Monthly Archives: September 2019


GDPR. Legitimate Interests and Consent.

In this blog, we’ll discuss the pros and cons of legitimate interests and consent. It can be tricky working out the lawful basis (or bases) with which the data processing activities of your organisation are best defined and justified. They will vary across different business areas and between – and even within – industries.  Legitimate interests and consent tend to be most relevant to the private and third sectors and have become the subject of much discussion among marketing and other data-centric professionals.

But first, a bit of context. The General Data Protection Regulation (GDPR) provides six lawful bases for processing, a couple of which are fairly straightforward to understand. For instance, legal obligation is an obvious lawful basis in some circumstances, such as processing accident information for a report to comply with Health & Safety regulations. Almost all professionals will have some experience with this lawful basis of processing. But what about legitimate interests and consent? These have very specific requirements under the GDPR, and it’s important to be familiar with them.

What are the Legal Bases?

The six lawful bases under the GDPR are as follows:

  • Consent:  the individual (data subject) has provided clear, positive consent for you to process their personal data for a specific purpose.
  • Contract:  the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation:  the processing is necessary for legal compliance (other than contractual obligations).
  • Vital interests:  the processing is necessary to protect someone’s life.
  • Public task:  the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests:  the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

These are not hierarchical.  You must select the single most appropriate legal basis for the activity and purpose for which you are conducting the processing. There are simple steps you can take to help you decide between legitimate interests and consent.

When and How do I Use Legitimate Interests?

Article 6 of the GDPR grants legitimate interests as a lawful basis if the processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interests is widely used for marketing and some areas of HR.

So how do we know if this is the case? Well, there is a three-step test, approved by the Information Commissioner’s Office (ICO), summarised below. This is known as a Legitimate Interests Assessment (LIA).

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is this processing necessary? Crucially, could this legitimate interest be pursued without the processing of personal data?
  3. Balancing test: do the individual’s rights override the organisation’s legitimate interests?

It’s important to have these LIAs established and documented prior to any processing. If you think your organisation could rely on genuine legitimate interests, here are some benefits:

  • It is the most flexible lawful basis for processing. There are a wide range of legitimate interests, including commercial.
  • Going through an LIA is always useful: you may find ways of streamlining your data processing to what is strictly necessary and limiting your privacy impact.
  • You don’t need to disrupt or pester a data subject with a consent request for processing to which no one would reasonably object.
  • It can also be used for some routine internal processes such as HR.

When and How May I use Consent?

More and more people will be aware of the GDPR’s tightening of the consent definition, but here’s a quick recap: consent is a lawful basis for data processing if…

“The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

It is the specificity of the purpose for which a data subject’s information is being processed that’s important to remember. Consent must be informed, which means you must tell the individual what data you are collecting, the reason why, and what you will do with it.  Evidence of consent must be captured. And remember, data subjects may withdraw consent at any time they wish.

Some other benefits of using consent include:

  • It’s a very strong, unambiguous ground for processing. You asked, and they said yes. As long as you have evidence, it is difficult to argue with.
  • Consumers, in certain contexts, may trust you more for having asked, and may appreciate your concern for data protection rights.
  • It allows individuals to understand and engage with how their own data is being used, fostering a mutual respect for data rights.

If you have any questions about the legal basis for processing, including LIAs or Consent requirements, please contact us via email team@datacompliant.co.uk or call 01787 277742

Harry Smithson, 29th September 2019


Brexit. 35 days to go … and stormy times at Westminster

Well nobody saw that coming! On Tuesday, as storm clouds descended on Westminster, the Supreme Court delivered its own thunderbolt.  In a unanimous decision, all 11 Supreme Court Justices ruled that, in the circumstances, it was unlawful for the Government to advise the Queen to prorogue Parliament. The suspension of Parliament was void and the session should resume as soon as possible. In effect the Court overruled the legal basis for the prorogation.

Parliament duly resumed on Wednesday morning with renewed antagonism (even toxicity) on all sides of the political and Brexit divide.    

