The GDPR was touted as the gold standard for data protection in Europe. The huge fines for infringements stole headlines and businesses made their best efforts to be as GDPR compliant as possible, with many relying on the ICO’s leniency in the first 12 months of its implementation.
This leniency appears to be waning. Over the last 12 months, there has been a 39% increase in fines handed out by data protection authorities and a total of £235m has been levied in fines since the GDPR’s introduction.
Although the GDPR is an EU regulation and therefore no longer applies to the UK by virtue of Brexit, you will still need to comply with UK data protection law. In the short term this means effectively complying with the EU GDPR as it has been incorporated into UK law. However, with the UK now free to change its data protection laws, in the longer term you will have to be aware of any changes in the UK data protection landscape, in particular if you process the personal data of EU citizens.
Keep calm and carry on for now
The worst fears of data protection experts, that the UK would, on exiting the EU on 1 January 2021, become a ‘third country’ overnight, did not materialise. The last-minute EU-UK Trade and Cooperation Agreement (TCA) added a transitional period for data transfers, but this transitional period is up at the end of June 2021.
This month the European Commission published the draft for an adequacy decision regarding transfers of personal data to the UK. An adequacy decision is a formal decision made by the EU which recognises that another country provides an equivalent level of protection for personal data as in the EU. The draft decision does recognise the UK’s high data protection standards and that it should be found ‘adequate’.
If the EU publish their final decision before the end of June 2021, it will mean that, for now, business will continue as usual and you will need to comply with the GDPR. However, if you have been relying on the ICO’s initial grace period in relation to your GDPR compliance, you should consider tightening it up, as that grace period appears to be over.
In the event that the final decision is not issued in time, businesses that process the personal data of EU citizens should be prepared to enter into the standard contractual clauses (aka model contracts) in order to comply with the GDPR.
Privacy and Electronic Communications
Although the GDPR stole the headlines, it is not the only data protection law of which you should be aware. Just this month the ICO has issued a monetary penalty notice of £60,000 to Just Hype Ltd for sending SMS marketing messages in breach of the Privacy and Electronic Communications Regulations 2003 (PECR).
The PECR sits alongside the GDPR, and its rules apply the UK GDPR standard of consent. This means that if you send electronic marketing or use cookies or similar technologies, you must comply with both PECR and the UK GDPR.
There is, of course, overlap between the two; however, you need to be aware of the PECR as it applies even if you are not processing personal data.
How we can help
Data is the greatest asset that many businesses have, but if it’s personal data, it could also be their greatest risk. Whether you need advice on the GDPR, privacy policies, GDPR training or a GDPR audit, do ask for advice; we are well-placed to help.