Accountability is a key principle of Data Protection and organisations are expected to demonstrate that they are being accountable in relation to their Data Protection practices.
What this means in practice for organisations can be less clear, but the ICO has recently released an Accountability Framework to help organisations understand whether they are meeting the accountability principle and where there may be gaps in their current practices. It covers areas such as leadership and oversight; training and awareness raising; policies and procedures; individuals' rights; transparency; records of processing and lawful basis; contracts and data sharing; risks and data protection impact assessments; records management; and security and breach management. The tool can effectively support organisations in understanding where further work may be needed to ensure ongoing compliance with data protection law and the accountability principle. More information can be found on the ICO website.
Last month, the Court of Justice of the European Union ruled that the EU-US Privacy Shield is no longer valid due to US authorities potentially processing data transfers for the purposes of public security, defence and State security (including US surveillance programmes). This means that the levels of protection assured within the GDPR and EU Charter of Fundamental Rights cannot be guaranteed in relation to these transfers. The invalidation of the EU-US Privacy Shield means that companies relying on this as a lawful mechanism for data transfers can no longer do so, with immediate effect.
Although the ruling states that standard contractual clauses (SCCs) and binding corporate rules (BCRs) can still be used, supplementary measures may be required to transfer data to third countries where SCCs or BCRs will not provide a sufficient level of guarantees on their own (although no further guidance is available as yet on what these measures may be). Organisations are now expected to check with their third-party providers whether they are affected by relevant surveillance laws and to determine what the lawful basis is to share data with them or their sub-processors. This could include US organisations even if your data is hosted in Europe, e.g. cloud providers.
Further details on this ruling and the impact on organisations can be found in the European Data Protection Board’s FAQs.
If you require any help in this area, Evolve North can offer a review, risk assessment and remediation service to help you review your third parties, identify those that may be impacted by this ruling and identify ways of implementing additional safeguards or changing your current sharing practices to ensure these continue to be in line with European law. This will also support future planning around Brexit and how this may impact on data transfers moving forward.
In the next few weeks, due to the Coronavirus pandemic, businesses in the UK may have more employees working from home. Some employees may be working on work-issued laptops and devices, but others may have to work on their personal devices. Employers have a responsibility to undertake security measures to ensure staff are working securely both when in the office and when they are working from home.
Organisations have different IT systems but here are just some of the factors which many employers will need to consider and address as part of their working from home policy:
The code sets out the standards expected of those responsible for designing, developing or providing online services such as apps, connected toys, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data. The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app or game or visit a website.
The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the Data Protection Act 2018. The ICO submitted the code to the Secretary of State in November and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn 2021, so it will be key that relevant organisations start reviewing their practices as soon as possible to ensure they are acting in line with this Code.