First GDPR Fine Issued to a Charity

christopher-bill-rrTRZdCu7No-unsplash

On 8th July 2021, the Information Commissioner’s Office (ICO) fined the transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.
In particular this led to a breach of the Articles 5(l)(f) and 32(1) and (2) of the GDPR. 

The ICO found that Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and/or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results.  

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. 

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal data, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as Special Category Data as mental and physical health and sexual orientation were exposed. 

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.  

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights. 

Steve Eckersley, Director of Investigations said: 

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse. 

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.” 

Up to April 2021, European Data Protection regulators had issued approximately €292 million worth of fines under GDPR. The greatest number of fines have been issued by Spain (212), Italy (67) and Romania (52) (source).  

Up to last week, the ICO had only issued four GDPR fines. Whilst fines are not the only GDPR enforcement tool, the ICO has faced criticism for lack of GDPR enforcement compared to PECR

The first ICO GDPR fine was issued back in December 2019 to a London-based pharmacy. Doorstep Dispensaree Ltd, was issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data. In November 2020, Ticketmaster had to pay a fine of £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information. Others ICO fines include British Airways and Marriott which concerned cyber security breaches.  

It remains to be seen if the Mermaids fine is the start of more robust GDPR enforcement action by the ICO. It will certainly be a warning to all Data Controllers, particularly charities, to ensure that they have up to data protection data policies and procedures.  

Act Now Training’s GDPR Essentials e learning course is ideal for frontline staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here. 

We only have two places left on our Advanced Certificate in GDPR Practice course starting in September.  

Posted in Fines, GDPR, Security, Uncategorized | Tagged , , , | Leave a comment

Advanced Certificate in GDPR Practice: A great set of first results

vasily-koloda-8CqDvPuo_kI-unsplash

After 18 months of development, working with industry experts, Act Now Training is pleased to announce the completion of its first ever Advanced Certificate in GDPR Practice course. Congratulations to all the delegates who successfully completed the course. It has been a fantastic four month journey, from the first masterclass through to results day.

The Advanced Certificate in GDPR Practice course is the the first of its kind and is proving very popular amongst practitioners. It builds on the knowledge and skills of data protection practitioners by focussing on analysing and evaluating complex  data protection issues. These skills are designed to help them interpret the legislation with greater understanding, equipping them with a skillset to tackle tricky data protection issues. 

The first group consisted of a great set of delegates, from both the public and private sector, who were fully engaged and pushed themselves. The feedback shows that they really enjoyed the innovative format and the skills being taught:

“There is no doubt that this course has pushed me and got me out of my comfort zone, but in a very positive way, I genuinely feel I have improved both my skillset and understanding of data protection on this course.” Michael Pennington, Head of Operations & Security at Health Intelligence

“ I would wholeheartedly recommend the Advanced Certificate in GDPR Practice as it is a very different course. I definitely feel more informed and confident in my role with knowledge and techniques I have learned. But perhaps more importantly I have explored new avenues of learning with the enforcement notices and watching the training videos, whilst engaging with some industry leaders in data protection and some of my peers.” Zara Harrington, Data Protection Manager and DPO, Leaders Romans Group

“The course has reignited my passion for data-protection.” Neil Murphy, Governance and Data Protection Manager, North Star Community Trust

“The format of the learning also gave me a safe space to practice new skills, to analyse the legislation and to have robust conversations with my fellow students.” Gill Rust, People’s Postcode Lottery

“Despite the hard work, the training has been enjoyable – helped hugely by the great group of DPOs who were open to listening and challenging opinions and of course, Ibrahim and Susan who were supportive throughout.”

The syllabus has been designed in consultation with experienced data protection practitioners from both the public and private sectors. The Advanced Certificate in GDPR Practice is one of the reasons why we have been nominated for this year’s IRMS awards; Supplier of the Year and Innovation of the Year.

Ibrahim Hasan, solicitor and course director said:

“We are delighted to see the first group complete the course and with such fantastic results!  They were a pleasure to teach and their enthusiasm was encouraging. I am glad that their hard work has paid off. Their feedback has really helped us to further improve the course for the next cohorts. ”

The first five courses have been fully booked. We have added more course dates in Autumn. More information here.

