Since the winter agenda, the UK and EU formally exited the transition period on 31 December 2020, the UK GDPR entered into force in the UK, and the EU GDPR regime is now a separate and parallel system. Businesses that are involved in processing activity in both the UK and the EU need to be compliant with both regimes.
The impact of the UK’s complete withdrawal from the bloc is most keenly felt in terms of personal data transfers. Importantly, the trade and co-operation agreement between the UK and the EU included a bridging mechanism for data transfers from the EU to the UK. This mechanism is set to apply until 30 April, extendable until there is an adequacy finding for the UK with a long stop date of 30 June. During this time, personal data transfers from the EU to the UK can continue without additional safeguards (see Practice note, Brexit post-transition period: data protection (UK): UK data protection law at end of the transition period: summary).
Further information can be found in Practice note, Brexit post-transition period: data protection (UK): UK as a third country and bridging mechanism for transfers from the EU.
Promising noises have now emanated from the European Commission regarding an official finding of adequacy for the UK. If ratified, this should clear a path for the relatively seamless transfer of data between the UK and EU for the foreseeable future. For more information, see:
- Blog post, A step closer to free flow of data from the EU to the UK.
- Legal update, Draft GDPR and LED adequacy decisions start EC process on personal data flows from EU to UK.
Meanwhile, the fallout from Schrems II still hangs in the air, impacting data transfers outside the EEA (see Blog post, Personal data exports: looking at the draft EDPB recommendations and EC model clauses).
Practical Law editors have been carrying out a vast exercise to update Practical Law resources to reflect these substantial recent changes. For more information, see Data Protection: resources updated following end of Brexit transition period.
Winter 2020/2021
Aside from the end of the Brexit transition period, here are some of the key developments over the winter months:
- On 1 December, the EDPB published guidelines (4/2019) on data protection by design and by default.
- In mid-December, the ICO published Binding Corporate Rules at the end of the transition period.
- On 17 December, the ICO published a data sharing code of practice and supplemented it with a set of resources available via a new data sharing information hub.
- On 18 December 2020, the ICO published a blog highlighting six key points organisations must consider before implementing algorithms for hiring purposes.
- On 14 January, the EDPB adopted guidelines 01/2021 on examples regarding data breach notification.
- On 22 January, the ICO published a statement announcing that it has resumed its investigation into real time bidding (RTB) and the adtech industry.
- On 17 February, the ICO published a data analytics toolkit designed to take organisations through key data protection points to consider from the outset of any project involving data analytics and personal data.
- On 2 March, the ICO published its initial findings from research into the preparedness of organisations to be compliant with the Children’s Code by 2 September 2021.
- On 18 March, the ICO published the final three reports from participants in the beta phase of its regulatory sandbox scheme.
- On 19 March, the ICO outlined plans to update its anonymisation and pseudonymisation guidance and is seeking initial feedback prior to starting formal consultations and publishing refreshed guidance.
- On 23 March, the ICO and Ofcom published an update to their joint action plan for tackling nuisance and scam calls for 2021/2022.
- On 24 March, the DCMS published the Cyber Security Breaches Survey 2021.
Looking ahead
A key date to look out for over the next two months is 30 April 2021 when the interim provision in the EU-UK trade and co-operation agreement for transmission of personal data to the UK ends. However, if no final adequacy decision has been reached by the EU in respect of the UK by this time, this period is likely to be extended for a further two months.
New Practical Law content
Practical Law has published several new or updated resources over the winter:
- Practice note, Resources on Practical Law for those new to data protection law provides information on key materials on Practical Law Data Protection to help train those new to data protection law.
- Practice note, Appointing a representative in the EEA and the UK: FAQs sets out a list of FAQs on appointing representatives in the UK under the UK GDPR and appointing EU representatives in the EEA under the EU GDPR after the end of the UK-EU transition period.
- Video, Schrems II: impact on the EU standard contractual clauses provides an overview of the impact of the ECJ’s decision in Schrems II on the use of standard contractual clauses to transfer personal data outside of the EEA.
- Video, Penetration testing: protecting your business from hackers using a pen test gives an overview of penetration testing.
- Standard clauses, Data processing clauses (UK) is an updated set of data processing clauses designed to facilitate compliance with the UK GDPR and DPA 2018.
- Article, BA, Marriott and Ticketmaster: an analysis of the issues and questions arising from the headline ICO fines of 2020 and accompanying Blog post, BA, Marriott, Ticketmaster, Amazon, Google… What’s the score with 2020’s big data protection fines?
- Article, Practical Law Data Protection: what to expect in 2021 summarises the main developments that will affect data protection practitioners in England and Wales in 2021 and beyond.
- Article, Data protection officers: a many-faceted role discusses the function of the data protection officer in ensuring data protection compliance and best practice.
- Article, Disclosure and personal data: employees’ personal devices reports on the recent Court of Appeal case in which the court held the High Court had jurisdiction to order defendants to request the voluntary disclosure of their employees’ and former employees’ personal devices and emails stored on them.
- Blog posts, What can we make of the Portuguese presidency’s new draft of the ePrivacy Regulation? and ePrivacy Regulation: path cleared for talks with the European Parliament on the new draft of the ePrivacy Regulation.
- Designing a global document and records management programme: checklist sets out the issues for organisations to consider when looking to create, amend or redesign all or part of a global document and records management programme.
- Document and records management training: presentation materials can be used to deliver document management or records management training to members of your workforce who are new to, or do not have specialist knowledge of, this topic.