So we have a Brexit Trade Deal. What now for GDPR and international transfers?

blur cartography close up concept
Photo by slon_dot_pics on Pexels.com

So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

Internation Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes. 

The Brexit Trade Deal: Implications for Data Protection and International Transfers

cytonn-photography-n95VMLxqM2I-unsplash

December 2020 Update: This post was originally titled “Brexit, Trade Deals and GDPR: What happens next?’ and published in September 2020. It was updated on 26th December 2020.


So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

Internation Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes. 

Boris, Brexit and GDPR: What next?

 

Big BenBig Ben and Westminster abbey in London, England

Boris Johnson’s election victory means that we are almost certainly heading for Brexit on 31st January 2020 with his version of a deal. Having won a large Conservative majority in the House of Commons, it should be relatively easy for him to pass the Withdrawal Agreement Bill which is likely to be re-introduced to Parliament this week.

What are the implications for the UK’s data protection regime in the form of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018). Can we bin them on the 31st January with our red EU passports? The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty one pages of regulations (dealing with minor issues) came into force on 29th March 2019, with the rest coming into force on exit day (now 31st January 2020 unless something, akin to Elvis returning from the moon, happens in the next few weeks!).

With Boris’s deal likely to be approved by Parliament, the implications of the above regulations will not be felt until the end of the transition period (currently 31stDecember 2020). Until then GDPR will apply “as is”. Unless the transition period is extended (it was a Conservative manifesto pledge not to do so) a revision of GDPR, to be known as the “UK GDPR”, will come into force on 1stJanuary 2021. A brief summary of the key changes follows.

The EU version of GDPR, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner.

The regulations also deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR so that the UK will

  • Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision
  • Give powers to the Secretary of State to determine or revoke adequacy
  • Recognise current EU Standard Contractual Clauses as valid for international transfers but the ICO will have the power to issue more clauses
  • Recognise all Binding Corporate Rules authorised before Exit Day
  • Introduce an extraterritoriality into the UK data protection regime

Of course from Exit Day, the UK will become a third country for the purposes of international data transfers under GDPR. This means that after the end of the transitional period, the lawful transfer of personal data from the EU into the UK without additional safeguards being required will only be possible if the UK achieves adequacy status and join a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly, but this is by no means a certainty. It is very unlikely to be achieved by 1st January 2021 which means that Data Controllers and Processors have to start putting in additional safeguards now to maintain the free flow of data.

The new regulations also amend the DPA 2018 which must be alongside GDPR.
Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will become part of the UK GDPR.

More on Brexit and the new regulations here. All Data Controllers and Processors need to prepare now for the UK GDPR.

Ibrahim Hasan is presenting a webinar in January on this topic. These and other GDPR developments will be discussed in detail in our GDPR update workshop.

GDPR and Brexit: What next?

canstockphoto15551787-1

We are heading for a No Deal Brexit it seems (at least today!). What are the implications for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018)?  Can we bin them on the 31st October with our red EU passports? The answer is no. GDPR and the DPA are here to stay albeit there will be immediate amendments coming into force if Boris does not “pull a rabbit out of the hat.”

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty one pages of regulations (dealing with minor issues) came into force on 29thMarch 2019, with the rest coming into force on exit day (currently 31stOctober unless something happens in the next few weeks like a General Election!).

The new regulations will only apply if we crash out of the EU without a deal. If Boris gets a deal then GDPR will apply “as is” until the end of the transitional period (currently December 2020). But no deal will mean no transitional period and changes to GDPR as we know it.

The current (EU) version of GDPR, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The new regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

In a no deal scenario, the UK will immediately become a third country under GDPR and so EU Data Controllers will not be able to transfer data to the UK unless additional safeguards are in place. The regulations deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR. However for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version and hopefully achieve an adequacy decision quickly. However the UK government has acknowledged that there would be no prospect of a positive adequacy decision in the foreseeable future.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context.Amongst other things, the new regulations merge this part into the UK GDPR.

All Data Controllers and Processors need to assess their EU/UK data flows and think what measures they can put into place to ensure continuity post No Deal Brexit.

The uncertainty around Brexit means that it is an interesting time for Data Protection Officers and advisers. Watch this space!

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

The Data Protection Act 2018 – Pre and Post Brexit

adobestock_85090086.jpeg

The Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by FOI). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.

