Untangling data protection policy, post-Brexit.
The General Data Protection Regulation (GDPR) was the biggest overhaul of European data protection legislation in 20 years. It sought to standardise data privacy across all EU member states and to bind any organisation doing business within the European Union or processing the personal data of individuals in it, wherever that organisation is based.
Covering any data that can be used to identify a living individual, the new law gave individuals more rights and far more control over what happens to their data. Enterprises of all sizes invested significant time, effort and money to be fully compliant by the time GDPR became enforceable on 25th May 2018.
The UK left the EU on 31st January 2020 and the transition period ended on 31st December 2020, so do UK businesses still need to abide by the same data privacy laws? Company directors have been left confused: what exactly are your responsibilities?
Does GDPR still apply now the UK has left the EU?
Almost every business holds information on its customers or employees; without data, it would be impossible to trade. Businesses have a legal responsibility to protect that personal data and to adhere to the legislation that governs it.
As the UK is no longer an EU member state, you may be thinking that the European regulation no longer applies, and in part you would be right.
At the end of the transition period on 31st December 2020, the EU GDPR ceased to apply directly in the UK. From 1st January 2021 the EU GDPR was retained in UK law, with amendments replacing references to EU institutions and member states, and it sits alongside the Data Protection Act 2018. This retained version is known as the UK GDPR.
For UK businesses much remains the same, as the UK GDPR incorporates the vast majority of the EU GDPR. Its definition of personal data and its rules on responding to Subject Access Requests (SARs) are unchanged, including the existing ability to refuse or charge for requests that are manifestly unfounded or excessive. The main practical differences are that the Information Commissioner's Office (ICO) is now the sole supervisory authority for processing under the UK GDPR, and that the maximum fine it can issue is expressed in sterling: £17.5 million or 4% of annual global turnover, whichever is higher, in place of the EU GDPR's €20 million or 4%. The £17.5 million figure is a currency conversion of the EU ceiling, not an increase.
If you are a UK business that offers goods or services to, or monitors the behaviour of, individuals in the EU or EEA, you will still be governed by the EU GDPR as well as the new UK GDPR. If you operate solely in the UK and only have UK customers, then only the UK GDPR applies.
The EU law applies to the personal data of individuals in the EU no matter where the processing takes place, for example on servers located outside the EU. Facebook learned this in 2015, when a complaint about its transfers of European users' data to the United States led the Court of Justice of the EU to strike down the Safe Harbour transfer framework.
The ICO remains the supervisory authority for the UK, with the power to fine any UK enterprise that fails to protect personal data adequately. Beyond fines, the ICO can also order a company to stop a processing activity or suspend its ability to transfer data to another country. Restrictions on business operations damage reputation and may mean you can no longer serve your customers. In short, a data breach can be catastrophic.
How do you ensure you remain compliant?
Whilst the huge fines make the headlines, such as the £20 million penalty the ICO issued to British Airways in 2020 over its 2018 breach, the thought of EU and UK GDPR compliance need not fill you with terror.
The ICO is there to help: it publishes comprehensive guides and checklists that are free to download. There are three relatively simple steps that enterprises of all sizes can take for peace of mind and to remain compliant.
1 – Review.
GDPR came into force three years ago, so whether you do business solely within the UK, the EU or both, it is always a good idea to review your operations regularly. A risk assessment will help you make informed decisions.
Revisit how your business processes personal data, and check that each processing activity has an appropriate legal basis and that the data collected is relevant and necessary. Could the same purpose be achieved in a less intrusive way? Every extra item of data needs resources to secure it, and the ICO can fine you for leaking data you never needed to collect in the first place. Only gather the data you need.
UK businesses are responsible for working out which legislation applies to them and to the ways they process data, and for identifying the appropriate lead supervisory authority.
If you have no establishment in the EU but offer goods or services to, or monitor the behaviour of, individuals there, you will need to appoint an EU Representative based in one of the EU or EEA member states where those individuals are. A single representative covers the whole EU; you do not need one in each country. The only exemption is for processing that is occasional, does not include large-scale use of special category or criminal conviction data, and is unlikely to result in a risk to individuals. This is required in addition to the approved mechanisms for cross-border data transfers.
The representative is a person or company established in the EU, either controlled by the UK enterprise or contracted to act on your behalf, that serves as the point of contact for supervisory authorities and data subjects on GDPR matters such as SARs. Similarly, an EU business with no UK establishment that targets UK individuals requires a UK Representative.
2 – Document.
UK organisations must amend their documentation to align it with the requirements of the EU GDPR, the UK GDPR or both, as applicable.
You will need to update the policies, procedures and documentation relating to your data processing so they reflect the changes in the law post-Brexit. Reassess your privacy policy, cookie policy and website banner; publishing them openly on your corporate website enhances your reputation. Ensure that the UK GDPR is also reflected in your cybersecurity strategy and incident response plan, including the breach notification deadline.