In the opening exchanges, the Government made it clear that it accepted the ruling of the Court. Nevertheless, Ministers, including the Attorney General, Geoffrey Cox, made it clear that they profoundly disagreed with the ruling. The Attorney General stated he is “considering” releasing his original advice to Government on prorogation. It will be interesting to see the legal basis for his advice.

Still the Brexit clock is ticking…

Parliament will now resume work on the legislative programme of Bills that had been put aside when prorogation was announced. Meanwhile all the work on a revised Withdrawal Agreement with the EU is taking place elsewhere as the shuttle-diplomacy between London and other EU capitals continues.

New deadline?

One piece of legislation that did pass in the brief period between the end of summer recess and the “prorogation that never was” has introduced a new deadline.  The European Union (Withdrawal) (No.2) Act focuses attention on 19th October, a full two weeks before the Hallowe’en witching hour.   

This Act – more commonly referred to as the “Benn Act” and more recently, by the Prime Minister himself, as the “Surrender Bill” – requires Parliament to pass a new Brexit Withdrawal Agreement by the 19th October deadline. If a Withdrawal Agreement has not been passed with a Parliamentary majority by the 19th, the law requires the Government to write to the EU Commission to request a further extension to EU membership. A draft of the letter is included within the Act.

Clearly the provisions of the Act fly in the face of the PM’s commitment to leave the EU, with or without a deal, by 31st October or “die in a ditch”.  When asked directly if he would comply with the Act if he cannot secure a Withdrawal Agreement by 19th October, he answered with a single word. A categoric “No”.

If it turns out that the Prime Minister refuses to obey the provisions of the new Act, the legal basis for his decision will surely be challenged.  But that is a legal challenge that is yet to come…

Deal or No Deal, the Data Protection Act & GDPR will apply

Last week we talked about the legal basis for processing personal data. Businesses are concerned about the free flow of personal data.  This will still be possible so long as there is a valid legal basis for processing such as ‘for the performance of a contract’. Contracts, data processing, and data sharing agreements must be up to date including, where applicable, the so-called standard contract clauses.  These are also known as the EU Model Clauses.

Legitimate Interests Processing

Another legal basis is Legitimate Interests, which can be the most flexible legal ground for companies to use. However, it cannot be assumed that it will always be the most appropriate. In business it is sometimes used instead of Consent, for example for certain forms of direct marketing, web analytics or routine internal activities such as HR.

As with all aspects of data protection compliance the rights of the individual and the security of the data are paramount and should be built into any processing operation.  This is known as Privacy by Design and Default.

Legitimate Interests Assessment (LIA)

As part of ‘Privacy by Design and Default’, it is essential to assess the impact of any processing on the individuals concerned.  So the scope, purpose and security of the processing must be considered before using Legitimate Interests as a legal basis for processing personal data. This can be achieved by conducting a legitimate interests assessment, which consists of:

  1. Establishing a use case which identifies the legitimate interest
  2. Conducting a necessity test – is the processing really needed/is there an alternative
  3. Conducting a balancing test – this will help to identify the impact of your processing and whether this overrides the interest you have identified
  4. Safeguards – having adequate technical and organisational safeguards in place to protect the confidentiality and integrity of the data

It is advisable to use an LIA framework or template for this purpose and to seek the advice of a data protection officer or advisor who has the expertise to guide you through this process.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 27th September 2019

European Council Presidency gets closer to finalising the ePrivacy Regulation

On the 18th September, the Presidency of the European Council published its proposed amendments to the draft ePrivacy Regulation which will replace the current ePrivacy Directive framework. With the new regulation in place, the EU’s framework for data protection and confidentiality of electronic communications will be complete.

ePrivacy and GDPR

How are the ePrivacy Directive and its forthcoming replacement distinct from the General Data Protection Regulation (GDPR) and other privacy regulations? The Directive uses the same legal definitions of privacy and data that were brought in by the GDPR, but it attempts to establish coherent legal rules across Member States for phenomena such as unsolicited marketing, confidentiality breaches and other forms of potentially harmful electronic communication that fall outside the personal-information scope of the GDPR. In the UK, the ePrivacy Directive is implemented by the Privacy and Electronic Communications Regulations (PECR), which operate alongside the Data Protection Act 2018 (which is itself derived from the GDPR).

