Data protection activity for a Happy New Year!

Hopefully we can put 2020 far behind us, with its Brexit and Covid challenges which resulted in lots of messy, last minute activity.

So a spring clean is now called for.

At Data Protection Consulting we shall be focused on checking that clients have made changes to documentation to reflect the new situation of the UK outside of the EU. Some of these changes are very public, the website privacy notice should now reflect data transfers to EU Member States as restricted transfers and outline the applicable mechanism to support the transfer. Where appropriate there should also be new contact details for Appointed Representatives or Establishments in the EU. (For help deciding what representation your organisation needs in the EU, check the EDPB guidance here.)

The fallout of the Schrems decision in July 2020 continues to impact on data processor relationships with the added twist for EU based processors caused by Brexit. Additional complications arise from there now being draft, unapproved Standard Contractual Clauses under GDPR which will shortly be approved and replace the existing SCCs made under the 1995 Directive. In the UK it is likely that a similar set of SCCs will be adopted but, of course, there will be changes to defined terms consequent upon Brexit. So it is likely that all existing SCCs in contracts with processors will need to be updated within the next twelve months. Again the emphasis is on knowing who your data processors are and where they are located, who their subcontractors are and where they are located and so on.

Another vital check is for website mandatory content. It is surprising how many organisations have yet to resolve their Cookie consent clauses and meet disclosure requirements. It is a common theme, that updating websites during the year can lead to links that no longer work and mandatory content that is simply missing. Reviewing a website can also highlight changes in activities that have possibly not been communicated. This provides material to follow up and feed into the organisation’s Article 30 records of processing.

So, in conclusion a busy first quarter of 2021. Happy New Year! If there is too much work to do around data protection compliance why not give us a call, we would be happy to help.

Mandy P Webster, Data Protection Consulting

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

One Comment

Joy Higham January 4, 2021 at 8:49 am - Reply

This is a very useful overview of what organisations should be looking out for as we start off the New Year outside the EU.

Data protection activity for a Happy New Year!

HIV Charity fined for bulk email errors

Top tips for evidencing compliance

How to be a Compliance Auditor

Top Data Protection Compliance Tips

Article 30 records and Privacy Notices

Data protection activity for a Happy New Year!