Posted in Advanced Certificate in GDPR Practice, GDPR, Results, Uncategorized | Tagged , , | Leave a comment

GDPR 3 YEAR ANNIVERSARY

We are marking today’s 3rd anniversary of GDPR with a bumper giveaway. Details below.

screenshot-2021-05-25-at-10.13.44

Twitter Link – https://twitter.com/ActNowTraining/status/1397122791116361728?s=20

Linkedin Link –
https://www.linkedin.com/posts/act-now-training-ltd_gdpr-anniversary-activity-6802888481480810496-7s3H

#GDPR #Anniversary

Posted in Uncategorized | Tagged , | Leave a comment

GDPR News Roundup

So much has happened in the world of data protection recently. Where to start?

International Transfers

In April, the European Data Protection Board’s (EDPB) opinions (GDPR and Law Enforcement Directive (LED)) on UK adequacy were adopted. The EDPB has looked at the draft EU adequacy decisions. It acknowledge that there is alignment between the EU and UK laws but also expressed some concerns. It has though issued a non-binding opinion recommending their acceptance. If accepted the two adequacy decisions will run for an initial period of four years. More here.

Last month saw the ICO’s annual data protection conference go online due to the pandemic. Whilst not the same as a face to face conference, it was still a good event with lots of nuggets for data protection professionals including the news that the ICO is working on bespoke UK standard contractual clauses (SCCs) for international data transfers. Deputy Commissioner Steve Wood said: 

“I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in the UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer. We’re also considering the value to the UK for us to recognise transfer tools from other countries, so standard data transfer agreements, so that would include the EU’s standard contractual clauses as well.”

Lloyd v Google 

The much-anticipated Supreme Court hearing in the case of Lloyd v Google LLC took place at the end of April. The case concerns the legality of Google’s collection and use of browser generated data from more than 4 million+ iPhone users during 2011-12 without their consent.  Following the two-day hearing, the Supreme Court will now decide, amongst other things, whether, under the DPA 1998, damages are recoverable for ‘loss of control’ of data without needing to identify any specific financial loss and whether a claimant can bring a representative action on behalf of a group on the basis that the group have the ‘same interest’ in the claim and are identifiable. The decision is likely to have wide ranging implications for representative actions, what damages can be awarded for and the level of damages in data protection cases. Watch this space!

Ticketmaster Appeal

In November 2020, the ICO fined Ticketmaster £1.25m for a breach of Articles 5(1)(f) and 32 GPDR (security). Ticketmaster appealed the penalty notice on the basis that there had been no breach of the GDPR; alternatively that it was inappropriate to impose a penalty, and that in any event the sum was excessive. The appeal has now been stayed by the First-Tier Tribunal until 28 days after the pending judgment in a damages claim brought against Ticketmaster by 795 customers: Collins & Others v Ticketmaster UK Ltd (BL-2019-LIV-000007). 

Age Appropriate Design Code

This code came into force on 2 September 2020, with a 12 month transition period. The Code sets out 15 standards organisations must meet to ensure that children’s data is protected online. It applies to all the major online services used by children in the UK and includes measures such as providing default settings which ensure that children have the best possible access to online services whilst minimising data collection and use.

With less than four months to go (2 September 2021) the ICO is urging organisations and businesses to make the necessary changes to their online services and products. We are planning a webinar on the code. Get in touch if interested.

AI and Automated Decision Making

Article 22 of GDPR provides protection for individuals against purely automated decisions with a legal or significant impact. In February, the Court of Amsterdam ordered Uber, the ride-hailing app, to reinstate six drivers who it was claimed were unfairly dismissed “by algorithmic means.” The court also ordered Uber to pay the compensation to the sacked drivers.

In April EU Commission published a proposal for a harmonised framework on AI. The framework seeks to impose obligations on both providers and users of AI. Like the GDPR the proposal includes fine levels and an extra-territorial effect. (Readers may be interested in our new webinar on AI and Machine Learning.)

Publicly Available Information

Just because information is publicly available it does not provide a free pass for companies to use it without consequences. Data protection laws have to be complied with. In November 2020, the ICO ordered the credit reference agency Experian Limited to make fundamental changes to how it handles personal data within its direct marketing services. The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data. Experian has lodged an appeal against the Enforcement Notice.

Interesting that recently the Spanish regulator has fined another credit reference agency, Equifax, €1m for several failures under the GDPR. Individuals complained about Equifax’s use of their personal data which was publicly available. Equifax had also failed to provide the individuals with a privacy notice. 

Data Protection by Design

The Irish data protection regulator issued its largest domestic fine recently. Irish Credit Bureau (ICB) was fined €90,000 following a change in the ICB’s computer code in 2018 resulted in 15,000 accounts having incorrect details recorded about their loans before the mistake was noticed. Amongst other things, the decision found that the ICB infringed Article 25(1) of the GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (aka DP by design and by default). 

