DATA PROTECTION: 5 key changes you need to be aware of
Commercial law specialist Liz Gillingham provides a snapshot summary of developments in data protection law you should be aware of
Data protection remains a major compliance issue in terms of both risk and everyday practicalities. Get it wrong, and it’s not just your reputation that will take a hit: if you need an incentive to get it right, consider the potential to incur fines of up to €20 million or 4% of global turnover as a powerful motivator.
We regularly find that data protection is a key issue in buyer due diligence and can provide a major stumbling block, particularly with many businesses not having reviewed their compliance since 2018 when the GDPR came into force. Data protection does not, however, stand still and the regulatory landscape has changed significantly in that time. Have your policies kept pace?
Here are the key developments you should be aware of:

1. UK/EU ADEQUACY DECISION
The European Commission adopted an “adequacy decision” at the end of June confirming that personal data can continue to flow freely between the UK and the EU after Brexit. Good news – and a great relief – for companies whose operations span the UK and the EU; the alternative would have required extensive changes to privacy documentation.
2. NEW RULES ON INTERNATIONAL DATA TRANSFERS
The EU-US Privacy Shield was deemed invalid by the Court of Justice for the European Union (CJEU) last year and can no longer be relied on to validate transfers of personal data from the EU to the US. The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries and that supplementary measures might be required. The European Data Protection Board subsequently published draft recommendations on the measures needed to ensure compliance with the EU level of protection of personal data.
The bottom line is that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer, and whether any additional measures are necessary.
3. REQUIREMENT TO APPOINT AN EU REPRESENTATIVE
The GDPR applies to organisations outside the EU where they carry out business in the EU and requires those businesses (with a few exceptions) to appoint a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
Post-Brexit, UK businesses carrying on business in the EU have to appoint a representative in the EU for data protection purposes, and EU businesses carrying on business in the UK have to appoint a representative in the UK. That requirement works both ways: any company not established in but offering goods or services to the UK must appoint a representative in the UK. Here, you need to remember that what seems like an administrative nicety can come with a hefty price: just a few months ago, the Dutch Data Protection Authority fined a non-EU website provider €525,000 for failing to appoint an EU representative. To reinforce the point, the authority also set a 12-week deadline for the business to remedy the situation – imposing continuing fines of €20,000 for every two weeks that it remained in breach (up to €120,000).

4. NEW EU STANDARD CONTRACTUAL CLAUSES
In June 2021, the European Commission published new SCCs (the New Clauses). Businesses which operate in the EU and rely on the old SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by December 27th 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from September 27th 2021.
The New Clauses are not currently valid under UK law and cannot be used to legitimise the transfer of personal data out of the UK, but UK businesses dealing with EU customers and suppliers may be asked to enter into them and so need to be aware of the change.
You can find more detail on this particular area on our website by clicking this link – New rules for international data transfers.
5. NEW EU PROCESSOR CLAUSES
Finally, the EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR. These are not mandatory, but you may find them useful when engaging a processor.
The world is increasingly interconnected and reliant on the transfer of data, particularly cross-border. As a result, data protection law is continually changing and the penalties for non-compliance remain high. We recommend that you carry out regular checks every couple of years to ensure that your compliance measures are up to date and have kept pace with the changing regulatory environment.
Liz Gillingham is a Senior Associate in DMH Stallard’s Corporate and Commercial team and can be contacted on 01483 467430 or by email at liz.gillingham@dmhstallard.com dmhstallard.com