Brexit – What to do next?

The United Kingdom (UK) left the European Union (EU) in January 2020. Since then, the UK has been in a transition period which expires at the end of December 2020. Whatever new arrangements are put into place (i.e. deal or no deal) there is an impact on how UK and EU based organisations comply with data protection legislation.

What is the legal position as it stands?

The General Data Protection Regulation (GDPR) came into force into UK law in May 2018. This version of GDPR effectively became the Data Protection Act 2018. Until we complete the transition, we are still being treated as an EU country and as a result nothing really has changed until this transition period ends.

However, from 1st January 2021 the reality is that the vast majority of organisations will become non-compliant with Data Protection Law.

Organisations have to plan to remain compliant with Data Protection Law.

What is going to change after the transition?

The reality of this is that the full impact is not clear yet. However we can be confident that in any scenario all UK businesses are going to have to do a complete review of their data protection status.

The rationale behind this view is as follows:

  • The legal requirements for data transfers will change – We will no longer be in the EU, and therefore a revision of personal data transfers between the UK, the EU and other countries (e.g. the US) will be needed. The likelihood is that current transfer arrangements may no longer be legally compliant, and new transfers will need to be properly accounted for. For example, where UK data is transferred outside of the UK, and where EU citizens’ data is processed outside of the EU, i.e. in the UK or US etc.
  • EU Representatives may be required – If you are a UK based organisation that processes EU citizens’ data, there is a strong likelihood that you will need to appoint an EU Representative, based within the EU, to represent you for data protection matters.
  • UK Representatives may be required – If you are an EU based organisation that processes UK citizens’ data, you will need to appoint a UK based Representative to represent the organisation for data protection matters in the UK.

What is the impact of these changes?

The simple impact is that most organisations, if they don’t react to the change in circumstances, will be breaking the law once the transition period ends. In the UK we believe that the Information Commissioner’s Office (ICO) will give organisations some additional time to review their position and put the necessary changes into place. This is likely to be limited, probably about 6 months. After that, they will consider this a breach of the law and will likely act accordingly. (Note – this is only our opinion and they may enforce the changes immediately).

What do we advise?

The minimum requirement for all organisations is as follows:

  • Complete a full risk assessment of your data transfers based upon the end of the transition period; this will tell you what will actually be required to comply with the Data Protection Act 2018 (i.e. the new UK-GDPR)
  • Assess the requirements for appointing Representatives if this is needed
  • Develop the necessary Standard Contractual Clauses needed to legalise the data transfers and implement the necessary contractual adjustments as required

How can we assist?

We can undertake the necessary consultancy to bridge the gap based upon a deal or no deal scenario. Please contact us for more details.

The DPO Dilemma

Do I need to engage a DPO or not? This question remains challenging for many organisations to answer.

What does the GDPR state?

In terms of the regulation the requirement for a DPO is based upon the following criteria:

  • you are a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

However, we feel that these criteria remain confusingly ambiguous, for example:

  1. what is meant by large scale?
  2. what is regular in terms of the monitoring of Data Subjects?

This ambiguity is resulting in most organisations opting to ignore the requirement and avoiding the engagement of a DPO.

However, is this justified or a high risk strategy?

In our view, organisations need to take a risk averse approach, otherwise they risk breaching the GDPR and the Data Protection Act 2018.

Take our DPO Self-Assessment

Taking a risk averse approach

The Information Commissioner’s Office (ICO) explains what is meant by ‘large scale’ and ‘regular’ in this link.

In our view the explanation provided remains ambiguous; even the example given offers little clarity. That said, if your organisation is processing special data categories on any scale at all, we would suggest the legal requirement is ‘likely’ to be that you need to formally appoint a Data Protection Officer (DPO).

Even if you prefer to argue the point, you probably have a ‘best practice’ requirement to appoint a DPO. For example, many legal interpretations of the Data Protection Act 2018 suggest that any processing of health related personal data requires the appointment of a DPO.

What is the impact of this?

We think this is significant for obvious reasons. For example, the following types of organisations need to engage a DPO as a matter of urgency:

  • Any public authority
  • Schools
  • Colleges
  • Universities
  • Any organisation providing children’s after school services (i.e. sports clubs)
  • Childcare Providers
  • GP Practices
  • Dentists
  • Opticians
  • Chiropractors
  • Chiropodists
  • Social Care Providers
  • Care Homes
  • IT Support Organisations (Especially those servicing any business on this list)

The above list is not exhaustive; there are many more types of organisations that would be considered to fall within the ‘legally required’ or ‘best practice’ list, e.g. accountancy firms.

How to engage a DPO.

