Interesting Articles

The Information Commissioner's Office has issued the following guidance in the event of a “no deal Brexit”

“The basis on which the UK will leave the EU has still to be decided. The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow. But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected. Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because we have had a common set of rules - the GDPR. But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data. In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.”

Evolve North Guidance

  • Establish the location and flow of all personal data within your business – do not assume your client or staff data is not held or processed in the EEA
  • It is likely in the event of a “no deal Brexit” that personal data transfers from the EEA to the UK will be affected – ensure you pre-empt by establishing data sharing and processing agreements in advance
  • EEA organisations will likely want you to provide evidence of your compliance with the GDPR and possibly other standards including ISO27001
  • Have your supporting documentation in place and up to date

The following links provide further advice:

If you require any assistance, clarification or guidance, please do not hesitate to contact us. We are providing gap analysis and remediation services with respect to managing Data Protection if there is a “no deal Brexit”.

Data Protection Officer

This article addresses some of the most common questions we receive about the role of the Data Protection Officer (DPO):

  • Do we need a DPO?
  • What type of person does the DPO need to be?
  • What are the tasks of the DPO?
  • What different models are there for delivering a DPO function?
  • How can Evolve North help?

GDPR and Marketing

The introduction of the EU General Data Protection Regulation and the associated UK Data Protection Act 2018 has led to concerns and confusion within businesses around what they can and can’t do with personal information.

One area of concern is whether and how existing contacts can be used for marketing purposes and, if so, what businesses need to do to make sure this is lawful and in line with the new regulations. Businesses are worried they may need to delete customer databases, and about the potential monetary impact this may have on their business.

So, what is the truth behind GDPR and marketing and could it in fact be a force for good? This article provides some guidance on what this may mean for your business and quashes some of the myths currently in circulation.

Dealing with Subject Access Requests

Under Article 15 of the EU General Data Protection Regulation, individuals have a right of access which allows them to request the personal information an organisation might hold about them. In addition, under Article 20 they also have a right of data portability, which means that they can request electronic information in a format that allows them to easily transfer this information to another organisation e.g. in a structured, commonly used and machine-readable format. These rights are part of a broader range of rights that individuals are provided under the EU GDPR and the UK Data Protection Act 2018.

Although this right of access was available under the old Data Protection Act (commonly known as subject access requests), there have been changes to this right, which means that in the majority of cases you can no longer charge for these requests (unless to provide further copies, or where the request is manifestly unfounded or excessive); in most cases you will need to respond within one month (rather than the original 40 days), and these requests no longer have to be in writing. In addition, there have been some changes to the exemptions that apply around the release of certain types of information (although many are still the same).

For businesses and organisations, this change will require implementing new, or updating existing, standard procedures for how these requests will be dealt with. It will be key to ensure that everyone within your organisation can recognise a data access request when it arrives and respond to it, so that requests are handled effectively and within the required timescale.