The essential role of Data Protection in business and changes Post Brexit
Updated: Apr 30, 2021
This article highlights the importance of data protection. It will explore the data protection statutory changes and provide you with guidance to ensure that your business complies with the new changes to avoid data breaches.
Whilst information collected from your customers can help boost your business, leaking or losing this information could be very detrimental to the success of your business. This article will cover the importance of data protection and offer you some contractual considerations you should look into to ensure compliance, especially post-Brexit.
· Why is data protection important?
· Statutory changes
· Contractual considerations
1. Why is data protection important?
Data is instrumental to the growth and success of a business. Data collected can range from personal information about your customers to business information concerning operational costs and revenue. Collecting the right data about your customers can help you serve them better, know your target market, develop the right marketing tactics, and focus your resources on the right market and products. As a data collector, you need to ensure that you have the right cybersecurity software and tools to protect collected data. Lack of reliable data protection could lead to data loss or leakage risking a data breach.
A data breach could be damaging to your business’ reputation, potentially leading to loss of intellectual property and revenue. As a result of business interruption, costs could be incurred for lawsuits and for the resources needed to restore your reputation or recover the leaked data.
In view of what is at risk in case of a data breach, you should consider upgrading your data protection systems and/or partnering with cybersecurity providers to get the right software for your business’ ultimate data protection and security.
2. Statutory Changes – the current situation with the EU
With effect from 1 January 2021, the UK is no longer part of the EU. The UK is now regarded as a third country under the EU GDPR; essentially, this means that the UK is a country outside the EU without an ‘adequacy decision’. At present, a 6-month interim period (ending June 2021) has been agreed by the EU and UK to ensure the continued flow of data between the two without restriction until an adequacy decision is made by the EU.
Under the European Withdrawal Agreement, Articles 70 – 73 state that the UK ‘shall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.’ Ensuring a level of data protection equivalent to the EU is the only way the UK can achieve the required level of adequacy to ensure unrestricted flow of data between the EU and UK after the interim period.
If an adequacy decision is not made by June 2021, the UK risks experiencing the practical effects of being identified as a ‘third country’, i.e. controllers and processors will have to provide safeguards and enforceable subject rights before transferring any personal data, subject to Article 46 of the EU GDPR.
In anticipation of Brexit, the government published the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (DPPEC), which took effect on 31 January 2020. The DPPEC regulations contain the new UK GDPR and a revised copy of the Data Protection Act 2018.
Generally, the new UK GDPR is identical to the EU GDPR save for a few text changes. For example, the terms EU and Union have been replaced with the UK and domestic law respectively. The Data Protection Act 2018 covers a wider scope than the EU regulation to include other parts such as law enforcement processing and intelligence services processing.
3. Contractual Considerations
The UK is committed to maintaining the high standard of the EU GDPR hence its incorporation into domestic law as the UK GDPR. If an adequacy decision is reached by the end of the transition period, there will barely be any changes to the data protection laws.
In preparation for the eventuality that an adequacy decision is not reached, the ICO (Information Commissioner’s Office) recommends that businesses that keep personal data from the European Economic Area (EU, Iceland, Norway, and Liechtenstein) should put in place alternative safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules before the end of April.
UK businesses and organisations with offices and branches in the EEA or with EEA customers will have to comply with both the EU and UK data protection regulations. You may also have to appoint a designated representative in the EEA especially if you process large amounts of data and/or special categories of data. The representative will be required to maintain records and work with the supervisory authorities in case any issues arise. Similarly, EU businesses without offices in the UK will be required to appoint a designated representative in the UK.
Businesses should identify the information acquired from overseas customers before the end of the transition period (legacy data). Assess the current information you have about your overseas customers to identify where they lived before 31 December 2020 (i.e. before the end of the transition period). All information collected from these customers will be subject to the EU GDPR as it stood on 31 December 2020 (frozen GDPR). Personal data collected and processed after 1 January 2021 in accordance with the Withdrawal Agreement is also subject to the frozen GDPR. For further guidance on legacy data, refer to the ICO End of Transition Interactive Tool.
Conversely, if you do not have any customers from the EEA and already comply with the GDPR, you do not have to do anything more to comply with the data protection regulations.
Data is essential to the growth and success of a company. However, if this information is mishandled, it can cost your business its reputation and revenue in efforts to recover the lost or leaked data. As such, you should ensure that you comply with the data protection regulations and employ reliable cybersecurity software to avoid losing any data collected.
Following Brexit, there have been a few changes to the data protection regulations. For example, the UK no longer relies on the EU GDPR. Instead, the EU GDPR has been incorporated into domestic law and is to be followed in conjunction with the Data Protection Act 2018.
An interim period of 6 months has been agreed upon by the EU and UK to allow the continued free transfer of information between the two blocs. If the UK is still regarded as a country without an adequacy decision after this period, it will be treated as a third country. As a third country, UK controllers and processors will have to provide safeguards and enforceable subject rights before transferring any personal data, subject to Article 46 of the EU GDPR.
If the EU deems the UK to have adequacy after June 2021, there will be no major changes to the data protection laws and therefore there will be a continuous flow of data between the EU and UK without restrictions.
In preparation for the unfortunate eventuality that the UK is not regarded as a country with an adequacy decision after June 2021, the ICO recommends that you put in place alternative safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules before the end of April. Employing these alternative safeguards can be complex, time-consuming, and costly.
Who is Serenity Law LLP?
Serenity Law LLP was founded by Avinder Laroya and Stanley Beckett, to provide agile legal services to business clients. When working with corporate clients on advisory services, the team at Serenity Law aims to provide practical legal advice and guidance.