DPA Image for Blog

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

Making GDPR British: New Regulations set out the UK’s post Brexit DP landscape

On 19thDecember 2018, just when you thought that you have finally made sense of the UK’s data protection regime, the government published new regulations with the catchy title, “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.” There are sixty one pages of regulations to navigate, before 29thMarch 2019, with only one page of explanatory notes. And you though Theresa May had problems!

robert-tudor-704838-unsplash

On 19th December 2018, just when you thought that you have finally made sense of the UK’s data protection regime, the government published new regulations with the catchy title, “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.” There are sixty one pages of regulations to navigate, before 29th March 2019, with only one page of explanatory notes. And you thought Theresa May had problems!

Before you start reaching for the highlighters, marker pens and sticky notes (and maybe even smelling salts) it is important to bear in mind that the primary aim of the new regulations is “to make GDPR British” (my phrase). Yes dear readers, we will soon have our own (red, white and blue) version of GDPR. All the pain and cost of Brexit will have been worth it!

To understand the new regulations, we have to go “back to basics” (not my phrase). The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Despite the UK leaving the EU on 29th March (or later – you never know! – or never, in which case ignore everything and wait for more blog posts!!!!), all EU laws, including GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018.

The EU version of GDPR, which the UK is bound by until exit day, contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amend GDPR to remove these references and replace them with British equivalents where applicable. From exit day this new amended version of GDPR will be imaginatively titled, the “UK GDPR”.

The new regulations also amend the Data Protection Act 2018 (DPA 2018) which must be read alongside GDPR. (Read our summary and blog post busting some of the myths).

Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”). For example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). The DPA 2018 applies GDPR standards to such data whilst adjusting those that would not work in the national context. Amongst other things, the new regulations merge this part into the UK GDPR.

Other provisions to note include:

  • Regulation 5 makes provision concerning interpretation in relation to processing that prior to exit day was subject to the applied GDPR.
  • Regulation 6 introduces Schedule 3, which makes consequential amendments to other legislation.
  • Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) in light of provision made by the GDPR relating to the meaning of “consent”.

Part 3 of the DPA 2018 regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. This part will continue to apply, even after exit day, to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc. Some minor amendments will be made to reflect the UK GDPR. Similarly Part 4 of the Act (processing of personal data by the Intelligence Services) and Parts 5 and 6 (Information Commissioner Powers and Enforcement) will remain in force.

The new regulations also deal with post Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. However for the lawful transfer of personal data from the EU into the UK without additional safeguards being required, the UK will need to apply to the EU for adequacy status and join a list of 12 countries. These regulations attempt to make the UK version of GDPR as robust as the EU version. We will have to wait and see if the EU agrees.

The new regulations are currently in draft (you can follow their progress here). If approved they come into force on exit day, which is currently scheduled to be 29th March 2019, although it could be later. With all the uncertainties over the Brexit deal, I would not get the markers out just yet nor tear up your Act Now GDPR handbook!

STOP PRESS – The Regulations were made on 28th February 2018 and will come into force as set out in Regulation 1.

If you want to know more about the new regulations, Ibrahim Hasan is presenting a webinar soon.

Make 2019 the year you achieve a GDPR qualification. Our next few GDPR Practitioner Certificate courses are almost fully booked!

GDPR is here to stay but what happens next?

It’s official. The General Data Protection Regulation (GDPR) is here to stay; well beyond April 2019 when the UK is likely to finally leave the European Union.

On 24th October 2016, the Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Writing on her blog the Information Commissioner (Elizabeth Denham) welcomed this announcement. However it is technically incorrect for her to say:

“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”keep-calm-and-prepare-for-the-gdpr

As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.

This announcement does though put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU. Although last month’s announcement of the Great Repeal Bill meant that yesterday’s announcement was not a big surprise.

GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:

  1. Raising awareness of GDPR at all levels within the organisation (See our GDPR poster).
  2. Reviewing compliance with the existing law as well as the six new DP Principles.
  3. Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
  4. Considering who is going to fulfill the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.
  5. Reviewing information security polices and procedures in the light of the GDPR’s security obligations particularly breach notification.

Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.

The ICO will be publishing a revised timeline setting out what areas of guidance it will be prioritising over the next six months. Elisabeth Denham ends her blog with these wise words:

“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”

Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.

