Since a no-deal Brexit is starting to look more and more likely, the government recently released additional guidance to supplement the ICO’s (Information Commissioner’s Office) previous description of the future data protection regime. The government has stated that it will permit data to flow from the UK to EEA (European Economic Area) countries, but organisations that have data flowing from the EEA to the UK will be more restricted.
The guidance states: “The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same. To ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State the Government will make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EUWA.”
As a result, the ICO recently issued a statement to recommend standard contractual clauses for all transfers of personal data to non-EEA countries. Organisations that rely on binding corporate rules will receive further information from the ICO in due course.
In addition, the government has issued a statement about plans that will be issued in the next few weeks around changes to the implications of the GDPR and the Data Protection Act 2018.
The new regulations and detailed guidance will:
- Preserve the GDPR in local law;
- Confirm that the UK will transitionally recognise all EEA countries and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue;
- Preserve the effect of existing EU adequacy decisions, including the EU–US Privacy Shield, on a transitional basis;
- Preserve EU standard contractual clauses and binding corporate rules authorised before Exit day;
- Maintain the extraterritorial scope of the UK data protection framework; and
- Require non-UK controllers that are subject to the UK data protection framework to appoint a representative in the UK if they are processing UK data on a large scale.
Moreover, the ICO has advised organisations that have not appointed it as their lead supervisory authority to review the structure of their EU operations and assess whether they will continue to be able to have a lead authority and benefit from the one-stop-shop mechanism.
Organisations will have to deal with both the ICO and the supervisory authority in the other EEA state where they are established, according to the ICO. The ICO says that “organisations should consider now which other EU and EEA supervisory authority will become lead authority on Exit date (if any) and approach them closer to the exit date […] On Exit, the ICO will not be a supervisory authority for the purposes of the EU GDPR and so will not be an EDPB member.”
Keep control of your GDPR compliance – introducing GDPR Manager
In early February Vigilant Software will release GDPR Manager – your four-in-one compliance solution, where you can manage all your GDPR activities with one tool.
GDPR Manager combines four GDPR compliance modules. The tool enables users to assess their data protection practices and manage some of the more arduous elements of GDPR compliance, such as recording and reporting data breaches, handling SARs (subject access requests) and determining whether third parties have suitable measures in place to protect personal data.
The four modules are:
- Breach Report – Keep a record of all breaches and incidents that occur.
- SAR – Keep a record of all SARs received.
- Gap Analysis – Easily identify where action is required to protect personal data and comply with the GDPR.
- Third Party Management – Keep track of the processors and controllers that your organisation works with to process personal data.
To register your interest before the launch, please click below:
With GDPR Manager, work is saved in a central location, making maintaining and updating documentation simple. The more of your GDPR compliance activities you can do on a single platform, the better – in terms of consistency of approach, time spent on user management, cost-effectiveness, etc.
Find out more
To learn more about our range of tools and continually update your cyber compliance strategy, watch our short introductory videos: vsRisk Cloud, the Data Flow Mapping Tool, the DPIA Tool and Compliance Manager.
To request a free seven-day trial of any of our tools, please click here.