As part of our In-House with You monthly Q&A series, Georgia Shriane and Daniel De Saulles of our Commercial team spoke about the development of data protection over the past five years (since GDPR and following Brexit) and how data protection law is now applied in the UK. The slides can be accessed here.
They answer some of your key questions from the session below:
I’m moving over to a sole counsel role soon. Any tips on where to start from a data protection audit perspective?
Set up a questionnaire to send out to different departments. What we really need to hear is what data is coming into them and what’s going out. Once each department has told you their part, do a big mind map with all the data compartments and where they go; identify data processing and where the risks lie. International transfers also need attention – ensure you’ve got the right processing in place.
Why has the ICO changed its name and what does this mean?
It’s all around creating a truly independent body – which will soon be changing again to ‘Information Commission’ – where there is more option to influence code of conduct. However, time will tell on what this means on a practical level.
In your experience, what constitutes malice (for the ICO)? For example, would unsuccessful interview candidates/unfounded allegations (criminal offences) be sufficient where this person has a history of doing so?
This needs a case-by-case approach where you have to make an objective and justified decision. For this scenario – if they keep asking for the data, what is the purpose? Is it because they didn’t get the job or is it because the business holds a lot of data about them?
However, there is a right to ask for data, and any business would be brave to push back on the first request. You can’t just say no without there being good reason; you can ask for them to be more specific, and if there are repeat requests, then that ventures into the unreasonable.
What is a ‘senior responsible individual’ (SRI) and will a data protection officer (DPO) still be needed?
There is no ongoing need to appoint a DPO, but you do need an SRI if there’s high risk, e.g. a public body or high-risk processing involved.
Will the new Data Protection and Digital Information Bill help or hinder the UK’s long-term adequacy decision?
The EU-UK adequacy decision is scheduled for review in 2024, so the UK government will be mindful of this, and the aim is, of course, to maintain the adequacy decision, which (to recap) is a formal recognition that a certain country or territory offers an adequate level of data protection relative to the EU GDPR.
That said, the UK has stated its desire to affect the free flow of data between the UK and the EEA for UK businesses, rather than being bogged down by the current administrative burdens of compliance using alternative mechanisms such as standard contractual clauses and the IDTA, so the proof will be in the pudding. Businesses will be eagerly anticipating!
If working with humanitarian bodies – where the activity in question is more important to the business than complying with the UK GDPR – how should that risk be owned?
This is a really interesting point. Humanitarian bodies aren’t under any law, and it’s of course more important to get support for people in war zones than signing up to a 70-page document. So, what is the best way to explain this? Well, you could look to derogations, look at public interest and vital interest as a justification for it.