For all practical purposes, the EU General Data Protection Regulation (GDPR) continues to apply in the UK despite Brexit, in the form of the retained "UK GDPR" read alongside the Data Protection Act 2018. GDPR represents some of the toughest data protection legislation in the world. The regulator can impose fines of up to €20 million (£17.5 million under the UK GDPR) or 4% of annual worldwide turnover, whichever is the higher. The frequency and quantum of such fines have been sharply increasing. In the past year, across the EU and UK combined, total penalties increased by more than 100%. Since 2018, there have been more than 800 fines, with those in the top 20 ranging from $877 million (Amazon) to $3 million. It is wise to consider your company's data protection policies carefully.
Should we amend our data protection related documents regularly?
Yes, reviews should be carried out regularly. Annual checks will usually suffice unless there are changes to your data practices or to your business that may affect the documents, in which case you should carry out an additional review at that time. Case law, updated guidance from the authorities, and external factors such as Brexit may also trigger the need to revise your documents.
Reviewing and updating your documents as necessary will help to make sure that you are complying with your legal obligations and may help to avoid any problems.
What is a data protection audit?
This is a formal and detailed review of the personal data you hold, together with consideration of what you do with that data, the lawful basis on which you process it, where it is sent, from where it is received, and how long it is retained. The purpose of the audit is to identify areas of risk, to ensure your processes and procedures are adequate, and to address any potential issues before they become a problem.
Many companies dealt with GDPR compliance in a rush before the GDPR came into force in 2018 and this was at a time when there was little guidance from the authorities on how the GDPR would work in practice. This means that now is a good time to stand back and review your overall data compliance situation.
Do we need to train our employees?
Yes, and regular training is very important. This helps to ensure that existing employees are kept aware of what to do and that new employees have the knowledge they need. Employees are also critical in minimising the risk of data breaches and in ensuring that you comply with data protection law, for example by making sure that subject access requests are identified immediately and dealt with promptly in accordance with your procedures and the regulations.
If you are required to report a data breach to the Information Commissioner's Office (ICO) – which is, unfortunately, becoming increasingly common, and which must normally be done within 72 hours of becoming aware of the breach – you will be asked whether the employees and managers involved in the breach were provided with training and, if they were, when that training was carried out. Responding that training was carried out a long time ago, or not at all, will not look good.
What is the position with the new UK Standard Contractual Clauses (SCCs)?
Standard contractual clauses are template contract terms that provide a lawful basis for transferring personal data to a country outside the UK (or EU) that is not covered by an adequacy decision. Following Brexit, the UK needs to adapt the wording to take into account the changed relationship between the EU and the UK. The public consultation on the proposed International Data Transfer Agreement (IDTA), which is intended to replace the EU SCCs for use when transferring data from the UK, has now ended. The documents will now be finalised by the ICO and then laid before Parliament. After this process has been completed it is proposed that there will be separate deadlines for their adoption: 3 months in the case of new arrangements, and 21 months for existing arrangements. We will provide an update on this in due course.
It would be sensible to review your existing transfers now, recording each transfer of personal data outside the UK and the transfer mechanism currently relied on, so that you can readily identify and prepare for what you will need to do once the new transfer agreements are announced.
If you require assistance with data protection law or if you would like more information about our GDPR audits, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.