It has now been a whole year since the GDPR came into force. Unfortunately, data protection compliance is an ongoing responsibility and not something that you can do once and forget about, so now is a very good time for you to ensure that you are doing everything properly.
Have you fully implemented your GDPR documentation? Are your privacy notices and policy documents actually being used by staff? Have you made any changes to your processes that mean you should look again at how compliant you are? Do you now have processes in place to ensure that you are disposing of older data in accordance with your retention policy? Have you checked whether you could shorten any of the periods that you set in that retention policy? Are you carrying out any ‘high risk’ processing which would need a data protection impact assessment (DPIA) to be documented? These are just a few of the points you should think about.
We now also have a year of post-GDPR guidance from the European Data Protection Board and the ICO that tells us how the authorities will be interpreting the law and what they will be focussing on, all of which is reason enough to carry out an annual review of what you have been doing.
After the GDPR came into force, the UK government passed the Data Protection Act 2018. The GDPR already applied directly in the UK, so the new DPA is largely a matter of supplementing it and filling in the areas that the GDPR left to each member state, but there are a few specific areas that might affect you, and you can update your GDPR policies and privacy notices to make reference to this new law.
For transfers of data outside the European Economic Area (EEA), you always have to take steps to ensure that the data is protected. The main exception to this is where the country that you are transferring the data to has a ‘finding of adequacy’: this is where the EU has decided that the importing country’s data protection laws offer protection essentially equivalent to that of the EU. Happily, Japan has received a finding of adequacy, which makes it much easier to transfer data there, and may make it possible to do away with standard contractual clauses for transfers to Japan.
If we go through any type of ‘hard’ Brexit, then this will have data transfer implications too. The UK would become a ‘third country’ with regard to Europe, and the default position would be that we would be unable to receive data from the EEA without measures (such as standard contractual clauses) being in place to cover data imported into the country. You should think about whether you would be impacted as part of your Brexit planning.
Training is very important. It is all very well having policies and procedures in place, but if your staff are not familiar with the data handling rules, then you could have an issue. Make sure that all new staff receive guidance on what you expect from them, and that existing staff have regular refreshers. Now could be the time to test your data breach policy to ensure that people understand it and that it will allow you to report any breach that is likely to result in a risk to individuals to the ICO within 72 hours of becoming aware of it, which is a regulatory requirement.
Have all of the third parties that process data on your behalf updated their contracts to include the processor terms that the GDPR requires (Article 28), so that you have the correct level of protection? If not, you may be putting yourself at risk.
As the stakes are so high, it is important that you take action to avoid the consequences of breaching data protection law. Recent ICO fines have been significant, and we will be providing a summary of these shortly. If you require advice in relation to data protection, or an annual review, please contact the commercial department at 3CSCorporate Solicitors.