Many businesses have now been complying with the GDPR for some time, and we are often asked what data protection compliance involves on an ongoing basis. This update addresses some common questions about what businesses should be doing now that initial compliance has been dealt with.
Q. We updated our data protection-related documentation in 2018. Does that mean that we don’t have to do anything?
A. In short, no. It is important to make sure that documentation is regularly reviewed and updated where necessary even if there are no changes to the way you deal with personal data. Annual reviews are often a good idea for reasons such as:
1. data held and the way it is processed often changes over time. To comply with data protection law, it is necessary to make sure that you adhere to the information requirements, i.e. what you must tell individuals about your processing. For example, you should make sure that the details of your processing activity and the legal basis or bases you rely on for processing data are set out in your privacy notices. If there are changes over time, documents should be updated so that they remain accurate.
2. there are now several years of case law and guidance from the Information Commissioner’s Office (the ‘ICO’) and the European Data Protection Board. As the GDPR is principles-based, this has helped to fill some of the gaps and has provided guidance as to how the GDPR will be interpreted in practice. This means it is helpful to take a look at what you are doing and to see whether any changes should be made to your documentation in light of that guidance.
Q. Should we train employees on data protection?
A. It is not uncommon for data breaches to be caused by employees, whether unintentionally or (although less commonly) intentionally. Examples include employees losing USB sticks or laptops and sending personal data to a third party that should not have access to it. This means it is very important to ensure that employees are trained regularly, particularly employees whose duties involve dealing with personal data.
If a data breach does occur and you are required to report it to the Information Commissioner’s Office, you will be asked whether the employee involved in the breach has had data protection training in the two years before the breach. Training staff is not only a good way to prevent breaches in the first place but also to show that you take data protection seriously as a business.
Q. Does anything need to be done concerning procedures?
A. For the reasons outlined under the first question above, keeping procedures under regular review is also a good idea. This might include carrying out reviews or audits of how you process personal data or testing your processes (such as your arrangements for handling data breaches) to make sure you are doing what you should be doing and that what you have in place works well.
There may also be other factors, such as changes to your business or Brexit-related changes, which mean that you should look at whether your procedures might need to be adapted.
Q. Have there been any changes to data transfers from the EEA to the UK?
A. At present, transfers of personal data from the EEA to the UK can continue temporarily for up to six months from 1 January 2021. It is hoped that there will be a UK adequacy decision that will enable data to be freely transferred to the UK from the EEA before the temporary arrangement ends.
We are now a step closer to an adequacy decision as the European Commission has released a draft decision that supports the free flow of data to the UK and says that the UK provides adequate protection for personal data. Whilst this does not guarantee an adequacy decision, the draft decision is very good news for businesses involved in transferring data from the EEA to the UK.
If you require assistance with ongoing compliance or if you have any questions about data protection law generally, please contact the Corporate/Commercial department at 3CS.