Data Privacy Services offers a full DPO as a Service offering, starting from only £58.00 + VAT per month, with six different levels of service available.

Data Protection Officer (DPO)

Why do I now need to have a Data Protection Officer (DPO)?

GDPR has changed the regulations around the legal requirements for employing or engaging certified Data Protection Services.

The Legal Justification

The organisation:

  • Reason No 1 – Is a public authority (except for courts acting in their judicial capacity)
  • Reason No 2 – Carries out large scale systematic monitoring of individuals (for example online behavioural tracking)
  • Reason No 3 – Carries out large scale processing of special categories of data or data relating to criminal convictions and offences

Our view on this:

If you are processing large amounts of sensitive personal information or information about children, we would advocate hiring a Data Protection Officer or, more likely, outsourcing this role to a company like ourselves.

Business Justification

All businesses are going to be asked about their levels of adherence to GDPR when bidding for new work.

Having a DPO in place demonstrates a much higher level of compliance, as the DPO’s role is partly to monitor and assure your compliance on an on-going basis. This leaves you much better placed to win the confidence of prospective clients that you will handle data privacy appropriately.

Challenges with Hiring a DPO

These resources are difficult to hire in the current market place and they command a fairly high salary, approximately £70k per annum.

Avoiding the Conflict of Interest

Your DPO must be free of any conflict of interest: senior enough to be effective, but able to act independently as required. Therefore senior management, board members, directors, functional heads etc. typically cannot be appointed as a DPO.

The Simple and Cost Effective Solution

The easier, cheaper and more cost effective option is to outsource this role. Data Privacy Services offers the DPO role as a Service.

GDPR Compliance – Step by Step Guide

Step 1 – Assign Accountability

  • GDPR is a complex regulation; it needs an individual within the organisation to be accountable for compliance
  • Review the requirements for formally implementing the role of a Data Protection Officer (note this isn’t mandatory under GDPR for all processing scenarios)
  • Ensure that whoever takes accountability has the support of the organisation’s leadership team

Step 2 – Understand GDPR (Basic Level)

  • Research as much as you can online
  • Review the information on the GDPR Website
  • Review the FAQs on our web site

Step 3 – Risk Awareness

  • Ensure that the organisation’s senior management are aware of GDPR
  • Ensure that they understand the key risks
  • Discuss the financial risk – 4% of last year’s turnover or up to €20M, whichever is the greater
  • Discuss the risk to reputation; quote well-known examples of how data breaches can result in loss of business and insolvency
  • Discuss the risk to new business opportunities; if you are not compliant you will find it harder to win future business

Step 4 – Complete a Readiness Assessment

  • Discuss the best way to review ‘how ready you are for GDPR’
  • The best approach for most organisations is to seek professional help
  • Assess how prepared your organisation is in relation to the key Articles and specifically the principles of the GDPR (under Article 5)

Step 5 – Agree The Compliance Framework

  • Review the detailed output from the Readiness Assessment
  • Agree your desired target state (your GDPR compliance framework) to become compliant
  • Focus on preparing for implementing the urgent priorities

Step 6 – Complete an Inventory

  • You need to know where, how, by whom and for how long your personal data is processed
  • Focus on HR information processes to start with, i.e. the first process could be ‘new starter’.
  • Then assess all of your customer processes, e.g. ‘entering customer information’ into a CRM solution
  • Then assess all of your supplier processes, e.g. ‘setting up a new supplier’ in your invoicing system
  • Don’t forget other forms of processing such as your website, CCTV, voice recording, location tracking etc.

Step 7 – Detailed Risk Assessment

  • Undertake a full detailed risk assessment of all of your key processes
  • Complete data privacy impact assessments
  • Assign priority activities for risk mitigation

Step 8 – Deliver the Priority Activities

  • These will vary organisation to organisation
  • Ensure your processing has a legal basis
  • Ensure that you can deal with access requests
  • Ensure that you can deal with data breaches (see our DPO as a Service information)
  • Ensure that your web site is compliant
  • Ensure that you have appropriate security in place
  • Ensure that your partners are aware of GDPR
  • Ensure that the data they process on your behalf is safe

Step 9 – Deliver the Medium to Long Term Objectives

  • Get all of the necessary contractual relationships in place (Processing and Model Contracts)
  • Implement all of the required policies and procedures that you require
  • Make changes to the way data privacy is managed, implement privacy by design

Step 10 – Maintain GDPR Compliance

  • Implement an annual compliance plan
  • Carry out frequent assurance reviews (see our DPO as a Service)
  • Review and update data privacy impact assessments
  • Carry out information security audits (see our Security Services)