Data Sharing 

The ICO’s Data Sharing Code of Practice provides organisations with a practical guide on how to share personal data in line with data protection law. Building on the code, the ICO recently outlined its plans to update its guidance on anonymisation and pseudonymisation, and to explore the role that privacy enhancing technologies might play in enabling safe and lawful data sharing.

UK GDPR Handbook

The UK GDPR Handbook is proving very popular among data protection professionals.

It sets out the full text of the UK GDPR laid out in a clear and easy to read format. It cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. The handbook uses a unique colour coding system that allows users to easily identify amendments, insertions and deletions from the EU GDPR. Relevant provisions of the amended DPA 2018 have been included where they supplement the UK GDPR. To assist users in interpreting the legislation, guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted. Read what others have said:

“A very useful, timely, and professional handbook. Highly recommended.”

“What I’m liking so far is that this is “just” the text (beautifully collated together and cross-referenced Articles / Recital etc.), rather than a pundits interpretation of it (useful as those interpretations are on many occasions in other books).”

“Great resource, love the tabs. Logical and easy to follow.”

Order your copy here.

These and other GDPR developments will also be discussed in detail in our online GDPR update workshop next week.

Posted in AI, Data Breach, Data Sharing, EU, Security, Uncategorized | Tagged , , | Leave a comment

Act Now Nominated for IRMS Awards

Act Now Training is pleased to announce that it has been nominated for this year’s Information and Records Management Society (IRMS) awards in two categories. 

Each year the IRMS recognises excellence in the field of information management with their prestigious Industry Awards. These highly sought-after awards are presented at a glittering ceremony at the annual Conference following the Gala Dinner.

Act Now has been nominated for the Supplier of the Year award. In 2020, during the Coronavirus Pandemic, we have been at the forefront of helping the IG/DP community stay abreast of developments and rise to the challenges of working from home and continuing to learn. We ran a number of free webinars on a range of topics including cyber security, risk management and the CCPA. 

During the Pandemic, we developed our online courses from the ground up to ensure they provide the same interaction and quality as classroom workshops. Our flagship GDPR Practitioner Certificate course has been redesigned for the online learning environment but still maintains the focus on delegate interaction, engagement and tutor support. Since April 2020, we have run fifteen of these courses all of which have been fully booked. It is probably one of the most popular GDPR certificate courses.

Throughout 2020, Act Now has promoted information law/information governance beyond these shores. We have trained professionals in the financial sector for the NAPCP conference in Las Vegas and launched our US CCPA and Dubai privacy programmes. This has helped raise the profile of our profession.

We have also continued to raise the media profile of Information Governance in 2020. Ibrahim Hasan, director and solicitor, was interviewed twice by the BBC regarding the NHS Test and Trace app. He also worked with the BBC to help ensure that care home records were removed from a site to prevent harm to patients and relatives.  

Act Now has also been nominated for the Innovation of the Year award for our new Advanced Certificate in GDPR Practice. This course is for data protection practitioners who wish to advance their GDPR practice and knowledge. The syllabus has been designed in consultation with experienced data protection practitioners from both the public and private sectors. It consists of a series of challenging masterclasses in which delegates analyse and evaluate thought-provoking case studies designed to help them interpret complex data protection issues. 

This is the only advanced GDPR certificate course on the market and is proving very popular amongst practitioners. Our first three courses are fully booked. More information here.

All IRMS members are eligible to vote in the IRMS awards. The deadline is 2nd April 2021. Vote now for your favourite training company.

Our new UK GDPR Handbook is still available to pre order at a special discounted price. 

Posted in GDPR, Uncategorized | Tagged , , | 2 Comments

Covid Testing in Schools and Data Protection

element5-digital-OyCl7Y4y0Bk-unsplash

By Neil Murphy

Pupils in England return to school today. Secondary schools have been given the additional task of facilitating on-site covid tests. Not only do they need to be trained, ready to supervise this testing, they also need to be up to speed with their data protection responsibilities as set out in the new UK GDPR.  

Many schools have outsourced their Data Protection Officer (DPO) role to a consultant or have bought the service from the local authority. The DPO will be well placed to advise them on what needs to be done to ensure GDPR compliance. In any event, the Department for Education guidance is a good starting point. However, with their primary focus being on the medical issues of which type, the frequency of use and how to deliver the tests, some schools may still struggle with their data protection responsibilities.