We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised workshops as well as to carry out GDPR health checks and audits. 

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

Data Protection Reform after Brexit. Does GDPR still matter?

gdprAccording to the new Prime Minister “Brexit means Brexit.” But what does Brexit mean for UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The short answer is keep calm and carry on.

GDPR received formal adoption by the European Parliament in April 2016 and was published on 4th May in the Official Journal. This means that it will be directly applicable throughout EU member states (without the need for implementing legislation) from 25th May 2018. Following the referendum result, you might be forgiven for thinking that you can shred your copy of the Regulation or indeed cancel your place on our very popular GDPR workshop.

The UK may have voted to leave the EU but formal divorce proceedings cannot begin until it notifies the EU of its intention to invoke Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. The newly appointed Secretary of State for Exiting the European Union, David Davis, has said Article 50 should be “triggered before or by the beginning of next year.” Therefore the UK could leave the EU by December 2018 at the earliest. Consequently there would be at least six months where UK Data Controllers would have to abide by all the provisions of GDPR. In reality exiting the EU could take much longer than two years and so we could be stuck with GDPR for much longer.

In the unlikely event that Brexit negotiations are concluded before May 2018, the DPA is still living on borrowed time. Immediately after the Brexit vote the Information Commissioner’s Office (ICO), released a statement saying:

“If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’—in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

In a speech on 4th July 2016 the then Minister for Data Protection, Baroness Neville-Rolfe, touched on the future of data protection: (HT Panopticon Blog)

One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward….”

The law firm, Bird and Bird, have set out the options available to the UK in terms of exiting the EU and its implications for data protection. Each of these options makes it likely that either the GDPR or a very close cousin will be required in the UK after Brexit takes effect.

Regardless of what data protection path the UK chooses, UK companies with European customers and operations have to continue with preparations. This is because GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

Recently on the ICO’s Blog,  the message was reiterated that GDPR is still relevant and preparation must continue:

“We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. We still think it will be useful to publish this overview. This is because once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability. Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.”

 Data Controllers have two years to prepare for the biggest change to the EU data protection regime in 20 years.  Many provisions such as breach notification and the new DP Principles will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky.

How Act Now can help

The next two years need to be spent wisely. Training and awareness (see our poster) at all levels needs to start now. We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our GDPR Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.

And if you like our image, it, as well as some others are available as A3 Posters for the office for only £5 for three!  Take a look at the link below.

http://www.actnow.org.uk/posters

The GDPR Practitioner Certificate (GDPR.Cert) is aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.

DP and #GDPR after #Brexit

brexit-1477615_1920

For the last six months, Data Protection experts, novices and agnostics have talked of little else but the General Data Protection Regulation, the new version of Data Protection law that will hold sway consistently across the 28 members of the European Union from the 25th May 2018.

Well, about that. 28 now becomes 27, as the United Kingdom has decided on a slim margin to vote ourselves out of the European Union, and sail off into the Atlantic. So what does this mean for the GDPR? Do we wave goodbye to the mandatory Data Protection Officer, the Right to Be Forgotten and the joys of impact assessments?

The short answer is no. The Information Commissioner has already announced that the only way forward for the UK’s creaking Data Protection legislation and its relationship with Europe is UK legislation as close to the GDPR as we can get. Every serious commentator in the Data Protection world (and all the others) are saying the same thing. The consensus is impressive but unsurprising – the redoubtable Max Schrems has proved how much creative mischief can be wrought if a country does not have a sound data protection relationship with the EU. Some of the comments coming out of the EU today make it clear how difficult it will be to achieve that relationship, so the one thing we cannot be certain of is when things will become certain.

Sooner or later, the GDPR or a close relation of it will replace the DPA in the UK. However, it is impossible to say when. Every business that offers services to EU citizens will be caught in limbo from the moment the Regulation goes live in the EU, struggling to balance the DPA in the UK and the GDPR abroad, or just succumbing to the GDPR on the basis that operating the higher GDPR standards will not cause them problems here.

In the meantime, what should organisations do? Our advice – keep your eyes peeled for the timetable for GDPR’s inception here, but look to your DP compliance now.

