5 data protection changes to be aware of

02 Aug 2021

Many organisations haven’t taken steps to review their data protection compliance since the GDPR came into force in 2018, but there have been a number of significant changes to the regulatory landscape since then.
Data protection continues to be a major compliance issue, both in terms of risk (with potential fines of up to €20 million or 4% of global turnover) and of day to day practicalities.  And when it comes to corporate transactions, data protection compliance is often a key issue – and stumbling block.
Below is a brief summary of the some of the key developments to be aware of.
New rules on international data transfers
In July 2020 the Court of Justice for the European Union (CJEU) declared that the EU-US Privacy Shield was invalid (in the Schrems II decision), so organisations could no longer rely on the Privacy Shield to validate transfers of personal data from the EU to the US.  The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries and supplementary measures to protect the rights of the data subjects concerned might be required.
In November 2020 the European Data Protection Board published draft recommendations on the measures that should be taken to ensure compliance with the EU level of protection of personal data, setting out a 6-step process to help identify whether the SCCs will be sufficient and what supplementary measures might be needed.
In practice this means that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer and whether any additional measures are necessary.
UK/EU adequacy decision
On 28 June 2021 the European Commission adopted an “adequacy decision” confirming that personal data can continue to flow freely between the UK and the EU after Brexit. This will be a great relief to companies whose operations span the UK and the EU, as the alternative would have required extensive changes to privacy documentation.
Requirement to appoint an EU representative
The GDPR has an “extra-territorial effect”, i.e. it applies to organisations outside the EU where they carry out business in the EU. With a few exceptions, the GDPR requires such businesses to appoint, in writing, a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
Following Brexit, UK businesses which carry on business in the EU have to appoint a representative in the EU, and EU businesses which carry on business in the UK have to appoint a representative in the UK for data protection purposes.
This may seem like an administrative nicety, but remember the potential costs of breaching the GDPR: for example, the Dutch Data Protection Authority fined a non-EU website provider €525,000 in June for failing to appoint an EU representative.
New EU Standard Contractual Clauses
Last month the European Commission published new standard contractual clauses (the New Clauses), revising and addressing many of the deficiencies of the old SCCs.
Businesses which operate in the EU and rely on the SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by 27 December 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from 27 September 2021.
Whilst the New Clauses are not currently valid under UK law and cannot be used by UK businesses to legitimatise the transfer of personal data out of the UK, UK businesses dealing with EU customers and suppliers are likely to be presented with the New Clauses by their counterparties and therefore need to be aware of the change.
The UK ICO is developing its own standard contractual clauses which it intends to circulate for comment this summer.
Read our blog New rules for international data transfers here for more information.
New EU processor clauses
The EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR; whilst not mandatory, you may find them useful.
If you need advice on any aspect of data protection including, for example, transitioning to the new SCCs, international data transfers, intra-group data sharing agreements or a full audit, please do get in touch.

Further reading

DMH Stallard LLP acts for Chill Brands Group plc in completing its fundraisings

DMH Stallard was legal adviser to Chill Brands Group plc on the fundraisings and publication of the prospectus and liaised with the Financial Conduct Authority. The DMH Stallard team was led by Nick Williams and included Georgina Thomas, Amber Monaghan and Claire Baker.
Read more Read

Corporate Awards are ‘gr-eight’ for DMH Stallard

Blog, News & PR
The Corporate department at DMH Stallard has been shortlisted for an incredible eight different awards at the 2024 South East Dealmakers Awards
Read more Read

What does fair redundancy consultation mean?

Blog, Legal Updates
All employers will be familiar with the need to follow a fair process of consultation in relation to any redundancy dismissals. But what does that mean? A recent Employment Appeal Tribunal decision underlined the importance of one aspect of the process
Read more Read

Major Reforms to Companies House

Blog, Legal Updates
The Economic Crime and Corporate Transparency Act 2023 (the “Act”) has now received Royal Assent and become law. Its objective is to deliver a range of reforms to tackle economic crime and improve transparency over corporate entities.
Read more Read
  • Brighton - Jubilee St

    1 Jubilee Street


    East Sussex

    BN1 1GE

  • Brighton - Old Steine

    47 Old Steine


    East Sussex

    BN1 1NW

  • Gatwick

    Griffin House

    135 High Street


    West Sussex

    RH10 1DQ

  • Guildford

    Wonersh House

    The Guildway

    Old Portsmouth Road



    GU3 1LR

  • Hassocks

    32 Keymer Road


    West Sussex

    BN6 8AL

  • Horsham

    3rd Floor

    Afon Building

    Worthing Road


    West Sussex

    RH12 1TL

  • London

    6 New Street Square

    New Fetter Lane


    EC4A 3BF

  • Make an enquiry

    Make an enquiry


    Or head to our Contact us page