Let’s start with the legal basis of processing. The tests are not mandatory and so consent is required for both the testing and the processing of the pupils’ personal data. Head teachers are already warning of problems getting parental consent for the tests, let alone processing the data. The DfE have advised that such data can still be processed under UK GDPR Article 6(1)(e) (public task) although the legislation schools may wish to refer to will vary for each type of school (e.g. maintained school, independent school, academy etc.).
Health data is Special Category Data under GDPR and so, additional to Article 6, an Article 9 condition is required to justify the processing of such data. Explicit consent can be used or it can be argued that the processing is in the public interest on public health grounds (Article 9(2)(i)) to tackle the spread of Covid-19.

The method of gathering the initial parental consent will of course be an issue given the size of the school cohort. A clear letter which gives an overview of the type of testing to be delivered on-site, how to perform the test and how the school plans to deliver the testing (e.g. dedicated areas or times) can alleviate anxieties. There is a YouTube clip of a school that participated in the pilot testing and NHS guidance on how to take the test.
Letters could hyperlink to these and help fully inform parents what it is they are consenting to. A simple form can then be used to reiterate, not only that consent can be withdrawn at any time but, that the pupils own wishes will always be respected.
Some schools have used Google or Microsoft Forms to avoid being inundated with paper forms and emails.

privacy notice is also required to explain how the test result data will be processed by the school. This should be referenced in the above mentioned letter and should not only indicate the categories of personal data which the school needs to temporarily hold (and the legal basis etc.) but also that NHS Test and Trace will become the Data Controller once the test information is passed to them i.e. Schools are only being asked to help facilitate the tests (which would otherwise be taken directly by the pupil). Some schools have used the privacy notice and letter to parents to make it clear that the school will help speed up the testing process by pre-populating the test forms with some basic personal data they hold (e.g. name, age, gender, address, country of residence).  

Data collated will only need to be retained until the third on-site test is completed but the test results from either on-site testing or home testing (along with a log of who has been given a home-testing kit) will, in line with DfE guidance, be retained no longer than 12 months from the date of the last entry into the register which is of course dependent on the pandemic and how long the testing continues.

These testing arrangements only need to be in place for a short period until testing is undertaken at home. Schools will then need to devise a simple method of receiving the test results from pupils/parents on the morning the home test is taken. They will also need to advise them on where and how long this information is recorded. The initial privacy notice could also address this second phase.  

All personal data should be held in a secure location with password protection; accessible only to those with a need to know. A dedicated member of staff should ideally oversee the routine deletion of all personal data when it is no longer required. Staff should at the very least have a basic level of awareness of the key provisions on GDPR and how to keep data safe. Given that the shortness of this project there is no need to purchase additional software or do a full Data Protection Impact Assessment. However, the data protection implications need to be considered seriously by every school. 

Neil Murphy is a Data Protection Officer for a multi academy trust and currently studying for the Advanced Certificate in GDPR Practice. Act Now Training’s GDPR Essentials e learning course is ideal for school staff who need to learn about data protection in a quick and cost-effective way. You can watch the trailer here

Posted in Uncategorized | 2 Comments

Vaccine Passports and Data Protection: Ibrahim Hasan’s BBC Essex Interview

fringer-cat-hddmxlpafgo-unsplash-1

Vaccine passports are very topical at present. Our director, Ibrahim Hasan, was interviewed on BBC Essex (on 2nd March 2021) about the privacy and data protection implications. 

Listen again here: https://www.dropbox.com/s/k4hxbrfziuc1aom/GDPR%20and%20Vaccine%20Passports.mp3?dl=0

More interviews by Ibrahim here: https://actnowtraining.wordpress.com/2020/09/14/ibrahim-hasan-on-the-bbc/

Posted in COVID-19, GDPR, Uncategorized | Tagged , , , | Leave a comment

Introducing the New UK GDPR Handbook

GDPR Handbook Front Cover with Tabs cropped

Act Now Training is pleased to announce the launch of the new UK GDPR Handbook.

The handbook is designed for data protection practitioners and legal advisers who require a complete guide to the UK Data Protection regime post Brexit.

The UK’s exit from the European Union has resulted in changes to the principal UK Data Protection legislation namely the EU General Data Protection Regulation 2016 (EU GDPR) and the Data Protection Act 2018 (DPA 2018). The revision of the GDPR, pursuant to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, is now known as the ‘UK GDPR’.

The UK GDPR Handbook sets out the full text of the UK GDPR laid out in a clear and easy to read format including tabs for ease of navigation. Tabs have been the most requested feature from user feedback of our popular EU GDPR Handbook.