Your record of processing activities should cover not only the 'who, what, where, why and how' but also the security measures in place and which of the six lawful bases under Article 6 applies to each processing activity. You should also identify the Article 9 condition relied on for processing special category data, such as anything relating to an individual's health, race or religion. Should a data breach occur, detailed records will help you, because you must notify the ICO (for processing under the UK GDPR) or the relevant EU member state supervisory authority (for processing under the EU GDPR) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals. The European Data Protection Supervisor (EDPS) oversees only the EU's own institutions and is not the authority a business reports to.
Appointing a Data Protection Officer to take overall responsibility for data protection is always a good idea, and it is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data. Whether this is a dedicated role or is overseen by the CISO, the DPO must be able to act independently and report to senior management.
UK-EU data transfers.
The EU GDPR restricts transfers of personal data to 'third countries' outside the EU and EEA, which is what the UK became on 1st January 2021. For the first six months of 2021 the UK relied on the bridging mechanism in the trade deal while it awaited the European Commission's adequacy decisions. On 28th June 2021 the Commission adopted adequacy decisions for the UK, so personal data can flow from EU and EEA organisations to UK organisations without further safeguards. The decisions run for four years and can be suspended or revoked if UK law diverges. Transfers in the other direction, from the UK to the EEA, are permitted under the UK GDPR because the UK treats the EEA as adequate.
Businesses remain responsible for ensuring that their partners adhere to the regulations. The best way is to update contracts with processors via a Data Processing Agreement that sets out the required security measures and the other terms Article 28 demands.
Data transfers outside of the EU and EEA.
Extra safeguards are required for transfers outside the EU and EEA, for example to U.S.-based search engine or cloud providers. Standard Contractual Clauses (SCCs) govern how the receiving organisation securely handles the personal data for which you are the controller. These should already be in place, but they must be reviewed and updated now Brexit is complete: the European Commission's June 2021 SCCs cover transfers under the EU GDPR only, while transfers under the UK GDPR need the ICO's International Data Transfer Agreement or its UK Addendum to the EU SCCs. In each case you should also assess whether the destination country's laws undermine the protection the clauses promise, as the Schrems II judgment requires.
3 – Delete.
Any vulnerability in your IT infrastructure can lead to a data leak. The cybersecurity risk is ever evolving and attackers are getting increasingly clever. It is vital that we do not gift them sensitive personal data held on old or redundant IT equipment.
One of the key challenges for data governance is improper or incomplete erasure of data from redundant IT assets. Technology has become such an integral part of day-to-day life that we almost forget that our devices, and the growing network of Internet of Things equipment, all hold regulated data, and that secure IT asset disposal matters. If that data is exposed it can result in a substantial fine.
Your partnership with your ITAD supplier forms part of your enterprise cybersecurity plan. IT asset disposal companies provide a GDPR data destruction certificate for each hard drive, desktop, server or data centre decommissioning. This gives you a chain of custody and a paper trail as written evidence that you have acted within the law. Check that each certificate records the asset and drive serial numbers and the erasure or destruction method used; under the accountability principle the certificate is evidence, but legal responsibility for the data stays with you as the controller.
Professional data destruction supports your GDPR compliance and also helps you comply with WEEE regulations and contribute to the circular economy, as most ITAD companies have zero-landfill policies. Sustainability is good for business, and environmentally friendly ITAD, often provided free of charge, demonstrates a positive ethical attitude to those you do business with.
Data protection legislation is not known for being easy to understand, and Brexit only compounded this, along with the six-month bridging mechanism agreed in the trade deal for cross-border data flows.
Time spent ensuring GDPR compliance in 2018 has not been wasted. Although most of the same rules apply, every UK business must reassess the specific ways it processes data in line with the changes, to make sure it conforms to the correct legislation, whether that is the UK GDPR alone, the EU GDPR, or both.
Reviewing and documenting all procedures relating to processing and data destruction is not only an essential part of compliance; it also demonstrates transparency and your commitment to customers, your supply chain and the data protection authorities. Whether using a secure sharing platform rather than email or ensuring you have ITAD chain-of-custody certification for each end-of-life IT asset, a 'privacy by design' approach that builds data protection into all business operations will boost your reputation and ensure that you remain fully compliant with both GDPR regimes.
Contact us today on 0161 777 1000 or visit tier1.com to find out more about how we can help with GDPR destruction of data, environmentally friendly ITAD, or our data wiping services.
Resources.
The Information Commissioner’s Office, The Focus Group, IT governance, GDPR Associates, proxyclick.com, NAQ, Meta Compliance, Active Mind, dataprotection.ie, European Data Protection Supervisor