5 data protection changes to be aware of

02 Aug 2021

Many organisations haven’t taken steps to review their data protection compliance since the GDPR came into force in 2018, but there have been a number of significant changes to the regulatory landscape since then.
 
Data protection continues to be a major compliance issue, both in terms of risk (with potential fines of up to €20 million or 4% of global turnover) and of day-to-day practicalities. And when it comes to corporate transactions, data protection compliance is often a key issue – and stumbling block.
 
Below is a brief summary of some of the key developments to be aware of.
 
New rules on international data transfers
In July 2020 the Court of Justice for the European Union (CJEU) declared that the EU-US Privacy Shield was invalid (in the Schrems II decision), so organisations could no longer rely on the Privacy Shield to validate transfers of personal data from the EU to the US. The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries, and that supplementary measures to protect the rights of the data subjects concerned might be required.
 
In November 2020 the European Data Protection Board published draft recommendations on the measures that should be taken to ensure compliance with the EU level of protection of personal data, setting out a 6-step process to help identify whether the SCCs will be sufficient and what supplementary measures might be needed.
 
In practice this means that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer and whether any additional measures are necessary.
 
UK/EU adequacy decision
On 28 June 2021 the European Commission adopted an “adequacy decision” confirming that personal data can continue to flow freely between the UK and the EU after Brexit. This will be a great relief to companies whose operations span the UK and the EU, as the alternative would have required extensive changes to privacy documentation.
 
Requirement to appoint an EU representative
The GDPR has an “extra-territorial effect”, i.e. it applies to organisations outside the EU where they carry out business in the EU. With a few exceptions, the GDPR requires such businesses to appoint, in writing, a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
 
Following Brexit, UK businesses which carry on business in the EU have to appoint a representative in the EU, and EU businesses which carry on business in the UK have to appoint a representative in the UK for data protection purposes.
 
This may seem like an administrative nicety, but remember the potential costs of breaching the GDPR: for example, the Dutch Data Protection Authority fined a non-EU website provider €525,000 in June for failing to appoint an EU representative.
 
New EU Standard Contractual Clauses
Last month the European Commission published new standard contractual clauses (the New Clauses), revising and addressing many of the deficiencies of the old SCCs.
 
Businesses which operate in the EU and rely on the SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by 27 December 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from 27 September 2021.
 
Whilst the New Clauses are not currently valid under UK law and cannot be used by UK businesses to legitimatise the transfer of personal data out of the UK, UK businesses dealing with EU customers and suppliers are likely to be presented with the New Clauses by their counterparties and therefore need to be aware of the change.
 
The UK ICO is developing its own standard contractual clauses which it intends to circulate for comment this summer.
 
Read our blog “New rules for international data transfers” for more information.
 
New EU processor clauses
The EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR; whilst not mandatory, you may find them useful.
 
 
If you need advice on any aspect of data protection including, for example, transitioning to the new SCCs, international data transfers, intra-group data sharing agreements or a full audit, please do get in touch.
