The start of 2021 brought the long-awaited end of the UK’s transition period for leaving the EU, but the temporary agreements around data flows with the EU will come up for review again during springtime, so it’s not over yet!
In the meantime, regulators are actively pursuing complaints from data subjects. So where coronavirus events interrupted your ongoing focus on GDPR matters, now could be a good time to tackle any compliance concerns you have, especially if there have been changes to some of your business activities or to the personnel overseeing compliance within your business.
In this edition of our newsletter, topics we explore include:
- Post-Brexit matters
- Common website cookies rules breaches
- Updated Standard Contractual Clauses for UK GDPR
- New data sharing code of practice
- Care around legitimate interests
- Latest enforcement action and regulator focus areas for 2021
If you want to brush up your GDPR knowledge and catch up on the latest changes, join our Refresher Workshop for GDPR Leaders sessions on 12th & 13th May. It’s our new condensed online version – contact us for details or to book your place.
If you have any queries or feedback, we’d love to hear from you!
Stay safe and well,
Anna and the team at ComplyGDPR
The ICO (Information Commissioner’s Office) has published its updated Data Sharing Code of Practice.
It contains detailed guidance on GDPR considerations when sharing or disclosing personal data, either on a routine or one-off basis, and includes checklists to help organisations make decisions about whether or how to share data.
The new code of practice highlights the importance of:
- Being able to demonstrate that you have assessed the risks for your proposed data sharing.
- Consistently taking a fair and transparent approach to sharing personal data.
- Taking care where sharing personal data in relation to a company merger or acquisition.
- Providing relevant training to everyone in your business in order to comply with GDPR.
In tandem, the ICO has also launched a new data sharing information hub, to provide additional support to organisations and help them comply with data sharing best practice.
“This code, and the products and toolkits published alongside it, provides a gateway to good data sharing practice and the benefits we can expect from the results,” says the Information Commissioner, Elizabeth Denham.
Reed Smith’s article describes what the new data sharing code covers and also highlights that it is for controller-to-controller data sharing, not data sharing with a processor.
Take stock of situations where you share personal data with other controllers, such as your clients. Do you have up-to-date records of your purposes, risk evaluations, etc.?
Consider each type of data you share. Pay extra attention to any special category data, such as candidate vetting or employee HR records.
If your candidate database or internal employee personal data is shared with other group companies, be thorough in identifying the scope of data that is shared or accessible.
For helpline subscribers, a cribsheet on third party data sharing to help you identify which types of agreements to use is on our client portal.
Contact our helpline for further help on your particular data sharing activities.
Website cookies rules continue to catch out many organisations, so we feel compelled to flag this again.
The French regulator issued eyewatering fines of 135 million euros against Google and Amazon and is clamping down on websites that do not comply. Regulators in Belgium, Germany and Italy are also showing a proactive approach to website cookies compliance.
The ICO has thorough guidance on cookies that helps spell out how to comply with cookie rules, not only for your own website but also for your responsibilities in relation to other sites or platforms your site links to, such as social media or video platforms.
Tips: Website cookies compliance
Check that your website cookie banner is compliant, e.g. does it give equal emphasis for users to Accept or Reject cookies? Is your cookies management tool configured to stop cookies being set before valid consent is obtained?
Ask about our website cookies mini service package, for guidance on the rules, policy templates and info to share with your web developer to help you become compliant.
Contact our helpline for help tackling website cookies.
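One way to check the second point in the tip above (that no non-essential cookies are set before consent) is to audit the cookie jar against the consent state. This is an added example, not code from the newsletter or from any cookie management tool; the cookie names, categories and consent object are constructed assumptions for illustration.

```javascript
// Added example: audit which cookies are present although their purpose
// category has not been consented to. Cookie names and categories below
// are constructed sample data, not real product cookies.

// Known cookies mapped to a purpose category. Anything not listed is
// treated as "unknown" (and therefore non-essential) so it cannot
// silently bypass the check.
const COOKIE_CATEGORIES = {
  session_id: "necessary",    // keeps the visitor logged in
  csrf_token: "necessary",    // request forgery protection
  consent_prefs: "necessary", // stores the consent choice itself
  _ga: "analytics",           // constructed analytics cookie
  _fbp: "marketing",          // constructed marketing cookie
};

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split("=")[0]);
}

// Return the names of cookies set without consent for their category.
// consent is e.g. { analytics: false, marketing: false }; a missing key
// counts as "not consented", and "necessary" cookies are always exempt.
function findUnconsentedCookies(cookieString, consent) {
  return parseCookieNames(cookieString).filter((name) => {
    const category = COOKIE_CATEGORIES[name] || "unknown";
    if (category === "necessary") return false;
    return consent[category] !== true;
  });
}

// In a browser you would call findUnconsentedCookies(document.cookie, state)
// right after page load, before the banner is answered; an empty array means
// the consent tool is holding back non-essential cookies as it should.
if (typeof document === "undefined") {
  const jar = "session_id=abc; _ga=GA1.2.3; _fbp=fb.1.4; csrf_token=xyz";
  console.log(findUnconsentedCookies(jar, { analytics: false, marketing: false }));
  // prints ["_ga", "_fbp"]
}
```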
Adequacy decision for EU-UK data transfers is yet to be confirmed.
It was welcome news when the EU and UK agreed to temporarily allow personal data to continue to flow from the EU to UK for the first few months of 2021, while the EU considers its UK adequacy decision.
Since then, the EU has put forward a draft adequacy decision, which the ICO notes is an “important milestone” in the process. So now we must await the outcome of the EDPB’s and EU member states’ deliberations – we hope for a favourable and swift decision!
In the meantime, the ICO continues to advise organisations to be prepared in case the UK adequacy decision is not approved by the EU. In that scenario, UK organisations may need to have additional safeguards in place, such as Standard Contractual Clauses (SCC), to continue to receive personal data from organisations based in the EU.
Meeting new requirements for EU and UK Representatives
If your business does not have an office in the EU and you regularly process personal data of EU candidates, a reminder that GDPR may require you to have an EU Representative.
Your Representative would have various responsibilities, such as: overseeing rights requests from EU data subjects; communicating with EU regulators on behalf of your organisation if a complaint was raised in the EU; and holding a copy of your Record of Processing for EU inspection. With an EU Representative, you benefit from the EU GDPR’s One-Stop-Shop (which the ICO is no longer part of). This means, for example, if you experience a security breach you avoid the risk of potentially being fined by every individual EU state in which individuals have been affected.
For overseas businesses that do not have an office in the UK, if you regularly process personal data of UK individuals you may also need a UK Representative.
Special versions of the EU and UK Representative services provided by Reed Smith’s datarologie team have been tailored for ComplyGDPR clients, with competitive options for our micro and small business clients.
What data protection regulations apply now the Brexit transition period has ended?
The UK GDPR took effect from 1st January 2021. (At this stage, it is fundamentally a carbon copy of the EU GDPR at 31st December 2021, but it may diverge over time.)
The Data Protection Act (DPA) 2018 still applies. This regulation sits alongside the UK GDPR and also contains special conditions for certain aspects of the UK’s version of GDPR.
The Privacy and Electronic Communications Regulations (PECR) still apply. These are pertinent for electronic marketing activities (email/phone/text) and website cookies rules.
Reminder: for UK based organisations, the UK GDPR applies to ALL personal data you process. That means you should extend the protection and individual rights provided by UK GDPR to all your data subjects, regardless of where they are located.
Get straight with the new rules if your organisation has cross-border activities between the UK and EU or between multiple countries within the EEA.
Assess whether you may need to appoint an EU representative or a UK representative. If so, publish their details on your website privacy notice.
How can we help?
If you are unsure whether you need an EU or UK Representative, ask for our joint ComplyGDPR/datarologies/ReedSmith brochure, which includes a flow chart to help.
For a copy of our latest post-Brexit checklist, contact our helpline.
Your business is probably processing many types of candidate, client or employee data on the basis of legitimate interests. Remember, this is lawful only if you can demonstrate your fair justification for relying on legitimate interest – have you documented how you evaluated this objectively?
The ICO describes legitimate interests as “the most flexible lawful basis for processing”; however, it is clear that companies must have robust tests to demonstrate that the risks to the individuals do not outweigh those interests.
Check your GDPR records include a valid legitimate interest assessment (LIA) for each type of data you process on the basis of legitimate interest.
If you start to process any new types of data, make sure you identify and document your lawful basis first, e.g. where gathering new types of candidate data or starting to use data for a different purpose.
Helpline subscribers can find a Legitimate interest assessment (LIA) template and a completed example on our client portal.
Contact our helpline for help considering your lawful basis options for handling personal data for particular purposes.
For the time being, the ICO confirms it is still OK to use the EU Standard Contractual Clauses (SCCs) for existing or new international data transfers from the UK.
However, they add guidance that certain tweaks are allowed to tailor them specifically for UK GDPR (which has been in force in the UK since 31st December 2020). Other changes to the SCCs are not allowed and may make them invalid.
Accordingly, new versions that include suggested UK changes with guidance have been published by the ICO – one for controller to processor and one for controller to controller. UK companies could consider adopting these to safeguard transfers of personal data outside the UK and EEA. However, the ICO also says it is working towards publishing new updated sets of UK SCCs sometime during 2021. (The EU is also getting close to adopting its own new EU SCCs.)
For helpline subscribers, a ready-to-use format of the ICO’s UK GDPR SCCs is available on our client portal.
Ask us for further help understanding when and how to use SCCs when you share personal data with clients, suppliers or your group companies.
With at least 100 GDPR enforcement actions reported this past quarter, with penalties ranging from 1000 euros to 8,000,000 euros, it is clear that EU and UK regulators take GDPR compliance seriously.
Here are just a few examples of recent activities that have led to regulator action and fines.
In the UK, carrying out direct marketing activities without consent has been behind most fines and notices issued by the ICO this quarter. Small and large organisations alike have been penalised. In all cases the volumes of email/SMS/telephone marketing activities have been high, but a tiny portion of complaints (much less than 1%) has been enough to trigger enforcement.
Failing to meet the 72-hour deadline for reporting a data breach resulted in a 475,000 euro fine for Booking.com from the Dutch regulator. A reminder that it is critical to have an effective process in place to respond to any data breach, and to train staff to recognise and report any suspected breach immediately.
A mistake of emailing documents containing personal data to the wrong client led to a 3,000 euro fine being issued to a financial consulting firm. The Spanish regulator’s concerns included not having adequate security measures in place to protect personal data – for example, measures such as pseudonymisation or encryption to help protect confidentiality.
Ensure your marketing team are well versed on obligations under both GDPR and PECR (e.g. for email marketing).
Assess the measures you have in place to prevent sending confidential candidate data to the wrong recipient, e.g. encryption, pseudonymisation or related staff training.
Carry out refresher training for all your staff on how to avoid data breaches, to help reduce the risk of fines or reputational damage for your business.
Check all staff are well trained in identifying, escalating and responding to data breaches quickly, so you meet the GDPR’s 72-hour deadline.
Data breach is one of the key aspects of GDPR included in our employee online GDPR training.
Our short cyber security awareness online training helps employees reduce the risk of cyber attacks from hackers, online criminals or other malicious actors, including the higher-risk areas of working from home.
Register your interest in our GDPR for marketing refresher to help your marketing activities comply with GDPR and PECR.
The UK Information Commissioner set out the ICO’s plans for 2021. Some may not directly impact the recruitment sector, but it can be useful to be aware of the wider data protection landscape.
Plans they describe include:
- Continuing to support organisations in COVID-19 related data protection matters. The ICO continues to update its data protection and coronavirus advice on matters such as testing, data collection and contact tracing.
- Innovation and improvements in data sharing between organisations, including adopting the guidance set out in its updated Data Sharing Code of Practice. As part of this, the ICO has also announced plans to update its guidance on anonymisation and pseudonymisation practices for personal data.
- Supporting adoption of the recently introduced Age Appropriate Design Code, which sets statutory data privacy standards for online services likely to be accessed by children under 18.
- Continuing proactive investigations and audits, in particular in the areas of adtech and direct marketing data broking activities, and enforcement for non-compliant handling of direct marketing data.
The ICO’s focus may evolve in other areas as the year progresses. In the meantime, we see spot-check audits and some enforcement activities that the regulator temporarily paused or relaxed during COVID, starting to be resumed.
Global regulator focus
For a global round-up of regulator focus and developments, see this helpful blog summarising selected countries in Europe, Asia and South America. Themes include:
- continuing proactive enforcement action;
- security of special category and health data;
- data breach notification;
- international data transfer; and
- website cookie rules compliance.
Review your GDPR compliance in the areas being highlighted by regulators, particularly where there may have been changes to the scope of your services, marketing activities, or geographies where you operate.
Contact our helpline for further information or guidance about any of these areas of data protection.