Draft ePrivacy Regulation

The draft Regulation currently provides:

  • Rules for ‘spam’ or unsolicited marketing

Unsolicited commercial communications via electronic media are prohibited under the ePrivacy Directive, unless the recipient has prior informed consent. Consent is not required, however, to send commercial emails to existing customers to advertise similar services or products (although each communication must include an opt-out option).

  • Tougher rules for the use of cookies and tags

The new rules for cookies and online identifiers in the Regulation will be tougher than those of the incumbent ePrivacy Directive. The Regulation now recognises the ‘storing or processing capabilities of the device,’ not just the storage and retrieval of data. This means that specific scripts and tags, currently unrecognised by the Directive’s cookie rules, will be covered by the Regulation. Cookies usually require consent, but there are some exemptions, for instance in (certain forms of) analytics, essential software updates and security.

  • Secrecy requirements for ‘machine-to-machine’ and ‘Internet of Things’ communications

The Regulation attempts to differentiate between secrecy requirements on:

  • electronic communications content;
  • electronic communications metadata (data that provides information about other data); and
  • electronic communications data (common rules for both content and metadata).

People’s electronic communications are generally protected by a right to secrecy, although the rules may differ slightly between these categories. For instance, the Regulation finds that processing metadata is permissible for the purposes of:

  • network management,
  • network optimisation, or
  • statistics.

These rules do not apply only to human interaction; they also apply to the processing of M2M (machine-to-machine) communications. The European Council Presidency’s recent amendments to the draft legislation particularly concerned the secrecy requirements for communications metadata.

On the 24th September, the amended draft will be further discussed by the Council’s Working Party on Telecommunications and Information Society.

If you have any questions about ePrivacy and GDPR regulations, please contact us via email team@datacompliant.co.uk or call 01787 277742

Harry Smithson, 22nd September 2019

42 days and counting…

With the Brexit countdown clock still ticking, it seems that all has gone (relatively) quiet on the Brexit front. Parliament is not sitting and won’t be back until 14th October, but this has not stopped politicians and commentators on all sides of the debate from reiterating their deeply held positions.

Behind the scenes, it is reported, there is a great deal of shuttle-diplomacy taking place. Both the Prime Minister and his chief negotiator, David Frost, have become frequent passengers on the Eurostar as they dash between London, Brussels and the other capitals of Europe.  Yet the details of the discussions are still far from clear.

The “non-paper”

On Thursday it emerged that the Government has apparently issued a “non-paper” to the EU outlining some thoughts on how an acceptable Brexit deal can be achieved. “Non-paper” is a particularly bizarre EU term for written proposals that have no formal status. At the risk of sounding like something from Alice Through the Looking-Glass, it is a paper that is not a “paper”.

The details contained in the non-paper are unlikely to be officially released. But, if past experience is anything to go by, non-papers tend to see the light of day through unofficial and unattributable leaks.

The Law’s Delay

With little information to go on it is perhaps unsurprising that attention has turned to the other burning issue in UK politics – the judgement of the Supreme Court on the legality of the decision to prorogue Parliament.   Whilst this is not a Brexit issue in itself, the plaintiffs in the two cases before the Court clearly suspect that Parliament was suspended in order to prevent scrutiny of the Brexit negotiations. 

At the time of writing the judges are still out and the judgement is yet to be issued. Whatever the decision it is clearly going to have an impact on the course of the Brexit countdown. 

With attention focussed on legal matters it is perhaps worthwhile spending a little time looking at an often misunderstood aspect of data protection law, specifically the legal basis for processing data. 

On what legal basis can companies process personal data?

