Evolve North are closely monitoring the official guidance from Public Health England. We have been vigilant in ensuring the health and well-being of our staff by enabling all our staff to work from home for as long as necessary.
We are fortunate to be able to continue working with no interruptions and can offer all of our services, in full, remotely.
Nearly a year on from its inaugural event, the Northern Information Governance Forum continues to support information governance and IT Security professionals in the North and Scotland, encouraging shared learning and providing networking opportunities.
Although the NIGF cannot currently meet in person, they have instead launched two-weekly webinars aimed at promoting discussion around different aspects of privacy and information security. This month, the NIGF Committee will be leading a discussion on third party governance on the 1st; Mark Dennis from Evolve North will be speaking about the impact of user error on the 15th; and there is a great opportunity to hear Peter Loomes from IASME talk about the IASME Governance standard and Cyber Essentials on the 29th.
Accountability is a key principle of Data Protection and organisations are expected to demonstrate that they are being accountable in relation to their Data Protection practices.
What this means in practice for organisations can be less clear, but the ICO has recently released an Accountability Framework to help organisations understand whether they are meeting the accountability principle and where there may be gaps in their current practices. This considers such areas as leadership and oversight, training and awareness raising, policies and procedures, individuals' rights, transparency, records of processing and lawful basis, contracts and data sharing, risks and data protection impact assessments, records management, and security and breach management. The tool can effectively support organisations in understanding where further work may be needed to ensure ongoing compliance with data protection law and the accountability principle. More information can be found on the ICO website.
Last month, the Court of Justice of the European Union ruled that the EU-US Privacy Shield is no longer valid due to US authorities potentially processing data transfers for the purposes of public security, defence and State security (including US surveillance programmes). This means that the levels of protection assured within the GDPR and EU Charter of Fundamental Rights cannot be guaranteed in relation to these transfers. The invalidation of the EU-US Privacy Shield means that companies relying on this as a lawful mechanism for data transfers can no longer do so, with immediate effect.
Although the ruling states that standard contractual clauses and binding corporate rules can still be used, additional supplementary measures may be required to transfer data to third countries where SCCs or BCRs will not provide a sufficient level of guarantees on their own (although no further guidance is available as yet on what these may be). Organisations are now expected to check with their third-party providers whether they are affected by relevant surveillance laws and to determine what the lawful basis is to share data with them or their sub-processors. This could include US organisations, e.g. cloud providers, even if your data is hosted in Europe.
Further details on this ruling and the impact on organisations can be found in the European Data Protection Board’s FAQs.
If you require any help in this area, Evolve North can offer a review, risk assessment and remediation service to help you review your third parties, identify those that may be impacted by this ruling, and identify ways of implementing additional safeguards or changing your current sharing practices to ensure these continue to be in line with European law. This will also support future planning around Brexit and how this may impact data transfers moving forward.