Data protection in the event of a no-deal Brexit

If the UK exits the EU on 31st October 2019, it would technically mean that all data transfers between the EU and the UK must cease with immediate effect come midnight on that date. This would be the case until one of the following three mechanisms available for transferring data to countries, which are not considered to offer adequate protection of individuals’ data, has been put in place:

1. Binding Corporate Rules

These rules are suitable for large multinational corporations as these cover intra-organisational data transfers of personal data across borders.

2. Derogations

Derogations (an exemption from or relaxing of the law) should be applied restrictively and are only suited to processing, which is occasional and non-repetitive.

3. Standard Data Protection Clauses

For most small to medium-sized companies, these clauses are likely to be the preferable, or indeed only, option for ensuring that data can continue to flow between the UK and the remaining EU member states. However, it is important to note that these must not be modified and must be signed as provided. While they can be added to a wider contract, or have additional clauses added to them, care must be taken to ensure the standard clauses are not contradicted. Another key element to highlight is that these clauses will always be governed by the laws of the Member State in which the EU-based party is based.

When considering what steps to take in order to keep making international transfers of data, it is worth assessing current relationships with other parties. Is your company the controller of the data transfers, or the processor? Ultimately, the onus to ensure the transfer is legally permissible is with the controller. Having said that, Goodwille strongly recommends clients to adopt a proactive approach. It may be appropriate for a processor to be the driving force behind putting one of the three above-discussed mechanisms in place. This should be done by the 31st October 2019, regardless of the outcome of the Brexit negotiations.

Do you have any questions about how a no-deal Brexit might affect your business’s data protection and how you ought to prepare? Do not hesitate to contact us – we’d be happy to answer any questions you may have.

This update is for general guidance only. Specific legal advice should be obtained in all cases. This material is the copyright of Goodwille Limited (unless otherwise stipulated) and is not to be reproduced in whole or in part without prior written consent.

Our guide to become GDPR compliant

As advisors supporting businesses in the UK, we would like to inform you of the new Data Protection legislation, the EU General Data Protection Regulation (GDPR), and its related implications for your business. We want to ensure that you are aware of the new legislation, what measures your company have to take in order to comply with the regulation, and how Goodwille can assist you in becoming GDPR compliant. This guide provides an overview of the new regulation, and what you can do to ensure you and your business are prepared for the changes to existing legislation.

The GDPR is enforced on 25 May 2018, replacing the existing EU Data Protection Directive. The regulation significantly increases the obligations and responsibilities for businesses in how they gather, use and protect personal data. At the same time it strengthens European citizens’ data privacy and right to access their personal data by setting out additional and more clearly defined rights for individuals whose personal data is stored by businesses.

Below are some of the main considerations on how to prepare to become a GDPR compliant organisation:

Identify problem areas in your business by reviewing and enhancing your organisation’s risk processes

This can be done by making an inventory of all personal data the business holds, why the business holds it, if it is still needed, and if the data is safely stored.

Communicate with your clients and employees

You will need to ensure that your clients and employees are fully informed about how their data is used and that your company has procedures in place cover all the rights individuals are entitled to, e.g. the right to access their data or have it erased from your systems.

Data subject access request

Every individual has the right to make a data subject access request. This means that the individual has the right to obtain all the personal information your company stores about the individual within one month from the date the request was made. You will need to ensure that you have measures in place to deal with any such request within one month’s time.

Consent to store individuals’ data

An individual’s expressed consent has to be freely given for a company to be allowed to gather and store any personal data. Note that an individual cannot be forced into consent or be unaware that they are consenting to their data being stored e.g. through pre-ticked boxes, but the consent has to be actively given by the individual.

It is essential that your business is mindful of data privacy in all ongoing and future projects, as you will face heavy fines if not. The GDPR is based on the one stop shop mechanism signifying that organisations engaged in cross-border processing of personal data will deal with a single lead supervisory authority. Your company’s lead supervisory authority will be the authority of the country in which your business has its main establishment.

To ensure that your business is compliant before 25 May, it’s time to put a GDPR policy in place or draft board minutes to show that your company is working towards becoming GDPR compliant. Goodwille are happy to provide you with further guidance on the GDPR, help set up a company policy or draft board minutes containing information on how your company is working towards complying with the regulation. Get in touch with our Corporate Legal team today for assistance or if you have any questions. This article also provides a good foundation for understanding the GDPR and its implications for your business.

GDPR and your business

Any business looking to set up a subsidiary in the UK, or anywhere in the EU, will have to have at least a basic understanding of the General Data Protection Regulation (or GDPR). The Regulation is the biggest shake-up of individual rights to their personal data of the Internet age and will have a major impact on how data is stored and shared within and without the EU.

What has changed?

From May 25 2018, the regulations change to unite all local privacy laws across the EU – changing the definition of what constitutes personal information to include names, photos, email addresses, and even a computer’s IP address. This applies across a person’s whole life, there is no distinction between a personal email and a work email, for example.

The new rules also introduce new rights for consumers, including the right to be forgotten, the right to know what data is held, the right to object to receiving marketing and the right to have information about them corrected. This means that explicit consent must be received from the consumer for each use of their data before it happens, meaning separate consents are needed for different activities.

What does it mean for my business?

It is vital that businesses comply with the new regulations, with tough penalties in place for non-compliance, up to a 4% fine of global revenue. This applies even to non-EU companies who hold the data of EU citizens, or EU companies who process data outside the Union. While it is a good idea to appoint someone to oversee the transition to the GDPR rules and ensure compliance, it is more than just an IT issue. Sales and Marketing are two of the areas most directly affected.

The most important measures to take are to ensure that you have procedures for properly obtaining the right consents from customers, a policy on what data is kept, where and why, storing the data securely, ensuring that old data is deleted and ensuring there is a procedure for deleting or amending data when requested.

While most of these needs are just good housekeeping anyway, they will soon be enforceable by law. It is very important that all businesses not only understand what GDPR means, but that they also have a plan to transition. Our team of legal experts can help you with guidance and answer any questions you may have about GDPR and how it can affect your business. Get in touch with us today!