The collection and processing of personal data must first and foremost be lawful under the GDPR and Data Protection Act 2018. There are six legal grounds for processing and one of them MUST apply. They are summarised below in no particular order:

  • Consent – a person must have given their consent for one or more specific purpose(s) (e.g. for consumer electronic marketing purposes)
  • Contract – the processing is necessary for the performance of a contract to which a data subject is a party or has requested before entering into a contract (e.g. for employee, client or third-party contracts)
  • Legal obligation – for compliance with a legal obligation, such as obligations to HMRC
  • Vital interests – processing is necessary to protect a data subject or another person (e.g. medical records in the case of an accident)
  • Legitimate interests – where data processing is necessary for the purposes of the legitimate interests of the data controller, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual (a Legitimate Interests Assessment must take place e.g. for some direct marketing purposes)
  • Public interest – for a task carried out in the public interest or in the exercise of official authority vested in the controller


Gareth Evans, 20th September 2019

Data Breaches in Cloud Computing

The cloud computing economy is expected to grow to $191 billion by 2020, an increase of $100 billion in five years, according to the analysts at Forrester. After Monday’s mega-leak, Ecuadorians may be a little hesitant to embrace this secular shift to cloud computing.

The advantages of cloud storage and productivity services are well documented, but cloud servers come with several serious security risks.

High-profile breaches of cloud platforms at Evernote, Adobe, Slack and LastPass over the last few years have led to extra scrutiny of cloud computing from a security perspective, as these online databases are more and more relied upon for storing sensitive data.

Outrage over cloud platform Ecuador personal and financial data leak

This massive data breach was made possible by an unsecured Elasticsearch server hosted on AWS. It was discovered on 16th September and caused outrage throughout the Andean state.

Roughly twenty million people, including 6.7 million children, were affected, comprising nearly the entire population. Even the President of Ecuador was affected, as was Julian Assange, who was given a ‘cedula,’ or national ID number, during his stay at the Ecuadorean embassy in London.

Collectively, the information was described by one journalist as “as valuable as gold in the hands of criminal gangs.”

The scale and detail of the 18GB cache of personal information exposed by the leaky server was such that the researchers were actually able to reconstruct entire family trees.

The types of personal and confidential information available on the database included:

  • names;
  • national ID numbers;
  • dates of birth;
  • places of birth;
  • home addresses;
  • genders;
  • phone numbers;
  • family and marriage records;
  • education and work records;
  • financial information including tax records.

It is not known whether any malicious actors took advantage of the leaky server before it was plugged by Ecuador’s computer emergency security team shortly after the discovery.

How did the breach happen?

A local data analytics company, Novaestrat, held vast amounts of Ecuadorian data on an Elasticsearch server that had no password protection, allowing anyone access.

Though there is no evidence that the government’s database was hacked or breached by Novaestrat, these revelations led to the swift arrest of the company’s executive and a full investigation into how the company came to possess the data it held.

Novaestrat was awarded several government contracts by the former political regime, so it is likely that these were the reason the company gained access to the personal data.

Plans for Data Protection Law

This breach has caused Ecuador’s Ministry of Telecommunications to speed up the process of passing a new data privacy law. This is intended to match rising international standards of data protection (for example, the GDPR).

Why Data Retention and Deletion Schedules are vital

There is a clear lesson here, both for data controllers and for data processors. Whether you are a data controller or a data processor, you must make sure that you have robust data retention and deletion schedules in place.

Data controllers

  1. Make sure your data processors are legally obliged to delete the data
  2. Demand evidence that the deletion has taken place
  3. Exercise your audit rights
     a) once the purpose of the data sharing has been met and / or
     b) according to your own retention and deletion policies

Data processors

  1. Ensure that you have procedures in place to enable you to meet the requirements of your data processor agreement
  2. Ensure you have a robust mechanism for the destruction of the data
  3. Be prepared to provide evidence of the destruction
  4. Consider backup files as well as live data

If you have any questions about data retention and deletion policies or data processor agreement, please contact us via email team@datacompliant.co.uk or call 01787 277742

Operation Yellowhammer

Ornithology

What has Brexit to do with a small member of the bunting family? A bird that is migratory, apparently recognising no national boundaries. One that is found throughout Europe and thrives in its adopted homes in Australia and New Zealand. So widespread is the Yellowhammer (Emberiza citrinella) that it has been adopted as the state symbol of Alabama.

