5 data protection changes to be aware of

02 Aug 2021

Many organisations haven’t taken steps to review their data protection compliance since the GDPR came into force in 2018, but there have been a number of significant changes to the regulatory landscape since then.
Data protection continues to be a major compliance issue, both in terms of risk (with potential fines of up to €20 million or 4% of global turnover) and of day to day practicalities.  And when it comes to corporate transactions, data protection compliance is often a key issue – and stumbling block.
Below is a brief summary of the some of the key developments to be aware of.
New rules on international data transfers
In July 2020 the Court of Justice for the European Union (CJEU) declared that the EU-US Privacy Shield was invalid (in the Schrems II decision), so organisations could no longer rely on the Privacy Shield to validate transfers of personal data from the EU to the US.  The CJEU also ruled that the EU’s standard contractual clauses (SCCs) would not always be sufficient to lawfully transfer personal data from the EU to other countries and supplementary measures to protect the rights of the data subjects concerned might be required.
In November 2020 the European Data Protection Board published draft recommendations on the measures that should be taken to ensure compliance with the EU level of protection of personal data, setting out a 6-step process to help identify whether the SCCs will be sufficient and what supplementary measures might be needed.
In practice this means that organisations which transfer personal data out of the UK or the EU to a country not covered by an adequacy decision must carry out a transfer impact assessment to assess the circumstances of the transfer and whether any additional measures are necessary.
UK/EU adequacy decision
On 28 June 2021 the European Commission adopted an “adequacy decision” confirming that personal data can continue to flow freely between the UK and the EU after Brexit. This will be a great relief to companies whose operations span the UK and the EU, as the alternative would have required extensive changes to privacy documentation.
Requirement to appoint an EU representative
The GDPR has an “extra-territorial effect”, i.e. it applies to organisations outside the EU where they carry out business in the EU. With a few exceptions, the GDPR requires such businesses to appoint, in writing, a representative in one of the EU member states to act as a point of contact for European supervisory authorities and data subjects.
Following Brexit, UK businesses which carry on business in the EU have to appoint a representative in the EU, and EU businesses which carry on business in the UK have to appoint a representative in the UK for data protection purposes.
This may seem like an administrative nicety, but remember the potential costs of breaching the GDPR: for example, the Dutch Data Protection Authority fined a non-EU website provider €525,000 in June for failing to appoint an EU representative.
New EU Standard Contractual Clauses
Last month the European Commission published new standard contractual clauses (the New Clauses), revising and addressing many of the deficiencies of the old SCCs.
Businesses which operate in the EU and rely on the SCCs to transfer personal data out of the EU will need to update their data transfer agreements to include the New Clauses by 27 December 2022. The old SCCs will cease to be valid for new transfers of personal data under the EU GDPR from 27 September 2021.
Whilst the New Clauses are not currently valid under UK law and cannot be used by UK businesses to legitimatise the transfer of personal data out of the UK, UK businesses dealing with EU customers and suppliers are likely to be presented with the New Clauses by their counterparties and therefore need to be aware of the change.
The UK ICO is developing its own standard contractual clauses which it intends to circulate for comment this summer.
Read our blog New rules for international data transfers here for more information.
New EU processor clauses
The EU Commission has published a new set of processor clauses for use when engaging a data processor under Article 28 of the GDPR; whilst not mandatory, you may find them useful.
If you need advice on any aspect of data protection including, for example, transitioning to the new SCCs, international data transfers, intra-group data sharing agreements or a full audit, please do get in touch.

Further reading

Ganz v Petronz FZE & Goren – key decisions of the arbitration claim

Blog, Legal Updates
The recent Judgment in the arbitration claim Mordchai Ganz v (1) Petronz FZE (2) Abraham Goren [2024] EWHC 635 has already received attention from legal pundits.  The DMH Stallard’s legal team (Tim Ashdown, Beatrice Bass and Patrick Murray) acted for the Claimant. DMH Stallard was supported by the legal team of Altshuler Law in Israel which is a collaboration enabled through their membership of LEInternational.
Read more Read

Reversal of changes to High Net Worth Individual and Self-certified Sophisticated Investor criteria implemented

Blog, Legal Updates
As discussed in our recent update, the government announced in the Budget that the eligibility criteria for the exemptions, which allow shares and other financial instruments to be marketed to High Net Worth Individuals and Self-certified Sophisticated Investors without the regulatory protections
Read more Read

FCA to investigate personal guarantees in small business lending following a super complaint

The FSB has raised concerns that the demand for personal guarantees by lenders has a detrimental impact on small businesses accessing borrowing to grow
Read more Read

ECCTA: Fundamental changes for companies and considerations for lenders: Practical points to note

Tyne Harman outlines some of the key considerations for lenders and borrowers alike to be aware of.
Read more Read
  • Brighton - Jubilee St

    1 Jubilee Street


    East Sussex

    BN1 1GE

  • Brighton - Old Steine

    47 Old Steine


    East Sussex

    BN1 1NW

  • Gatwick

    Griffin House

    135 High Street


    West Sussex

    RH10 1DQ

  • Guildford

    Wonersh House

    The Guildway

    Old Portsmouth Road



    GU3 1LR

  • Hassocks

    32 Keymer Road


    West Sussex

    BN6 8AL

  • Horsham

    3rd Floor

    Afon Building

    Worthing Road


    West Sussex

    RH12 1TL

  • London

    6 New Street Square

    New Fetter Lane


    EC4A 3BF

  • Make an enquiry

    Make an enquiry


    Or head to our Contact us page