Since it came into force in 2018, data protection under the GDPR has evolved rapidly, and keeping up to date can be daunting for many businesses. Clients have also expressed increased concern about the effects of Brexit on their data protection compliance, and are anxious to know their obligations under the UK GDPR.
If we made sure that we were compliant with data protection law in 2018, do we need to do anything now?
Yes, it is very important to ensure that you review data protection compliance regularly. Not only does processing change over time, but case law and guidance from the ICO (the UK regulator) since the GDPR came into force should also be taken into account. Brexit may also mean that you need to look at your policies and procedures and make any necessary changes.
The ICO recommends that businesses carry out regular reviews of processing and, where appropriate, update privacy information and other documentation.
Recently, the EU Commission has finally issued new Standard Contractual Clauses (‘SCCs’) which will replace the current SCCs. Under the GDPR, where personal data is transferred to countries outside the EEA that are not deemed to provide an adequate level of protection for personal data, an appropriate safeguard must be put in place. In many cases, SCCs will be the only practical solution.
The old SCCs have been heavily criticised over recent years as not being fit for purpose. For example, they did not adequately cover transfers by processors to third countries: they were structured only for an EEA controller to transfer data to a non-EEA processor or controller, not for an EEA-based processor to transfer data.
The new SCCs are more flexible and the following transfers are covered:
For businesses currently relying on SCCs for data transfers from the EU, there will be an 18-month transition period for existing SCCs to be updated and a three-month period for businesses to enter into new contracts using the old SCCs, in both cases running from the date on which the Implementing Decision is published in the Official Journal of the European Union (OJEU).
The position concerning transfers from the UK is that the Information Commissioner’s Office (ICO) currently only recognises the old SCCs as a valid transfer mechanism. It is expected that new bespoke UK SCCs will be implemented but the ICO is also considering whether the new EU SCCs will be recognised.
For the time being, it is sensible to carry out a review of your data transfers to identify where data is transferred under the old SCCs and if data is transferred from the EU or the UK to third countries. Where data is transferred from the EU and the arrangement will continue for more than 18 months, new SCCs will need to be put in place. New contracts that will not be signed within the next three months will need to be signed using the new SCCs. Contracts that will be signed within the next three months, but will not last for more than 18 months, can be signed using the old SCCs. If you are transferring data only from the UK, you do not need to do anything just yet until there is further news from the ICO.
What are the risks if we fail to comply with the UK GDPR?
Potential fines can be significant: up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher. Supervisory authorities have shown recently that they are not afraid of imposing large fines, and record-breaking fines have been imposed since the GDPR was implemented. The largest fine to date was €50 million (or £43.2 million), which the French regulator imposed on Google for various failures to comply with data protection law.
Reputational risk from failure to comply with the law should also be taken into account. Data is very important to many businesses, and if customers are concerned that you will not handle their data correctly, they may be unwilling to provide it to you. Cyber attacks can also expose inadequate policies and procedures.
What is the best way to review data protection compliance?
Audits are an effective way of identifying errors or areas that require attention. Many businesses put policies and procedures in place (in many cases under significant time pressure) before the implementation of the GDPR but have not reviewed their compliance since then, which means there may be gaps in compliance or issues you are not aware of. Such issues might only come to light if there is a data breach, subject access request or ICO investigation, by which point it may well be too late to fix the problem.
Is employee training important?
Training staff is an important step, and not only because it helps to reduce the risk of a data breach. Employees are a key part of ensuring your business complies with data protection law, so they must be reminded of their obligations and responsibilities to the business. For example, the effectiveness of a good policy on subject access requests is limited if employees do not know exactly what to do when they receive such a request.
We are an overseas company, do we need to comply with the UK GDPR?
The UK GDPR has an extra-territorial effect. Generally speaking, this means that it applies to businesses with an establishment in the UK (such as a UK branch), and those which (a) ‘target’ individuals in the UK by offering them goods or services; or (b) ‘monitor’ their behaviour, so far as their behaviour takes place in the UK. If you are unsure as to whether the UK GDPR applies to you, it is important to seek advice concerning your particular circumstances.
3CS offer an annual compliance service which includes: an audit to identify any gaps in your compliance before they become an issue, amending your documents where required, training for employees, and advice on urgent issues such as data breaches or investigations.
(Source: 3CS Corporate Solicitors)