What will 2021 bring to the world of data protection? One thing we can be sure of is lots of changes! Because of these changes, it is imperative that you look at where all your data is located and where it is transferred to. The four areas that need to be addressed are as follows:
- Brexit
- Schrems II
- Transfer Impact Assessments
- Standard Contractual Clauses
Firstly, a Brexit deal has been completed. However, nothing will change in data protection for the first 6 months of this year. This is because the Treaty that was negotiated allows all personal data transfers to continue until the EU determines whether the UK will get ‘adequacy’ status. If we do get this, then data flows will be able to continue after the 6-month extension. If the UK does not get ‘adequacy’ status, then all companies that have personal data being transferred to and from the EU will have to prepare their own governance to ensure that they meet the principles and lawfulness of processing of all personal data required by the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Secondly, due to what is called the Schrems II ruling by the CJEU (European Court of Justice), the method for transferring data to the US, Privacy Shield, has been deemed unusable. The Schrems II ruling is named after Max Schrems, an Austrian privacy activist. Because this method of data transfer is unavailable, alternatives have to be found for personal data of UK and EU citizens going to the USA. Along with guidance from the EDPB (European Data Protection Board), this has meant that all transfers of data abroad (to all countries that are not deemed to have ‘adequacy’) are subject to the following requirements:
- Know your transfers
- Verify your transfer tool
- Assess the data laws or practices in the 3rd country
- Adopt additional measures
- Implement additional measures
- Reassess measures at appropriate intervals
Thirdly, Transfer Impact Assessments! These will need to be used to meet the requirements of point 3 above: assess the data laws or practices in the 3rd country. This involves looking at the data protection laws in the 3rd country and assessing whether data protection rights can be infringed by local government agencies. This is not easy, but hopefully more advice on this will be available from the ICO as the year progresses.
Fourthly, the use of Standard Contractual Clauses should be considered for all personal data transfers abroad. The templates for these are available on the ICO website here:
Please contact us if you have any queries concerning the above as data transfers go through these changes.