Clearly someone in Whitehall running the No Deal contingency planning is a keen birder. Or has a sense of humour.

Political Wrangling

In extraordinary scenes this week Parliament was prorogued until 15th October.  It is a move that is not without controversy and we shall see the judgement of the UK Supreme Court next week. 

One of the final acts of the outgoing Parliament was to pass legislation compelling the Government to publish the dossier on the potential consequences of a “No Deal” Brexit, a document bearing the codename “Operation Yellowhammer”.

Extracts from the Yellowhammer report had been leaked and published in the Sunday Times a few weeks ago.  Following the publication of the extracts arguments raged about the age of the Yellowhammer document and whether or not it represented a “Worst Case” or “Base Case” planning scenario.

Wednesday evening saw the publication of a remarkably matter-of-fact 5-page Operation Yellowhammer document with the status “Official Sensitive”. The report is dated 2nd August and it apparently represents the Government’s “Reasonable Worst Case Planning Assumptions”. 

Implications for UK Companies receiving Personal Data from the EU

Under the general heading “Key Planning Assumptions” are sections on the widely discussed impacts on HGVs entering the UK particularly at the Channel ports and disruption to the supply of fresh food and medicines.

Listed at Number 9 (of 20 assumptions) is the following:

“The EU will not have made a data decision with regard to the UK before exit.  This will disrupt the flow of personal data from the EU where an alternative legal basis for transfer is not in place. In no deal an adequacy assessment could take years.”

This is an important consideration for companies in their No Deal contingency planning. Under the No Deal outcome, the UK becomes a Third Country and would no longer be covered by EU ‘free flow of data’ rules. 

As the Yellowhammer report states, the UK would need to apply for an adequacy decision to ease the flow of personal data from EU member states. Typically, an adequacy assessment by the EU takes 2 years – sometimes longer.

To date the EU Commission has adopted 13 adequacy decisions with: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (for companies using the EU-US Privacy Shield or Swiss-US Privacy Shield). Most recently the EU agreed a reciprocal adequacy decision with Japan. South Korea started the process of applying for an adequacy decision from the Commission in 2015. The decision is still awaited. 

What to do?

The previous blog (“55 Days to Go”) covers the steps that UK companies need to take when handling data from EU member states.

Privacy Notices

Companies must also review and update Privacy Notices to include amongst other items:

  • The legal basis for processing personal data
  • Collection and use of personal data for direct marketing, analytics, research purposes – where applicable
  • Collection of HR personal data
  • Transfers of personal data outside the EEA and the transfer mechanisms in place to govern those transfers

What Next?

An update to the August version of the Yellowhammer report, which will include the current contingency plans in the case of a No Deal Brexit, has been promised. It will be interesting to see if any progress has been made on the status of data flows in recent weeks.

Meanwhile the Government continues to insist its preferred outcome from the Brexit negotiations is a deal with the EU.  If a deal is secured it may be that the current flows of personal data to and from the EU are not materially affected.

Watch this space.


Gareth Evans, 12th September 2019

Data sharing under GDPR: What you need to know

In this blog, we’re going to explain how the DPA, UK GDPR and EU GDPR affect the way you process and share personal data. First, here’s a quick intro to the terms by which people are labelled in their relation to data protection law:

  • Data controller: a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  • Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Data subject: an individual to whom data relates in the context of data protection law; an individual with data protection rights.

Processing

Before you can think about sharing data in the first place, you need to ensure that any data you have (and potentially may wish to share) has been processed and stored lawfully.  The DPA and GDPR apply only to personal data, which is defined as ‘any information relating to an identified or identifiable natural person,’ i.e. a data subject.

Not all of the data you obtain will count as personal data. If data sets are anonymised and an individual can no longer be identified, then the GDPR will not apply, since the information no longer constitutes personal data.

