Pragmatic advice on understanding GDPR compliance. Baseline data protection compliance assessment. Spot compliance gaps, identify meaningful risks and provide pragmatic remediations. Develop and assist with implementation of policies and procedures that comply with applicable laws and generate consumer, business partner and employee confidence. Advise on international data transfers. Offer a full suite of ad-hoc advice (see subservices below), or we can set up your GDPR/data protection program (see Privacy Program creation).
- High-level data protection assessment/audit
- GAP analysis of current compliance/practices
- Highlight current risks and necessary steps
- Draft compliance plan
- Records of Processing Activities register creation & assistance
- Data Protection Policies
- Data Subjects Rights advice
- Advice on Controller’s responsibilities
- Training & Raising Awareness
- Global Transfer Solutions & PD export
- Data Sharing guidance & templates
- 3rd Party Vendor/Supplier/Procurement review
- DPbD (Data Protection by Design and Default) guidance
- GDPR Security obligations
- PD Employment guidance & review
- Marketing in compliance with the GDPR
- Data Breach Management Plan
The EU General Data Protection Regulation (“GDPR”) standardized and set guidelines for the collection and processing of personal data, requiring businesses to protect the personal data and privacy of European Union (EU) citizens. Following Brexit, the UK has retained the GDPR into domestic law, which is now called UK GDPR.
Considered one of the strictest privacy laws in the world, the GDPR imposes obligations on any organisation that collects data about individuals in the UK (or the EU), even if the company is based outside the UK (or EU). Organisations must not only be mindful of how and what information is collected; they also need to document the procedures used to safeguard data, be transparent about security measures, and ensure that sufficient and adequate data processing agreements are in place.
The data the GDPR protects includes personal information that relates to an identified or identifiable individual, such as a name, address, and/or ID numbers, as well as web data such as location, IP address, cookie data, and RFID tags. ‘Special Category’ Information is also protected, including health, genetic, and biometric data, religious beliefs, membership in a trade union, political opinions, racial or ethnic data, and sexual orientation/practices: the GDPR prohibits the processing of special category data unless certain provisions are in place.
At the heart of the GDPR is the importance of privacy rights of individuals, especially in this digital age where almost everything about an individual is shared and stored online. The regulations attempt to give people, whether they are customers, clients, patients, or employees, more control over their data while outlining how organizations should collect, store, and use that data.
Health, genetic, and biometric data, religious beliefs, political opinions, racial or ethnic details, membership in a trade union, and sexual practices and orientation are considered special category data. Because of the sensitive nature of this data, the GDPR requires additional protection of this information.
Both the EU and UK GDPR have seven core data protection principles for the lawful processing of personal data.
- Lawfulness, fairness and transparency – Information must be used in a manner that is lawful, fair, and transparent. When information is given, data subjects must be told why the data is collected and how it will be used. Additionally, a company must be able to provide details to individuals about what information they have collected about them when asked.
- Purpose limitation – The purpose for collection must be identified at the point of collection and not subsequently changed unless it is compatible with the original purpose.
- Data minimisation – Ensure personal data processed is adequate, relevant, and limited to what is necessary.
- Accuracy – Keep personal data accurate and up to date.
- Storage limitation – Keep personal data in an identifiable form only for as long as needed to fulfil its original collection purpose.
- Appropriate security – Implement the Confidentiality, Integrity, Availability triad to ensure appropriate security measures protect the data. Organisations are charged with safeguarding personal information collected from their data subjects. They also must invest in a safety plan to protect this information from security breaches.
- Accountability – Organisations must be able to demonstrate their compliance.
The Information Commissioner’s Office (“ICO”) is the UK’s independent regulatory office in charge of overseeing compliance with the UK GDPR. The ICO’s significant investigative, corrective and enforcement powers include the ability to:
- order Controllers and Processors to prove their GDPR compliance;
- perform a data protection audit;
- stop an organisation from processing personal data;
- access premises, issue warnings, and suspend data flows to third countries;
- impose financial penalties.
Organisations are required to use appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of systems and services and of the personal data processed within them, to test the effectiveness of such security measures, and to encrypt data and devices whenever possible.
Note: if data can be truly anonymised, it is outside the scope of the GDPR. If data cannot be anonymised, companies should consider pseudonymisation.
Companies that violate the GDPR’s privacy and security standards face steep fines. Depending on the nature, gravity, and duration of the noncompliance, fines can be up to £17.5 million (€20 million in the EU) or 4% of annual global turnover, whichever is greater.
In the digital era, cross-border data access, use, and exchange are needed to sustain and develop global commerce and share health and safety information. Manufacturing, retail, services, agriculture, and even medical research on COVID are all reliant on data and the global flow of that data.
Granted by the European Commission to countries outside the European Economic Area (EEA), and by the UK to areas outside of the UK and EEA, data adequacy is a status awarded to a country that has proven it provides a level of personal data protection comparable to the strict GDPR standards. Once a country has been awarded this status, information is allowed to pass freely between it and the EEA or the UK without additional safeguards being required.
Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission to allow for the free flow of personal data from the EU into the UK to continue past 30 June 2021, when the ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement is set to expire.
When sending personal data outside of the UK to jurisdictions (like the United States) that are not considered “adequate”, appropriate safeguards must be put in place prior to transfer in order to protect personal data the same way as it would be in the UK.
At present, an ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement allows for the free flow of personal data from the EU into the UK. It is set to expire on 30 June 2021.
Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission. In February, after nine months of assessing the UK’s domestic law and practice on personal data protection, the Commission determined that the UK does ensure essentially equivalent personal data protection to that provided under the General Data Protection Regulation (GDPR).
The next stage is for the European Data Protection Board to provide a non-binding opinion. After taking that opinion into account, the Commission will send the draft decision to EU Member States for formal approval, and the European Commission may then adopt the decision.