It's that special time of year again – Data Privacy Day! Whilst it may take a backseat to some of the more mainstream days of celebration throughout the year (probably due to the close proximity to Christmas and New Year's Day), Data Privacy Day is an important time to reflect on your organisation's privacy and data protection processes and consider whether these reflect best practice (or even just 'good' practice) to ensure that you are, and remain, compliant with the current Data Protection regime.

The significance of Data Privacy Day is not to be understated and there has been a monumental shift in attitudes to protecting data subjects' rights since 2018. There was a flurry of activity around 'GDPR' when the EU General Data Protection Regulation came into force on 25 May 2018 and since then:

  • the ICO has issued a multitude of fines – some reaching up to £20m;
  • Brexit has led to the UK transitioning to the 'UK GDPR';
  • the ICO has approved an International Data Transfer Agreement to allow personal data to be exported outside of the UK to third countries; and
  • further changes are now on the horizon. The Data Protection and Digital Information (No.2) Bill (DPDI) is now under review by the House of Lords and aims to further increase data protection and security measures across the UK.

It is therefore a good time to dust off your Privacy Notices and policies and check that they are up to date and reflect current practices. Mapping where personal data comes into your organisation, what it is used for and where it goes is critical to being able to demonstrate your compliance to the ICO. You should also check that you have the right paperwork in place with joint data controllers, processors and sub-processors – particularly in relation to the lawfulness of the EU Model Clauses for international data transfers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.