World Data Protection Day: time for a compliance health check?
28th January is known globally as Data Protection Day. This date marks the anniversary of the Council of Europe’s adoption in 1981 of Convention 108 - the first legally binding international instrument on data protection.
The purpose of the day is to raise global awareness of data protection rights and obligations. Given the impact of Brexit and the dramatic changes to working practices as a result of the COVID-19 pandemic, it provides a useful opportunity for organisations to take a step back and reflect upon their data protection compliance.
Almost four years on from its implementation, and in spite of Brexit, the General Data Protection Regulation (“GDPR”) remains as relevant as ever to UK based organisations. This is because the provisions of the EU GDPR have been incorporated directly into UK law as UK GDPR and, in practice, there has been little change to the core data protection principles, rights and obligations.
In light of recent trends, we have identified a number of key areas which may merit a data protection health check:
- Policies and Procedures
Are your existing policies fit for purpose? It is likely the type of personal data collected by your organisation has evolved since the introduction of GDPR in May 2018. Data Protection Policies and Privacy Notices should be reviewed regularly to take into account any changes to the personal data being processed. Data Protection Policies and Privacy Notices will also need to be updated to reflect the post-Brexit legal landscape and include appropriate legislative references to UK GDPR.
- Security and Integrity of Data
The past two years have witnessed the mass adoption of remote and hybrid working. Increased numbers of employees working from home carry with them a number of additional data protection and cyber security risks. Cyber security agencies have reported a significant growth in cyber-attacks since the beginning of the pandemic, with phishing and ransomware attacks on the rise. Under UK GDPR your organisation must have appropriate technical and organisational measures in place to protect the security of data. You should therefore ensure that your remote working and information security policies are up to date and that your staff receive regular training on cyber security and data protection issues.
- International Transfers
If your organisation transfers personal data outside of the UK or receives personal data from outside the UK, you should review your international data flows. Transfers from the UK to the European Economic Area (EEA) are permitted, and transfers from the EEA to the UK have been allowed to continue on the basis of the adequacy decision issued by the European Commission in June 2021. However, if you are transferring data to a country outside of the UK and EEA, you will need to ensure that the country is covered by UK adequacy regulations; otherwise you will need to put in place an appropriate safeguard and carry out a risk assessment to determine whether that country provides a level of protection for the transferred data which is essentially equivalent to that under the UK data protection regime.
- Data Subject Rights Requests
Many organisations have reported an increase in Subject Access Requests (SARs) and Requests for Erasure over the last 12 months, particularly in an employment context. These requests can often be complex and burdensome for organisations. It is therefore vital that your organisation has appropriate procedures in place to deal with such requests and that your staff receive comprehensive training in this area.
At Carson McDowell our specialist Data team can help you ensure that your data protection compliance is on the right track. We advise on all aspects of data protection law and can provide bespoke training solutions for your organisation. If you would like any further information or advice on these issues, please contact Laura Cunningham.