
27 Jan Data Privacy Day – a checklist to help businesses
Today marks the 16th Data Privacy Day (also known as ‘Data Protection Day’), an annual international event that highlights the importance of data privacy and its impact on our daily lives.
The period since the end of 2020 has been a busy one for the privacy sector. The Brexit transition period expired, the ECJ declared the Privacy Shield invalid, the UK was granted an adequacy decision by the EU, and the list goes on.
To celebrate Data Privacy Day we have created a Data Privacy Checklist to help you keep on track and start 2022 fully compliant.
- Refresh your privacy policies
As of 1 January 2021, the retained EU law version of the GDPR (‘UK GDPR’) applies in the UK together with the Data Protection Act 2018 (DPA 2018). Whether or not your organisation processes data relating to EU individuals, your privacy policy and potentially other documents (such as privacy notices) will need an update. For now, the changes will be mainly to legislative references and terminology rather than substantive ones. But it is vital to keep your key documentation up to date to comply with data privacy laws and avoid sanctions by supervisory authorities such as the UK’s Information Commissioner’s Office (‘ICO’).
Your review should begin with searching for, and highlighting, all references to the GDPR. Search for terms like ‘EU or member state law’, ‘Union law’ or even ‘EDPB’. Then check each of the highlighted terms for required changes. Some of the definitions are now different under the UK GDPR, so be sure to check the relevant legislation and think about the context in which each term is used.
- Appoint us as your EU Representative
Following the end of the Brexit transition period, the UK is now considered a ‘third country’ under the EU GDPR. If your organisation does not have an establishment in the European Economic Area (EEA) and you are offering goods or services to individuals in the EEA, or monitoring their behaviour, you need to appoint an ‘EU Representative’ (subject to limited exemptions, for example for occasional, low-risk processing). An EU Representative acts as a direct contact between your organisation and the individuals whose data your organisation is processing, and also with the data protection supervisory authorities in the EEA.
Although it may be nicknamed a ‘hidden’ obligation by some, compliance with it is crucial. Supervisory authorities can impose a fine of up to €10 million or 2% of an organisation’s worldwide annual turnover, whichever is higher, and have the power to suspend or prohibit data processing activities altogether. We are here to assist organisations that are looking into appointing an EU Representative, changing their current EU Representative, or those which would like to expand their business to the EEA in 2022!
Unsure if this obligation applies to your organisation? Take our quick quiz to find out if you should have an EU Representative or get in touch. We’d be delighted to help!
- Appoint us as your UK Representative
The obligation to appoint a representative also remains in the UK GDPR. Therefore, organisations which are not established in the UK, but which are offering goods or services to individuals in the UK, or monitoring their behaviour, should have appointed a ‘UK Representative’ as of 1 January 2021 (or at any later date when they started processing the personal data of the data subjects in the UK).
The rules as to what can be considered an ‘establishment’ in the UK are complex and we would suggest always seeking legal advice on your current position. Our sister law firm Willans LLP can assist you with this.
Take our free self-assessment to see if you need a UK Representative, or get in touch and we can start your onboarding process today.
- Check if your contracts include new Standard Contractual Clauses (SCCs)
Last year brought changes to the use of Standard Contractual Clauses (SCCs) governing data transfers from the EU and EEA. In June 2021, the European Commission published two sets of new SCCs and provided organisations with a transitional period to implement these into both new and existing contracts which involve relevant data transfers. Note that the new SCCs are an EU instrument: restricted transfers of personal data out of the UK under the UK GDPR are not covered by them and need a transfer tool recognised by the ICO.
What to do today?
- Check that all contracts entered into on or after 27 September 2021 incorporate the new form of SCCs;
- Identify existing contracts that will need to be updated before 27 December 2022;
- Identify contracts covering scenarios newly addressed by the SCCs (for example processor-to-processor transfers) to determine whether they will need to be updated.
You can read more about the key features of the new SCCs as seen by the data privacy lawyers of our sister UK law firm Willans LLP here.
- Update your RoPA
An organisation’s RoPA is a Record of its Processing Activities involving personal data. The requirement to maintain RoPAs remains largely the same under UK GDPR as it was under EU GDPR. We would nevertheless advise you to check legislative references and pay attention to relevant sections of the DPA 2018.
What you should do today is to check whether you have updated them recently. According to the ICO, to meet their expectations your organisation should not only have RoPAs in place but also review and update them regularly. Our team of privacy lawyers at Willans LLP, our sister UK law firm, can assist if you are unsure whether your RoPAs are up to date.
- Check the agreements with your data processors
Whenever your organisation, as a controller, uses another organisation as a processor to process any personal data on its behalf, it needs to have a written agreement in place addressing both parties’ responsibilities and liabilities. The UK GDPR (Article 28(3)) sets out what such contracts must contain, including the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the processor’s obligations (such as acting only on documented instructions, ensuring confidentiality and security, and assisting with data subject rights). We would suggest you take a look at the agreements your organisation has with its processors and see if any of them need updating. Our sister law firm Willans LLP can assist you with this.
This requirement applies under both the EU and UK versions of the GDPR even where the processor is located within the EEA or the UK, so make sure that all of your data processing relationships are properly documented. Contact us today to help.
- Check whether you need a DPIA
A Data Protection Impact Assessment (DPIA) is a tool to help you identify and minimise the data protection risks of a project. We believe the best practice is to carry out a DPIA for any major project that requires the processing of individuals’ personal data. In any event, you must carry out a DPIA for any project involving processing of personal data that is likely to result in a high risk to individuals. Now is the time to check that your organisation’s policies, processes and procedures include references to DPIA requirements, and that your staff are trained both to spot when a DPIA is required and to carry one out. If you need to carry out a DPIA and don’t know where to start, or you would like to know more about your UK GDPR obligations, our sister law firm Willans LLP can assist you with this and more.
Whenever you are starting to process personal data in a new way, or are implementing new technology which involves personal data, you should consider what impact this might have on the data subjects and whether a DPIA is required. Contact us for help.
- Educate your staff
Have a privacy policy in place and ensure that your staff know what to do. Educate your employees as they will be the ones handling the data you keep and carrying out the activities covered by UK GDPR, EU GDPR and other data privacy legislation. You probably have internal policies in place but do your staff know them and, more importantly, follow them?
We trust this article has brought to light some very important data protection considerations for your organisation. If your organisation is in need of GDPR support, training or EU representative or UK representative services to comply with your data protection obligations, please get in contact with us. Our data protection experts offer businesses a free no-obligation consultation.
Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.
Through its affiliation with UK law firm Willans LLP, it also provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.
Contact us for all things concerning data protection.