Consent

Whether you’re UK based or operating across the EU, the version of consent popular in the UK (implied, opt-out, buried in terms and conditions) isn’t consent. The ICO has taken enforcement action under both the DPA and the Privacy Regulations to this effect. Look everywhere that you rely on consent – you need freely given, specific and informed consent.

Fair processing

Linked to this is the issue of privacy policies and fair processing. It’s clear that the ICO does not think that long, legalistic fair processing notices are acceptable, so concentrate on communicating clearly with your customers, clients and service users.

Impact assessments

The difference between the ICO’s code on Privacy Impact Assessments and the Regulation’s requirements on impact assessments are very thin. Although the Regulation’s bold demands for Data Protection by Design (bold but not especially well explained) will only bite when we implement it, the ICO has been advocating for pro-active impact assessments in advance of new projects for a long time. We strongly advise you to look the ICO code now – it’s current good practice (and sometimes the ICO will enforce if you don’t). Moreover, it’s a dry run for the impact assessments and design principles that the GDPR will ultimately require.

Data Processors

Find every contractor and agent that your organisation does business with. Make sure there is a binding legal agreement between you and them. Like other steps we are mentioning here, this is self-preservation for the present as much for the future. If cloud computing is “your data on someone else’s computer”, then processors are “your data in the hands of someone who isn’t covered by the Data Protection Act”. Find them. Get contracts in place. Make sure they’re being followed.

Deletion

The GDPR Right to be Be Forgotten is a different beast to anything that the European courts have created under the current regime, and it is underpinned by a need to delete data from systems that process personal data. It’s well worth looking at how you might delete data and finding out where deletion / overwriting of data is difficult. When the GDPR lands, deletion will be a massive headache, but if you can’t delete now, you can’t comply with the existing Data Protection principle on retention.

Security

Every organisation needs a viable, appropriate, effective and validated security framework. Data Protection compliance under the DPA and the GDPR isn’t about incidents, it’s about effective and verified methods to prevent them, whether technical or organisational. Security isn’t everything that Data Protection is about, but there is no question that the highest penalties will still apply to poor security frameworks. The extra detail in the GDPR about security – especially what good security requires – is essential guidance and well worth implementing.

And that’s definitely not now!

BUT WHAT ABOUT….

Act Now is not predicting when the GDPR will come to the UK. Anyone who predicts confidently when it will arrive is fooling you, or themselves. The GDPR also contains a mandatory Data Protection Officer, mandatory breach notification and a whole lot else besides. It might be that the UK Government acts quickly to bring in legislation to introduce the whole package. However, while we might be confident that the GDPR is on its way, we’re not certain about when. Our advice is to work on the foundations now, and get ready to put the new GDPR structures on top when the timetable is a little clearer.

And that’s definitely not now!

Act Now continues to receive bookings for its GDPR workshops for which new dates and venues have been added. Our Data Protection Practitioner Certificate is ideal for those who want a formal qualification in this area. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

To Brexit or not to Brexit…

canstockphoto35750834

 

 

 

 

 

 

 

 

 

That is the question on everyone’s lips right now. With the EU referendum looming, the next big question is, How will the GDPR affect us should we decide to leave the EU? The majority opinion is that we will be definitely affected in some way or other by the regulation and most likely will have to adopt all of it, maybe in a slower timeframe… But there’s no escaping it!

There’s three likely outcomes should we leave the EU…

  1. We remain in the European free trade association or Economic area (EEA) of the EU similar to Norway in which case we would then be subjected to GDPR, in order to trade with the EU
  1. We leave all trade agreements and become similar to the USA – a ‘safe third country’, in which case we would have to have a suitable level of DP Regulation which for all intents and purposes will be the GDPR
  1. We completely go solo like Geri Halliwell, Robbie Williams, Zayn Malik…okay i’ll stop. Even in this scenario, we would have to make our own singles, do our own world tours… sorry, i mean have our own equivalent GDPR, or update our existing one and where better to find one? (I can sense a Blue Peter moment coming on…)

So in short… and forgive me for my Hunger Games level of enthusiasm of being selected in the games, but GDPR is coming one way or the another…The Real Question is… Are You Ready?

Let the Games Begin!

 

Act Now can Help you prepare for the regulation. We have full day courses on the regulation as well as courses available online. Please visit our website here to find out more.

 

 

%d bloggers like this: