechanism. It is expected that new bespoke UK SCCs will be implemented but the ICO is also considering whether the new EU SCCs will be recognised.
For the time being, it is sensible to carry out a review of your data transfers to identify where data is transferred under the old SCCs and if data is transferred from the EU or the UK to third countries. Where data is transferred from the EU and the arrangement will continue for more than 18 months, new SCCs will need to be put in place. New contracts that will not be signed within the next three months will need to be signed using the new SCCs. Contracts that will be signed within the next three months, but will not last for more than 18 months, can be signed using the old SCCs. If you are transferring data only from the UK, you do not need to do anything just yet until there is further news from the ICO.
What are the risks if we fail to comply with the UK GDPR?
Potential fines can be significant – up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher. Supervisory authorities have shown recently that they are not afraid of imposing large fines, and record-breaking fines have been imposed since the GDPR was implemented. The largest fine to date was €50 million (or £43.2 million), which the French regulator imposed on Google for various failures to comply with data protection law.
Reputational risk for failure to comply with the law should also be taken into account – data is very important to many businesses and if customers are concerned that you will not handle their data correctly then they may be unwilling to provide it to you. Cyber attacks can also expose inadequate policies and procedures.
What is the best way to review data protection compliance?
Audits are an effective way of identifying any errors or areas that require attention. Many businesses put in place policies and procedures (in many cases under significant time pressure) before the implementation of the GDPR but have not reviewed their compliance since then, which means that there may be gaps in compliance or issues you are not aware of. Such issues might only come to light if there is a data breach, subject access request or ICO investigation – by which point it may well be too late to fix the problem.
Is employee training important?
Training staff is an important step, not only because it helps to reduce the risk of a data breach. Employees are a key part of ensuring your business complies with data protection law, so they must be reminded of their obligations and responsibilities to the business. For example, the effectiveness of a good policy on subject access requests can be limited if employees do not know exactly what they need to do if they receive such a request.
We are an overseas company, do we need to comply with the UK GDPR?
The UK GDPR has an extra-territorial effect. Generally speaking, this means that it applies to businesses with an establishment in the UK (such as a UK branch), and those which (a) ‘target’ individuals in the UK by offering them goods or services; or (b) ‘monitor’ their behaviour, so far as their behaviour takes place in the UK. If you are unsure as to whether the UK GDPR applies to you, it is important to seek advice concerning your particular circumstances.
3CS offer an annual compliance service which includes: an audit to identify any gaps in your compliance before they become an issue, amending your documents where required, training for employees, and advice on urgent issues such as data breaches or investigations.
(Source: 3CS Corporate Solicitors)