Three years on from GDPR - Time to review your compliance?
The General Data Protection Regulation was first adopted by both the European Parliament and European Council in April 2016 and came into force two years later on 25th May 2018.
The intervening years have witnessed rapid technological advancements, a shifting legal landscape and seismic changes to working practices as a result of COVID-19.
The third anniversary of its implementation provides an opportune moment for organisations to review their GDPR compliance.
In particular, we recommend that organisations review the following areas:
1. Data Protection Policies and Privacy Notices
It is likely that the types of personal data collected by your organisation have evolved since the introduction of GDPR. Data Protection Policies and Privacy Notices should be reviewed to take into account any changes to the personal data being processed, e.g. health data for the purposes of workplace testing. Data Protection Policies and Privacy Notices will also need to be updated to reflect the post-Brexit legal landscape and include appropriate legislative references to UK GDPR.
2. Remote Working Policy
COVID-19 led to the adoption of mass remote working. Increased numbers of employees working from home carry with them a number of data protection and cybersecurity risks. Cybersecurity agencies have reported a significant growth in cyber-attacks since the beginning of the pandemic, with phishing and ransomware attacks on the rise. Your employees are your first line of defence in preventing cyber-attacks. You should ensure that your remote working and information security policies are up to date and that your staff receive regular training on cybersecurity and data protection issues.
3. International Transfers
If your organisation transfers personal data outside of the UK or receives personal data from outside the UK, you should review your international data flows following the end of the Brexit transition period. Transfers from the UK to the EEA are permitted, and transfers from the EEA to the UK have been allowed to continue in the short term under the transitional arrangements agreed as part of the EU-UK Trade and Co-operation Agreement. A formal adequacy decision allowing data to flow from the EEA to the UK on a more permanent basis is expected to be issued by the European Commission in the coming days. However, if you are transferring data to a country outside the EEA, you will need to ensure that the country is covered by UK adequacy regulations; otherwise you will need to put in place an appropriate safeguard and carry out a risk assessment to determine whether that country provides a level of protection for the transferred data which is essentially equivalent to that under the UK data protection regime.
4. Subject Access Requests (SARs)
Many organisations have reported an increase in SARs since the beginning of the pandemic (perhaps due to challenges in the labour market). It is therefore important that your organisation is aware of the most up-to-date guidance issued by the ICO in October 2020, which includes greater clarity on stopping the clock while seeking clarification, what constitutes a manifestly unfounded request, and what can be included when charging a fee for excessive, unfounded or repeat requests.
If you would like any further information or advice on these issues please contact Laura Cunningham from the Commercial team.
*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.