Six Principles

The regulation defines six principles that must be followed when processing personal data. All personal data must:

  1. be processed lawfully, fairly and transparently
  2. be kept to the original purpose
  3. be minimised (i.e. only the personal data that is necessary is collected)
  4. have the accuracy upheld
  5. be removed if they are not necessary
  6. be kept confidential and their integrity maintained

Legal Basis for processing

You will also need to have a legal basis for processing personal data, of which there are six possible grounds.  These are not hierarchical – you use the legal basis that is appropriate.

  1. consent of the data subject
  2. necessary for the performance of a contract
  3. legal obligation placed upon controller
  4. necessary to protect the vital interests of the data subject
  5. carried out in the public interest or is in the exercise of official authority
  6. legitimate interest pursued by controller

The grounds for processing cannot be retroactively adjusted or changed, i.e. you cannot choose to justify the processing or sharing of data in a different way after having done so. Data protection policies must be consistent and trustworthy, regardless of who you are.

Basic things to remember when sharing personal data

Restrictions apply to sharing personal data, and therefore not to anonymised or pseudonymised data. The latter is often used in healthcare notes, for example. But remember, the pseudonymisation key itself is personal data.

With whom may I share personal data?

Examples of sharing personal data include sharing with:

  • a joint data controller (for joint purposes)
  • another data controller (a third party for their own use)
  • a data processor engaged to store or use data for you (for your purposes)

Before sharing personal data, you must ensure:

  • there is a good reason for the sharing to take place 
  • the individuals have been clearly informed that their personal data is being shared, and the details of the sharing, including:
    • the details of the data to be shared
    • with whom it is to be shared
    • the purpose of the sharing
    • the legal basis for the sharing
    • for how long the data will be held
    • the mechanism by which they can give consent / opt out
  • the volume of personal data that needs to be shared is minimised.
  • the availability of the information is also minimised, or the shared data exists for the minimum time
  • any parties processing the data must therefore have clearly stated retention and deletion policies.
  • the sharing is secure.
  • the sharing is documented.

Contracts and Agreements

Where contracts or other data sharing agreements are required, it is wise to have a data sharing agreement in a framework which can be customised to suit your business needs. A Data Protection Officer (DPO)  can help your team create the appropriate frameworks, and develop bespoke data sharing agreements.

If you are sharing with a country outside the UK or EU that has not been declared ‘adequate’ by the EU Commission, then the new EU standard contractual clauses (SCCs) should normally be used, with supplementary measures. These were updated in 2021 to meet the needs of the EU GDPR. The UK has also issued a new “Addendum” to enable these SCCs to be used for international transfers from the UK.

Each data sharing process must be considered on a case by case basis.  If in doubt consult your DPO and / or a specialist data protection lawyer.  And remember, it is important to stay up-to-date by following the latest guidance from a DPO and the relevant data protection authorities (the Information Commissioner’s Office for the UK).

Brexit: 55 Days to Go, or is it?

It has been a momentous week for UK politics. With Parliament back from the summer recess MPs moved to seize the Order Paper from Government. There then followed an audacious move to legislate against a “No Deal” Brexit, a move which would hamstring the Government’s Brexit negotiation strategy. The Government’s strenuous attempts to prevent the passage of legislation to take the “No Deal” option out of the equation led to the withdrawal of the whip (in effect the suspension) of 21 Conservative MPs.  The legislation that would prevent a No Deal outcome will return to Parliament early next week.  It remains to be seen whether the legislation achieves Royal Assent and is written into law.

In the meantime, the plan to prorogue Parliament for five weeks ahead of the Brexit deadline moved on apace despite a number of legal challenges.

Elsewhere

This week also saw the Prime Minister’s own brother, Jo Johnson, resign as Universities Minister, registering his objection to the direction of the Brexit negotiations, which he viewed as no longer in the national interest.

On a happier note, Downing Street announced the arrival of a new resident as the Prime Minister and his partner unveiled Dilyn, their new puppy.

