Brexit changed the legal landscape, and data protection law is one of the areas in which businesses have had to check their compliance procedures and processes to make sure they are up to date.
By Debbie Venn, Partner, DMH Stallard LLP
Impact of Brexit
Brexit affected many areas of legal compliance and business operations, including the transfer of personal data between the UK and the EU. The UK retained a large body of EU law (as "retained EU law"), including the General Data Protection Regulation 2016. That retained version, which sits alongside the Data Protection Act 2018, is now known as the UK GDPR. If your business only processes personal data within the UK, not much has changed; if it transfers personal data outside the UK or EU, there are updates to be aware of in order to comply with the applicable laws.
Transferring data internationally – what needs to be done?
Where personal data about EU citizens comes into the UK, the transfer can continue without much change, because the EU has issued an adequacy decision confirming that the UK's data protection laws provide an 'adequate' level of protection for personal data. However, where the personal data of data subjects in the UK or EU is transferred outside the UK or EU, additional safeguards are required to protect that personal data, and which safeguards apply depends on the destination country.
For example, if personal data about an individual is transferred to the USA because a UK company has its IT systems hosted there, this is classified as an international transfer of personal data, and certain measures must be put in place with the hosting provider to protect it. Previously, US businesses could certify under the Privacy Shield framework to show that they had sufficient safeguards in place, so that personal data could be transferred to them without further steps.
However, the court case known as 'Schrems II' invalidated the Privacy Shield. Businesses therefore need to take further measures to make sure that personal data remains protected when it is transferred to countries outside the UK/EU, and should review any arrangements they already had in place with suppliers and update them where necessary.
If a business transfers personal data to other countries outside the UK/EU, it needs to check whether there is an 'adequacy decision' for that country. If there is none in place, it must ensure that appropriate safeguards are in place to protect the personal data, for example the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, as applicable.
Other technical considerations
When a website or application uses cookies or other tracking technologies to analyse and track how someone uses it, information about that user is collected and reported back to the entity that placed the cookie on the user's device. Cookies are regulated by the Privacy and Electronic Communications Regulations 2003 (PECR, currently under review), which apply whether or not the data collected through the cookie is personal data. If personal data is collected through the cookie, the UK GDPR will also need to be complied with in relation to the collection and use of that personal data.
If you are using cookies, the Information Commissioner's Office recommends having a separate cookies policy on your website, for transparency with users, explaining which cookies are used and how they can be turned off or otherwise disabled. The policy should also include details of any third-party cookies that may be relevant, depending on how your website/application is structured. Third-party cookie providers (such as Google) are currently reviewing the cookies policies of businesses that use their cookies, and are notifying those businesses whose policies they do not consider clear enough about how the cookies are used. It is therefore a good time to review your use of cookies and your policies to make sure they are up to date.
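A cookies policy can only be accurate if it is checked against the cookies the site actually sets. The following is an added example (not part of the article or DMH Stallard's materials) of the kind of inventory check a web or IT team can run before updating the policy: it takes captured Set-Cookie headers, classifies each cookie as first-party or third-party relative to the site's own domain and as session or persistent, and lists any cookie that the published policy does not declare. The site host, the declared cookie names and the captured headers are all constructed sample data, and the registrable-domain check uses a small hard-coded suffix list as a stand-in for the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample data (assumptions for this example, not from the article):
# the site under audit, the cookie names its published cookies policy declares,
# and Set-Cookie headers as captured from browser devtools or a crawler, each
# paired with the host that set the cookie.
SITE_HOST = "www.example.co.uk"

DECLARED_IN_POLICY: Set[str] = {"session_id", "cookie_consent", "_ga"}

CAPTURED_SET_COOKIE: List[Tuple[str, str]] = [
    ("www.example.co.uk", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.co.uk", "cookie_consent=yes; Max-Age=31536000; Path=/"),
    ("www.example.co.uk", "_ga=GA1.2.123; Domain=.example.co.uk; Max-Age=63072000; Path=/"),
    ("ads.tracker-example.net", "trk=xyz; Max-Age=7776000; Path=/"),
    ("www.example.co.uk", "ab_test=B; Path=/"),
]

# Simplification: a real audit should consult the Public Suffix List so that
# "example.co.uk" and "example.com" are both treated as registrable domains.
KNOWN_MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


@dataclass
class CookieRecord:
    name: str
    set_by_host: str
    domain: str        # Domain attribute if present, otherwise the setting host
    persistent: bool   # True when Max-Age or Expires is present
    third_party: bool  # True when the cookie domain is not the site's own
    declared: bool     # True when the cookies policy lists this cookie name


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a host (example.co.uk for www.example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_set_cookie(host: str, header: str) -> Tuple[str, str, bool]:
    """Split a Set-Cookie header into (name, effective domain, persistent)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", host).lstrip(".").lower()
    persistent = "max-age" in attrs or "expires" in attrs
    return name.strip(), domain, persistent


def audit_cookies(site_host: str, captured: Iterable[Tuple[str, str]],
                  declared: Set[str]) -> List[CookieRecord]:
    """Build one CookieRecord per captured Set-Cookie header."""
    site_domain = registrable_domain(site_host)
    records = []
    for host, header in captured:
        name, domain, persistent = parse_set_cookie(host, header)
        records.append(CookieRecord(
            name=name,
            set_by_host=host,
            domain=domain,
            persistent=persistent,
            third_party=registrable_domain(domain) != site_domain,
            declared=name in declared,
        ))
    return records


def undeclared_cookies(records: List[CookieRecord]) -> List[str]:
    """Cookies actually set but missing from the cookies policy."""
    return sorted(r.name for r in records if not r.declared)


def third_party_domains(records: List[CookieRecord]) -> List[str]:
    """Domains of third-party cookies, which the policy must name."""
    return sorted({r.domain for r in records if r.third_party})


if __name__ == "__main__":
    report = audit_cookies(SITE_HOST, CAPTURED_SET_COOKIE, DECLARED_IN_POLICY)
    for r in report:
        kind = "third-party" if r.third_party else "first-party"
        life = "persistent" if r.persistent else "session"
        status = "declared" if r.declared else "NOT IN POLICY"
        print(f"{r.name:15} {kind:12} {life:11} {r.domain:25} {status}")
    print("Undeclared:", undeclared_cookies(report))
    print("Third-party domains to name in policy:", third_party_domains(report))
```

Every cookie reported as undeclared, and every third-party domain listed, is a gap between what the policy says and what the site does; those are exactly the points the ICO guidance and the third-party providers' reviews are looking at.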
What should you be doing now?
• Review your current policies and procedures, including your external Privacy Policy and Cookies Policy, to make sure they are up to date following Brexit and reflect your current data flows and the tracking technologies you use.
• Check with your web developers / IT team on your use of cookies and update your policies accordingly, particularly if you use Google Analytics or other third-party cookies, so that all references are up to date.
• Update data flow maps (or create a new one).
• Make sure that you have suitable measures in place to deal with any international data transfers, including any required international data transfer agreements.
Debbie Venn, Partner,
DMH Stallard LLP