Hopefully we can put 2020 far behind us, with its Brexit and Covid challenges which resulted in lots of messy, last minute activity.
So a spring clean is now called for.
At Data Protection Consulting we shall be focused on checking that clients have made changes to documentation to reflect the new situation of the UK outside of the EU. Some of these changes are very public, the website privacy notice should now reflect data transfers to EU Member States as restricted transfers and outline the applicable mechanism to support the transfer. Where appropriate there should also be new contact details for Appointed Representatives or Establishments in the EU. (For help deciding what representation your organisation needs in the EU, check the EDPB guidance here.)
The fallout of the Schrems decision in July 2020 continues to impact on data processor relationships with the added twist for EU based processors caused by Brexit. Additional complications arise from there now being draft, unapproved Standard Contractual Clauses under GDPR which will shortly be approved and replace the existing SCCs made under the 1995 Directive. In the UK it is likely that a similar set of SCCs will be adopted but, of course, there will be changes to defined terms consequent upon Brexit. So it is likely that all existing SCCs in contracts with processors will need to be updated within the next twelve months. Again the emphasis is on knowing who your data processors are and where they are located, who their subcontractors are and where they are located and so on.
Another vital check is for website mandatory content. It is surprising how many organisations have yet to resolve their Cookie consent clauses and meet disclosure requirements. It is a common theme, that updating websites during the year can lead to links that no longer work and mandatory content that is simply missing. Reviewing a website can also highlight changes in activities that have possibly not been communicated. This provides material to follow up and feed into the organisation’s Article 30 records of processing.
So, in conclusion a busy first quarter of 2021. Happy New Year! If there is too much work to do around data protection compliance why not give us a call, we would be happy to help.
Mandy P Webster, Data Protection Consulting