As many businesses have been complying with the GDPR for some time now, we are often asked about data protection compliance on an ongoing basis. This update addresses some common questions about what businesses should be doing now that initial compliance has been dealt with.

 

Q. We updated our data protection-related documentation in 2018, does that mean that we don’t have to do anything?

A. In short, no. It is important to make sure that documentation is regularly reviewed and updated where necessary even if there are no changes to the way you deal with personal data. Annual reviews are often a good idea for reasons such as:

1.  data held and the way it is processed often changes over time. To comply with data protection law, it is necessary to make sure that you adhere to information requirements. For example, you should make sure that the details of your processing activity and what legal basis or bases you rely on for processing data are set out in privacy notices. If there are changes over time, documents should be updated so that they remain accurate.

2.  there are now several years of case law and guidance from the Information Commissioner’s Office (the ‘ICO’) and the European Data Protection Board. As the GDPR is principles-based, this has helped to fill some of the gaps and provided guidance as to how it will be interpreted in practice. This means it is helpful to take a look at what you are doing and to see whether any changes can be made to your documentation.

 

Q. Should we train employees on data protection?

A. It is not uncommon for data breaches to be caused by employees, whether unintentionally or (although less commonly) intentionally. Examples include employees losing USB sticks or laptops and sending personal data to a third party that should not have access to it. This means it is very important to ensure that employees are trained regularly, particularly employees whose duties involve dealing with personal data.

If a data breach does occur and you are required to report it to the Information Commissioner’s Office, you will be asked whether the employee involved in the breach has had data protection training in the two years before the breach. Training staff is not only a good way to prevent breaches in the first place but also to show that you take data protection seriously as a business.

 

Q. Does anything need to be done concerning procedures?

A. For the reasons outlined under the first question above, keeping procedures under regular review is also a good idea. This might include carrying out reviews or audits of how you process personal data or testing your processes (such as your arrangements for handling data breaches) to make sure you are doing what you should be doing and that what you have in place works well.

There may also be other factors, such as changes to your business or Brexit-related changes, which mean that you should look at whether your procedures might need to be adapted.

 

Q. Have there been any changes to data transfers from the EEA to the UK?

A. At present, transfers of personal data from the EEA to the UK can continue temporarily for up to six months from 1 January 2021. It is hoped that there will be a UK adequacy decision that will enable data to be freely transferred to the UK from the EEA before the temporary arrangement ends.

We are now a step closer to an adequacy decision as the European Commission has released a draft decision that supports the free flow of data to the UK and says that the UK provides adequate protection for personal data. Whilst this does not guarantee an adequacy decision, the draft decision is very good news for businesses involved in transferring data from the EEA to the UK.

 

If you require assistance with ongoing compliance or if you have any questions about data protection law generally, please contact the Corporate/Commercial department at 3CS.

Amy Cunliffe-Rowe

GET IN TOUCH

3CS Corporate Solicitors

Providing solutions, not just legal advice
Contact us

GET IN TOUCH

Contact us

3CS Corporate Solicitors Ltd
60 Moorgate
London
EC2R 6EJ

3CS is based in offices in the heart of London's financial district.The nearest underground stations are Liverpool Street, Moorgate and Bank - all within 5 minutes’ walking distance.​

To view a map of where to find us, please click here.

+44(0) 204 5161 260 English (United Kingdom)

info@3cslondon.com

Please enter your name
Please enter your phone number
Please enter your email
Invalid Input
Invalid Input

Our Clients


View all our clients

Registered in England & Wales | Registered office is 60 Moorgate, London, EC2R 6EJ
3CS Corporate Solicitors Ltd is registered under the number 08198795
3CS Corporate Solicitors Ltd is a Solicitors Practice, authorised and regulated by the Solicitors Regulation Authority with number 597935


Registered in England & Wales | Registered office is 60 Moorgate, London, EC2R 6EJ
3CS Corporate Solicitors Ltd is registered under the number 08198795
3CS Corporate Solicitors Ltd is a Solicitors Practice, authorised and regulated by the Solicitors Regulation Authority with number 597935