LEGAL
DATA PROTECTION
5 key changes you need to be aware of Commercial law specialist Liz Gillingham provides a snapshot summary of developments in data protection law you should be aware of
Data protection remains a major compliance issue in terms of both risk and everyday practicalities. Get it wrong, and it’s not just your reputation that will take a hit: if you need an incentive to get it right, consider the potential to incur fines of up to €20 million or 4% of global turnover as a powerful motivator. We regularly find that data protection is a key issue in buyer due diligence and can provide a major stumbling block, particularly with many businesses not having reviewed their compliance since 2018 when the GDPR came into force. Data protection does not, however, stand still and the regulatory landscape has changed significantly in that time. Have your policies kept pace? Here are the key developments you should be aware of:
14
www.platinummediagroup.co.uk
ADEQUACY 1UK/EU DECISION
The European Commission adopted an “adequacy decision” at the end of June confirming that personal data can continue to flow freely between the UK and the EU after Brexit. Good news – and a great relief – for companies whose operations span the UK and the EU; the alternative would have required extensive changes to privacy documentation.
EW RULES ON 2 NINTERNATIONAL DATA TRANSFERS
The EU-US Privacy Shield was deemed invalid by the Court of Justice for the European Union (CJEU) last year and can no longer be relied on to validate transfers of personal data from the EU to the US.
The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries and that supplementary measures might be required. The European Data Protection Board subsequently published draft recommendations on the measures needed to ensure compliance with the EU level of protection of personal data. The bottom line is that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer, and whether any additional measures are necessary.