The EU General Data Protection Regulation went live at the end of May 2018, followed closely by the new UK Data Protection Act 2018. Both have had significant implications for organisations handling personal data and for many, the last two years have been a time of making sense of the legislation, understanding what the legislation means for their business and trying to implement improvements where current practices have been found to be lacking.
Many of the organisations we’ve supported, have made huge steps forward in data protection compliance, including improved practices around:
- Ensuring their staff understand their obligations in relation to data protection and IT Security
- Implementing a Privacy by Design approach to effectively managing information risks
- Ensuring they have clear processes in place for dealing with data breaches
- Supporting individual’s rights via clear privacy notices which document how individuals can exercise these rights
- Improved technical security of systems processing personal data
However, there is still work to be done, and even where clear structures are in place for managing risks to personal data, it will be key that these are effectively rolled out and used across your organisation. The ICO’s One Year On update reported their focus for the next year, alongside generally promoting and regulating data protection across the UK will be around their key regulatory areas of:
- Cyber security
- AI, big data and machine learning
- Web and cross-device tracking for marketing purposes
- Children’s privacy
- Use of surveillance and facial recognition technology
As supervisory authorities across Europe start to use their strengthened powers to fine and prosecute organisations and individuals, it will be key for all organisations to remain focused on implementing improvements in all areas of Data Protection and IT Security through 2019-20 and beyond.
Evolve North is hosting a half day free of charge practical workshop with Muckle LLP on managing the Data Protection challenges in the post Brexit environment. The workshop will address Legal, Technical and Procedural issues. The event is going to be hosting at Newcastle University Business School, Barrack Road in Newcastle and includes lunch.
Below is some detailed information on the event with a booking link. It's set to be a popular event so we really hope you you can make it. Please contact us if you have questions or need assistance.
The Government has created draft legislation with respect to revising the current data protection laws under the proposed Withdrawal Agreement
The draft legislation, The data protection, privacy and electronic communications (amendments etc) (EU exit) regulations 2019, have been prepared to ensure that the UK data protection legal framework continues to function correctly after Brexit. The instrument amends the Privacy and Electronic Communications Regulations 2003 (PECR), UK GDPR and the DP Act 2018. The Brexit Withdrawal Agreement retains the GDPR as part of UK domestic law. This instrument establishes transitional provisions in the DP Act 2018 in relation to adequacy decisions, standard contractual clauses and binding corporate rules. The use of Standard Contractual Clauses that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK to third countries after exit day. For the purposes of the PECR, the GDPR definition of consent will apply. "The DP Act 2018 extended GDPR standards to general processing activities that were outside the scope of EU law via the ‘applied GDPR’. As the GDPR will no longer apply directly in the UK, this instrument introduces a single regime for general processing activities known as the UK GDPR. It is necessary to make changes throughout the DP Act 2018, and to other legislation, as a result of this," the government says. This instrument will remove references in the UK GDPR, for example, to EU Member States, Union law and the European Commission; replacing them, where appropriate, with references that will operate correctly in domestic law. The functions that are assigned to the European Commission in the GDPR will be transferred to the Secretary of State or the Information Commissioner.
Evolve North Guidance
- This appears to be primarily an amendment to remove references to the European Union within UK data protection law
- Ensure that you review any existing standard contractual clauses and binding corporate rules you currently have in place
- Review your Information Asset Register to ensure it is accurate and clearly identifies the physical location of your data
- "Applied GDPR" is extended to general processing activity outside of the scope of the EU
- The GDPR is extended as part of the Data Protection Act 2018 and remains part of UK domestic law and must be complied with
If you require any assistance, clarification or guidance, please do not hesitate to contact us.
The Information Commissioner's Office has issued the following guidance in the event of a “no deal Brexit”
“The basis on which the UK will leave the EU has still to be decided. The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow. But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected. Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because we have had a common set of rules - the GDPR. But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data. In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected”
Evolve North Guidance
- Establish the location and flow of all personal data within your business – do not assume your client or staff data is not held or processed in the EEA
- It is likely in the event of a “no deal Brexit” that personal data transfers from the EEA to the UK will be affected – ensure you pre-empt by establishing data sharing and processing agreements in advance
- EEA organisations will likely want you to provide evidence of your compliance with the GDPR and possibly other standards including ISO27001
- Have your supporting documentation in place and up to date
The following links provide further advice:
If you require any assistance, clarification or guidance, please do not hesitate to contact us. We are providing gap analysis and remediation services with respect to managing Data Protection if there is a “no deal Brexit”.