The Prime Minister is keen to reinforce his Government’s resolve to achieve Brexit, with or without a deal, by the 31st October deadline. But despite his vigorous defence of this policy, it remains unclear whether this will be achieved.

Implications for businesses

Amongst all this political turmoil it is difficult for businesses to plan ahead, especially if the business model includes data transfers to or from EEA companies.

In the case of a No Deal Brexit, on the date of departure the UK becomes a ‘Third Country’ in terms of EU data transfer rules. This means the UK will not have adequacy status, so companies need to take particular steps when processing EEA* data, for example the data of your customers, prospects or clients.

What you need to do

The UK will recognise all EEA countries as adequate under UK law. So there are no issues with you continuing to send personal data to the EEA.

The reverse, however, is not the case, so there will be major changes when transferring personal data from the EEA to the UK. You need to prepare:

  1. “Know your data”, specifically the data you process about EU individuals. Make sure your data mapping is up to date and identifies those individuals outside the UK, but within the EEA.
  2. Take appropriate GDPR safeguards for processing and transfers of EEA data, and update your privacy policy accordingly.
  3. Use Standard Contractual Clauses to enable transfers of personal data from the EEA to the UK and vice versa.
  4. If you are using Binding Corporate Rules, these will need to be adjusted slightly post-Brexit.

*EEA = The 27 European Member States, plus Iceland, Liechtenstein and Norway.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or emailing teambrexit@datacompliant.co.uk

Stop All the Clocks (with apologies to WH Auden)

The weekend papers informed us that many of the Brexit Countdown clocks installed in Number 10 and elsewhere across Whitehall have been turned off. The countdown clocks, initiated by the Prime Minister’s most senior adviser, Dominic Cummings, were designed to underline the Government’s firm resolve to leave the EU by 31st October. Deal or No Deal.

If the reports are to be taken at face value, Civil Servants were finding the inexorable countdown “stressful”. You can see their point. Much remains to be done to secure a leaving deal – especially on newly negotiated terms. This will not be a relaxing experience while a clock counts down in the corner of your computer screen. Added to which, all Civil Service leave has been cancelled until after Brexit day.

Last week in this blog we outlined the very limited time available to Parliament to put in place legislation ahead of the 31st October deadline. This week’s announcement of the prorogation of Parliament and a Queen’s Speech, while in line with Parliamentary convention, narrows the timeframe further. With limited time available, the probability of “No Deal” – a major part of the Government’s negotiation strategy – has increased.

New Developments on Implications of No Deal for Employers & Employees

As the prospect of a “No Deal” Brexit increases, uncertainty for business will inevitably rise. One of the issues that has risen up the business agenda is the status of EU nationals in the workforce. You could say the countdown clocks are running for UK business, especially those employing EU citizens.

Under the Theresa May plan, free movement of EU citizens would have continued during the transition period until 31 December 2020. The new Home Secretary, Priti Patel, has stated that in a ‘No Deal’ Brexit free movement would come to an end on 31st October 2019. Newspaper reports state that the Home Office said: “Freedom of movement as it currently stands will end on October 31”.

Employee “Settled Status” – Those EU citizens already working in the UK on Brexit day will be able to stay and apply for settled status, provided they have 5 years’ residency. Those with less than 5 years’ residency will be given a grace period with residency on a temporary basis until they reach the five-year mark and qualify to apply for settled status. Employers should be actively making their EU employees aware of these requirements.

While employers are not currently required to perform such document checks on their EU workers, this should not be ruled out in the future. As well as assisting employees with negotiating the settled status process, it would be prudent for employers to check the status of their EU workers.

Implications for HR Personal Data Protection

Employers must:

  • demonstrate transparency in their privacy notices about the collection of personal data for verification purposes;
  • ensure that they have organisational and technical security measures in place, including policies and procedures, for processing HR-related personal data and, where applicable, special category data;
  • ensure that they include all categories of employee personal data in their personal data mapping/records of personal data processing.

If you have any questions or concerns about how Brexit will affect your business, in HR or any other area, please call 01787 277742 or email teambrexit@datacompliant.co.uk