The Handbook cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. Amendments, insertions and deletions (made by the 2019 regulations and shown in the Keeling Schedule) have been clearly indicated, using a colour coding system, to allow users to easily identify what has been changed. Relevant provisions of the amended DPA 2018 have been included where they contribute to the further understanding of the UK GDPR. Guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted to assist users in interpreting the legislation.

Act Now has sold over 3000 copies of the EU GDPR Handbook. This new publication will be a valuable addition to data protection practitioners’ libraries. Ibrahim Hasan, the editor of the UK GDPR Handbook, said:

“I am really pleased with the publication of the UK GDPR handbook. My team and I have tried to produce a clear and easy to follow publication which will help practitioners navigate their way around this complex legislation.”

SPECIAL PRE ORDER PRICE

The UK GDPR Handbook will soon be on sale at £54.95 plus p&p.

We have a special price of only pre order price of £44.95 plus p&p until 12th March 2021 for the first 500 copies. Orders will be shipped from 22nd March 2021. Order now here.

Act Now will be donating £1 for each handbook sold to our chosen charity Woodgate Community Food based in Leicester.

Delegates on  the Act NowAdvanced Certificate  in GDPR Practice  will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.

Posted in GDPR Handboook, Handbook, UK GDPR, Uncategorized | Tagged , | Leave a comment

The New ICO Data Sharing Code of Practice

beatriz-perez-moya-XN4T2PVUUgk-unsplash

The sharing of personal data between organisations has many public and business benefits. However there is much confusion about what the law allows, particularly the General Data Protection Regulation (GDPR).

In December, the Information Commissioner’s Office (ICO) finally published its Data Sharing Code of Practice following a consultation exercise. The code does not impose any additional barriers to data sharing, but aims to help organisations comply with their legal obligations under the GDPR and the Data Protection Act 2018 (DPA 2018). In particular the code:

  • updates and reflects key changes in data protection law since the last data sharing code was published 
  • explains new developments and their impact on data protection;
  • references new areas for organisations to consider; and
  • helps organisations to manage risks in sharing data, which are magnified if the quantity of data is large

There is a useful section in the code addressing some misconceptions about data sharing and barriers to sharing. It also covers some special cases, such as databases and lists, sharing information about children, data sharing in an emergency and the ethics of data sharing. Reference is also made to the provisions of the Digital Economy Act 2017 which seeks to promote data sharing across the public sector.

The code contains a section on sharing data for the purposes of law enforcement processing under Part 3 of the DPA 2018. This is an important area which organisations have not really understood as demonstrated by the recent High Court ruling that Sussex Police unlawfully shared personal data about a vulnerable teenager putting her “at greater risk.”

This is a statutory code of practice under section 121 of the DPA 2018. Under section 127, the Information Commissioner must take account of it when considering whether a Data Controller has complied with its data protection obligations in relation to data sharing. The code can also be used in evidence in court proceedings and the courts must take its provisions into account wherever relevant.

Elizabeth Denham said the COVID-19 pandemic has brought the need for fair, transparent and secure data sharing into even sharper focus:

“I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.

That includes public authorities and supermarkets sharing information to support vulnerable people shielding or health data being shared to support fast, efficient and effective delivery of pandemic responses.”

Following the code, along with other ICO guidance, will help Data Controllers to manage risks; meet high standards; clarify any misconceptions about data sharing; and give confidence to share data appropriately and correctly. In addition to the statutory guidance, the code contains some optional good practice recommendations, which aim to help Data Controllers adopt an effective approach to data protection compliance.

Alongside the code, the ICO has launched a data sharing information hub where organisations can find targeted support and resources, including:

  • Data sharing myths busted 
  • Data sharing code: the basics for small organisations and businesses
  • Data sharing FAQs for small organisations and businesses
  • Case studies  
  • Data sharing checklists 
  • Data sharing request and decision forms template  
  • Sharing personal data with a law enforcement authority toolkit
  • Guidance on sharing personal data with law enforcement authorities
  • Guidance on data sharing and reuse of data by competent authorities for non-law enforcement purposes

Ibrahim Hasan will be presenting a one hour webinar on the new data sharing code. These and other GDPR developments will also be discussed in detail in our online GDPR update workshop.

Posted in Uncategorized | 1 Comment

So we have a Brexit Trade Deal. What now for GDPR and international transfers?

blur cartography close up concept

Photo by slon_dot_pics on Pexels.com

So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

Internation Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our  GDPR  Essentials  e  learning course can help you do this in less than 45 minutes. 

Posted in Brexit, International transfers | Tagged , , | Leave a comment