The flurry of activity surrounding the introduction of GDPR in May 2018 was intense and although the dust settled slightly, the last year has been an exceptionally eventful one from a data protection perspective. As we reach the third anniversary of GDPR, we have highlighted the key data protection issues for organisations in Northern Ireland in 2021 below.
Following the UK's exit from the EU on 1 January 2021, we are operating under the Data Protection Act 2018 and UK GDPR. As a result, the UK is now a 'third country' for GDPR purposes. This means that it requires an adequacy decision from the EEA for personal data transfers from the EU to the UK to continue. Adequacy means that the EU is satisfied that the UK's data protection laws provide a level of protection that is essentially equivalent to data protection under EU law.
A bridging mechanism was introduced for six months, expiring at the end of June 2021, but the signs are good that adequacy will be granted: the EU Commission has approved adequacy and the EU Parliament has adopted a text on the UK adequacy agreement. Over time, however, it is likely that the UK's data protection regime may diverge, and the EU will review the UK's data protection laws again in 2025.
In addition, under UK GDPR, the UK can now make its own adequacy decisions. To date, it has granted adequacy to the same countries that have been granted adequacy by the EU Commission, and to the EU itself, meaning that data transfers from the UK to the EU can proceed without difficulty.
- Schrems II
The Schrems II ruling from the Court of Justice of the European Union (CJEU) in July 2020 further complicated international data transfers by invalidating transfers of personal data from the EU to the US that relied on the Privacy Shield (the Privacy Shield was the legal basis on which over 5,000 companies relied to transfer personal data from the EU to the US in a compliant manner). Schrems II also questioned the use of Binding Corporate Rules and Standard Contractual Clauses (SCCs) as transfer mechanisms; if either mechanism is used for a transfer, it is now necessary to implement additional safeguards to ensure that data subjects' rights will be respected and that they have a right of redress.
What does this mean for NI businesses? Given that decisions of the CJEU handed down before 31 December 2020 remain binding in the UK, Schrems II is part of UK law and the Privacy Shield is invalid in the UK. Organisations in the UK relying on SCCs to transfer data to the US must therefore undertake a risk assessment and, if necessary, implement additional safeguards to protect data subjects. The Information Commissioner in the UK has also indicated that it will be introducing new SCCs – so watch this space.
Despite the pandemic, data protection laws have not been relaxed and must continue to be complied with. The UK data protection supervisory authority, the Information Commissioner's Office (ICO), has some useful resources and guidance on managing data during the COVID-19 pandemic. Recognising that organisations will need to continue to share information, the ICO is clear that data protection laws won't stop organisations doing so, provided it is proportionate and not excessive. Helpfully, the ICO has set out six data protection steps for organisations, which set out the key principles that need to be considered around the use of personal information:
- Only collect and use what is necessary;
- Keep it to a minimum;
- Be clear, open and honest with staff about their data;
- Treat people fairly;
- Keep people's information secure;
- Staff must be able to exercise their information rights.
As external factors continue to evolve, it will be interesting to see how the UK Data Protection landscape changes in the coming year. In the meantime, there are some immediate practical steps that you can consider for future planning and compliance:
- Do you need to appoint an EU based representative? If you don't have an office, branch or other establishment in the EU, but offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU, then you may need to appoint an EU representative. You may also need to identify a lead supervisory authority in the EU.
- Do you need to update your policies, privacy notices, and other data documentation? References to GDPR can be replaced by UK GDPR and you may need to refer to your EU representative. If you offer goods or services to, or monitor the behaviour of, EU residents, you must also comply with EU GDPR, and should therefore also reflect this in your documentation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.