5 data protection changes to be aware of

02 Aug 2021

Many organisations haven’t taken steps to review their data protection compliance since the GDPR came into force in 2018, but there have been a number of significant changes to the regulatory landscape since then.
 
Data protection continues to be a major compliance issue, both in terms of risk (with potential fines of up to €20 million or 4% of global turnover) and of day-to-day practicalities. And when it comes to corporate transactions, data protection compliance is often a key issue – and stumbling block.
 
Below is a brief summary of some of the key developments to be aware of.
 
New rules on international data transfers
In July 2020 the Court of Justice for the European Union (CJEU) declared that the EU-US Privacy Shield was invalid (in the Schrems II decision), so organisations could no longer rely on the Privacy Shield to validate transfers of personal data from the EU to the US. The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries, and that supplementary measures to protect the rights of the data subjects concerned might be required.
 
In November 2020 the European Data Protection Board published draft recommendations on the measures that should be taken to ensure compliance with the EU level of protection of personal data, setting out a 6-step process to help identify whether the SCCs will be sufficient and what supplementary measures might be needed.
 
In practice this means that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer and whether any additional measures are necessary.
 
UK/EU adequacy decision
On 28 June 2021 the European Commission adopted an “adequacy decision” confirming that personal data can continue to flow freely between the UK and the EU after Brexit. This will be a great relief to companies whose operations span the UK and the EU, as the alternative would have required extensive changes to privacy documentation.
 
Requirement to appoint an EU representative
The GDPR has an “extra-territorial effect”, i.e. it applies to organisations outside the EU where they carry out business in the EU. With a few exceptions, the GDPR requires such businesses to appoint, in writing, a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
 
Following Brexit, UK businesses which carry on business in the EU have to appoint a representative in the EU, and EU businesses which carry on business in the UK have to appoint a representative in the UK for data protection purposes.
 
This may seem like an administrative nicety, but remember the potential costs of breaching the GDPR: for example, the Dutch Data Protection Authority fined a non-EU website provider €525,000 in June for failing to appoint an EU representative.
 
New EU Standard Contractual Clauses
Last month the European Commission published new standard contractual clauses (the New Clauses), revising and addressing many of the deficiencies of the old SCCs.
 
Businesses which operate in the EU and rely on the SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by 27 December 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from 27 September 2021.
 
Whilst the New Clauses are not currently valid under UK law and cannot be used by UK businesses to legitimatise the transfer of personal data out of the UK, UK businesses dealing with EU customers and suppliers are likely to be presented with the New Clauses by their counterparties and therefore need to be aware of the change.
 
The UK ICO is developing its own standard contractual clauses which it intends to circulate for comment this summer.
 
Read our blog “New rules for international data transfers” for more information.
 
New EU processor clauses
The EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR; whilst not mandatory, you may find them useful.
 
 
If you need advice on any aspect of data protection including, for example, transitioning to the new SCCs, international data transfers, intra-group data sharing agreements or a full audit, please do get in touch.
