REUTERS | Mark Blinch

Privacy and cybersecurity: Spring agenda 2021

Since the winter agenda, the UK and EU formally exited the transition period on 31 December 2020, the UK GDPR entered force in the UK, and the EU GDPR regime is now a separate and parallel system. Businesses that are involved in processing activity in both the UK and the EU need to be compliant with both regimes.

The impact of the UK’s complete withdrawal from the bloc is mostly keenly felt in terms of personal data transfers. Importantly the trade and co-operation agreement between the UK and the EU included a bridging mechanism for data transfers from the EU to the UK. This mechanism is set to apply until 30 April, extendable until there is an adequacy finding for the UK with a long stop date of 30 June. During this time, personal data transfers from the EU to the UK can continue without additional safeguards (see Practice note, Brexit post-transition period: data protection (UK): UK data protection law at end of the transition period: summary).

Further information can be found in Practice note, Brexit post-transition period: data protection (UK): UK as a third country and bridging mechanism for transfers from the EU.

Promising noises have now emanated from the European Commission regarding an official finding of adequacy for the UK. If ratified, this should clear a path for the relatively seamless transfer of data between the UK and EU for the foreseeable future. For more information, see:

Meanwhile, the fallout from Schrems II still hangs in the air, impacting data transfers outside the EEA (see Blog post, Personal data exports: looking at the draft EDPB recommendations and EC model clauses).

Practical Law editors have been carrying out a vast exercise to update Practical Law resources to reflect these substantial recent changes. For more information, see Data Protection: resources updated following end of Brexit transition period.

Winter 2020/2021

Aside from the end of the Brexit transition period, here are some of the key developments over the winter months:

  • On 1 December, the EDPB published guidelines (4/2019) on data protection by design and by default.
  • In mid-December,  the ICO published Binding Corporate Rules at the end of the transition period.
  • On 17 December, the ICO published a data sharing code of practice and supplemented it with a set of resources available via a new data sharing information hub.
  • On 18 December 2020, the ICO published a blog highlighting six key points organisations must consider before implementing algorithms for hiring purposes.
  • On 14 January, the EDPB adopted guidelines 01/2021 on examples regarding data breach notification.
  • On 22 January, the ICO published a statement announcing that it has resumed its investigation into real time bidding (RTB) and the adtech industry.
  • On 17 February, the ICO published a data analytics toolkit designed to take organisations through key data protection points to consider from the outset of any project involving data analytics and personal data.
  • On 2 March, the ICO published its initial findings from research into the preparedness of organisations to be compliant with the Children’s Code by 2 September 2021.
  • On 18 March, the ICO published the final three reports from participants in the beta phase of its regulatory sandbox scheme.
  • On 19 March, the ICO outlined plans to update its anonymisation and pseudonymisation guidance and is seeking initial feedback prior to starting formal consultations and publishing refreshed guidance.
  • On 23 March, the ICO and Ofcom published an update to their joint action plan for tackling nuisance and scam calls for 2021/2022.
  • On 24 March, the DCMS published the Cyber Security Breaches Survey 2021.

Looking ahead

A key date to look out for over the next two months is 30 April 2021 when the interim provision in the EU-UK trade and co-operation agreement for transmission of personal data to the UK ends. However, if no final adequacy decision has been reached by the EU in respect of the UK by this time, this period is likely to be extended for a further two months. See here.

New Practical Law content

Practical Law has published several new or updated resources over the winter:

Leave a Reply

Your email address will not be published. Required fields are marked *

Share this post on: