Briefing

The global coronavirus pandemic has become far more than an international public health issue. The effect of Covid-19 on economic life, employment, politics, social interaction and the environment is wide-ranging and evolving. Work and travel have become the testing ground for countries and communities to prove their resilience and ability to bounce back. Vaccine passports and vaccine certificates allow vaccinated people to gain re-entry to the workplace, social spaces and travel. These certificates can appear as software applications, paper certificates, official stamps, barcodes, Quick Response (QR) codes and verifiable tokens. Technology has led the way in providing vaccine confirmation solutions, and the data collected and stored are seen as crucial to effectiveness and an evidence-based approach. The use of vaccine passports for employment and travel raises complex issues and requires full consideration of the law, public policy, public health, political priorities, human rights, economic considerations and social norms. These considerations directly impact trust, effectiveness and safety.

Focussing on the Key Data Protection Principles

The EU’s General Data Protection Regulation (GDPR) is a useful tool to analyse and balance the competing priorities of vaccine passports and certificates. As a legal and policy framework, the GDPR does not provide all the answers. A focus on Article 5 of the GDPR, however, can be used to identify the most important issues, agree priority outcomes, highlight information governance gaps, introduce ethical data use ideas and apply a risk-based approach to data collection and use.

Much of the information in Covid-19 data systems and vaccine passport databases will be special categories of personal data, such as information about physical and mental health, sexual life, sexual orientation, race or ethnic origin, religious or philosophical beliefs, genetic data and biometric data. These systems carry out high risk data processing, which is further complicated by also using other data such as geolocation data, financial information, name, address, date of birth, workplace address and details about family members.

For Limited Purposes

An important GDPR principle is that personal data should be collected for identifiable and limited purposes. Purposes should be clearly identified at the start of data collection and followed through the life cycle of the project. Data collected for vaccine passports and Covid-19 status certificates can be attractive for a range of secondary uses, which may arise in the future. However, those collecting personal data should be cautious in sharing the information with parties that were not identified at the start of the data collection or whose uses are not compatible with the stated purposes. Vaccine passports and certificates give and confirm information about moments in time. Using this information for other purposes, in the future, could offer limited benefits when compared to the risks.

Lawful, Fair and Transparent

The use of personal data should be lawful, fair and transparent. The data processing involved in vaccine passports should be clearly understood by users and those who can be identified from the personal data collected. This simple principle can be neglected if the data project is rushed, the data use remains partially undefined, the system is a black box artificial intelligence system, machine learning is used without clear limits and ownership of the data system is divided among many parties with competing or vastly different interests.  These concepts are key to a data protection by design approach. Fairness is also about the necessity and proportionality of the data collection and use, as well as whether these meet the legitimate expectations of the individuals involved.

Accuracy

Personal data used should be accurate and kept up to date. Personal data should also be as accurate as possible at collection, with high levels of data quality maintained thereafter. Covid-19 vaccines vary in both efficacy and effectiveness. Covid-19 status certificates, lateral-flow tests and other testing also vary in data quality. The accuracy question is about what the data says, when the data are collected and what effect the information has on both the individual and the Covid-19 data system. Accuracy changes with time and with adding or subtracting data from a data set. Accuracy also depends on who will access and read the personal data and the intended uses of the data. Accuracy is protected by both organisational methods (such as training) and technical systems.

Data Minimisation

Covid-19 data systems and vaccine passports should use the minimum personal data necessary to fulfil the stated purposes. This can be difficult, because stakeholders often wish to retain the right to re-use these personal data and so encourage data maximisation. Public health and research stakeholders can also encourage greater volumes of data collection. Data practices such as big data, machine learning and deep learning also encourage data intensification. Data minimisation is a practical principle encouraging targeted data sets, reduced data storage costs, less information to secure, improved data analytics and reduced risks associated with cyberattacks and data breaches.

Limits to Data Retention

Personal data should not be kept, used or stored for longer than necessary. This data hygiene principle is also called the storage limitation principle. When planned properly, the application of this principle can help with all other GDPR principles, acting as a practical lever. Covid-19 personal data systems should develop personal data retention schedules, which lay out the data lifecycle and include data review and data deletion dates. Retention planning also covers pseudonymisation, data masking, hashing, encryption and putting personal data beyond use. These concepts are important in helping to define data risk. One caveat: a plain hash of a low-entropy identifier (a date of birth, a patient number, an email address) is not a pseudonym in any meaningful sense, because anyone can recompute the hash for every possible value and reverse it; pseudonymisation needs a secret key that is held separately from the data, and destroying that key is what finally puts the data beyond use.
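The retention and pseudonymisation points above, as an added example that is not part of the briefing: it shows why an unkeyed hash of a short patient number can be reversed by brute force, how an HMAC under a separately held key avoids that, and how a per-record review date and final key destruction implement a retention schedule. The 5-digit patient number format, the vaccine names, the dates and the 365-day retention period are constructed for illustration.

```python
"""Pseudonymisation and retention for a vaccination-status record store.

Added example, not code from the briefing. Demonstrates:
  1. an unkeyed SHA-256 of a low-entropy identifier is reversible;
  2. HMAC-SHA256 under a secret key gives a usable pseudonym;
  3. a retention schedule driven by review dates, ending in key
     destruction so residual rows can no longer be linked to a person.
Patient numbers, vaccine names, dates and the retention period are
constructed sample data.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, Optional

# Constructed identifier space: a 5-digit patient number, i.e. 10**5 values.
ID_WIDTH = 5


def naive_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and public, so it
    can be recomputed for every possible patient number."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def reverse_naive_pseudonym(pseudonym: str, width: int = ID_WIDTH) -> Optional[str]:
    """Brute-force the whole identifier space. Succeeds against the unkeyed
    hash, showing that it is still personal data, not anonymous data."""
    for n in range(10 ** width):
        candidate = f"{n:0{width}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == pseudonym:
            return candidate
    return None


def keyed_pseudonym(patient_id: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the data. Without the
    key the brute force above fails, and destroying the key makes existing
    pseudonyms unlinkable (the 'beyond use' state)."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


class VaccinationStore:
    """Pseudonymised records, each with a retention review date."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.key: Optional[bytes] = secrets.token_bytes(32)  # pseudonymisation key
        self.rows: Dict[str, dict] = {}

    def add(self, patient_id: str, vaccine: str, given_on: date) -> str:
        if self.key is None:
            raise RuntimeError("store is beyond use: pseudonymisation key destroyed")
        p = keyed_pseudonym(patient_id, self.key)
        self.rows[p] = {
            "vaccine": vaccine,
            "given_on": given_on,
            "review_on": given_on + self.retention,  # retention schedule entry
        }
        return p

    def lookup(self, patient_id: str) -> Optional[dict]:
        if self.key is None:
            return None  # cannot re-link a person to a row once the key is gone
        return self.rows.get(keyed_pseudonym(patient_id, self.key))

    def purge_expired(self, today: date) -> int:
        """Delete every record whose review date has been reached; returns the count."""
        expired = [p for p, r in self.rows.items() if r["review_on"] <= today]
        for p in expired:
            del self.rows[p]
        return len(expired)

    def destroy_key(self) -> None:
        """Final step of the schedule: residual rows stay unlinkable."""
        self.key = None


def demo() -> dict:
    """Run the scenario on constructed data and return checkable results."""
    store = VaccinationStore(retention_days=365)
    store.add("04242", "vaccine-A", date(2021, 1, 15))
    store.add("73120", "vaccine-B", date(2021, 6, 1))
    results = {
        "naive_reversed": reverse_naive_pseudonym(naive_pseudonym("04242")),
        "lookup_before": store.lookup("04242")["vaccine"],
        "purged_after_one_year": store.purge_expired(date(2022, 1, 15)),
        "remaining": len(store.rows),
    }
    store.destroy_key()
    results["lookup_after_key_destroyed"] = store.lookup("73120")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed pseudonym is only as protected as the key: keep it in a separate system (an HSM or a secrets manager) with its own access controls, so that a breach of the record store alone does not allow re-identification.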

Information Security, Integrity and Confidentiality

Personal data should be collected and used in ways that ensure information security. These protections should reduce the risk of unauthorised access, unlawful use, accidental loss, destruction and damage to personal data. Covid-19 data systems and vaccine passports should be protected by risk-based and high quality technical and organisational measures. EU GDPR regulators are also keen to ensure that organisations adopt a proactive approach to information security and actively respond to emerging threats such as insecure cloud storage, phishing attacks, ransomware, cryptocurrency scams and social engineering attacks.

Accountability: Demonstrating Governance and Compliance

The key principle for data protection excellence is accountability. This is the ability for Covid-19 data systems and vaccine passports to demonstrate compliance with the GDPR to individuals, data controllers, data processors and all stakeholders. Accountability means following all the other principles, carrying out data flow mapping and maintaining Records of Processing Activities (ROPAs). It also means reporting data protection risks to the board or senior leadership, appointing Data Protection Officers and completing Data Protection Impact Assessments (DPIAs). For individuals identified in Covid-19 data systems, accountability includes clear GDPR notices, allowing data subject rights to be exercised and having a high-quality consent management system (where consent is being requested). Accountability is also a practical tool to build trust, engagement, effectiveness and good reputation, and to enhance the quality of Covid-19 data systems. Accountability also creates future-proofed and resilient systems and processes.

For further assistance with Covid-19 data, vaccine status verification systems and GDPR compliance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

PS062021

The California Privacy Rights Act 2020, the CPRA, is a US state privacy law that took effect in December 2020 and comes into force fully on 1 January 2023. The CPRA expands the existing California Consumer Privacy Act (CCPA) to protect the rights of California consumers. CPRA defines and protects sensitive personal information, places a duty on businesses to put in place reasonable information security measures and expands the right to delete personal information.  The right to opt-out of the sale of personal information (called “Do Not Sell”) has been extended to include limits on non-sale data sharing (“Do Not Share”). The law creates a new regulator called the California Privacy Protection Agency, which will inherit the California Attorney General’s rule making and enforcement powers from 1 July 2021.

  1. What types of organisations are covered by CPRA?

The law applies to Businesses, defined in four categories 1.1, 1.2, 1.3 and 1.4:

(1.1) A legal entity organised or operated for the profit or financial benefit of its shareholders, that collects consumers’ personal information or has personal information collected on its behalf. This entity also determines the purposes and means of the processing of consumers’ personal information, alone or jointly with others, does business in the state of California and meets one or more of the following threshold criteria:

(a) As of January 1 of the calendar year, had annual gross revenues of more than $25,000,000 in the preceding calendar year, or

(b) Alone or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households, or

(c) Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

(1.2) Any entity that controls or is controlled by a business falling within criteria 1.1 (above) and that shares common branding and consumers’ personal information with it.

(1.3) A Joint Venture or Partnership composed of businesses in which each business has at least a 40 percent interest. Each business in the Joint Venture or Partnership is seen as a separate single business.

(1.4) Organisations doing business in California that are not covered by criteria 1.1, 1.2 or 1.3 above but voluntarily certify to the California Privacy Protection Agency that they are compliant.

2. What types of data or information are covered by CPRA?

Like the CCPA, the CPRA protects the personal information of California consumers. Personal information includes many different types of data and information including identifiers (name, address, social security number and online identifiers etc), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences taken from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.

The CPRA introduces a new category of sensitive personal information which includes a wide range of personal data such as passport details, driving licence details, specific geolocation information, race or ethnic origin information, genetic data and biometric data. These types of data require greater protection.

3. What are the main CPRA obligations for businesses?

Businesses must ensure that:

(i) When selling or sharing personal information with third parties, binding contracts are in place to ensure that third parties comply with CPRA requirements and their contractual obligations.

(ii) Service providers and contractors must help businesses to respond to verifiable personal information CPRA requests. Service providers are not required to fulfil requests received directly from consumers.

(iii) They inform consumers about the data categories they collect and whether information will be sold or shared.

(iv) Businesses cannot collect additional categories of personal information in ways that are incompatible with the original purposes, once the businesses inform consumers of these purposes.

(v) Third-parties that control personal information collection must provide the same disclosures on their website, as the business that engages them.

(vi) Have systems that protect availability, authenticity, integrity, and confidentiality of personal information. Detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and ensure the physical safety of individuals. Reasonable security practices and procedures must be introduced, including robust email address and password protections.

(vii) Ensure that consumers can exercise their right to limit or restrict the use of sensitive personal information and receive full notices about data use, purposes and retention.

(viii) Ensure that consumers can exercise their rights to request deletion and correction of their personal information.

(ix) Put in place clear policy and procedures for children under 16 years old to opt-in to the selling or sharing of their personal information.

(x) Develop clear data retention and deletion policy and retention schedules to ensure that personal information is deleted when legitimate use ends.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR) and the CCPA, will they automatically comply with CPRA?

No. GDPR, CCPA and CPRA have different scopes, definitions and compliance requirements. However, there are important similarities. Organisations that are governed by CCPA are very likely to fall within the CPRA’s scope. CPRA is more closely aligned with GDPR than CCPA. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. Data privacy notices, policies, information security frameworks created for another law can be tailored to meet the requirements of CPRA. Data processing agreements, supply chain contracts and online notices must be specifically updated for CPRA. Do Not Sell and Do Not Share notices and their underlying management systems are unique to CCPA and CPRA and require specific technical solutions.

5. Does the CPRA apply to businesses or organisations in other US states or to foreign companies?

Yes, it can. If a business or organisation falls within the CPRA qualifying criteria and holds personal information about California consumers, then CPRA applies. Businesses that are based in other US states and companies from outside of the United States may therefore have to comply with the CPRA. All organisations should seek specialist advice, review new CPRA regulations, monitor the development of CPRA enforcement, examine official guidance and watch the regulator, the California Privacy Protection Agency, for interpretation and priorities.

Briefing

The route to the United Kingdom (UK) gaining data protection adequacy has been set out by the European Commission. UK adequacy is a declaration by the EU that the UK’s laws and systems offer essentially equivalent protection for data flows covered by the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). The UK uniquely benefits from many years of alignment with European data protection standards, including ratifying the Council of Europe’s Convention 108. The UK’s pioneering first law was the UK Data Protection Act 1984. The UK then adopted both the EU Data Protection Directive 1995 and the GDPR of 2016.

Data protection adequacy creates certainty and trust for data flows to and from the EU and UK. There are numerous benefits to data protection adequacy for business, trade, cooperation, security and law enforcement. However, because the UK has left the EU (Brexit), it now stands apart from EU developments and automatic institutional advancements. Inevitably, over time, there will be degrees of divergence, duplication of compliance activities and an evolving dynamic tension between the EU and UK regimes. Despite this, there will be an enduring, broad and deep commonality between the EU and UK data protection regimes, well into the future.

The Benefits: What UK Data Protection Adequacy Means

UK data protection adequacy creates a new status quo:

  • The UK will join Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand and Uruguay as a country with essentially equivalent data protection standards to the EU, the European Economic Area (EEA) countries and Switzerland.
  • The EU will allow the free flow of personal data from the EU to the UK. These flows will not be considered international data transfers and will not require the complex additional safeguards listed in the GDPR. The UK has already declared adequate the EU, the EEA, Switzerland and the current list of EU-adequate countries, which creates fully reciprocal personal data flows between the UK and EU.
  • Going forward, the UK will be obliged to ensure that domestic developments in data protection law and systems substantially reflect developments in the EU. This will create a degree of certainty and transparency for companies, organisations and governments.
  • In the future, the Information Commissioner’s Office (ICO), the UK’s GDPR regulator, will be more inclined to interpret and enforce the GDPR in line with EU developments. Though, the ICO must also reflect UK-led changes to the legal framework, UK GDPR interpretation and UK court decisions.
  • Companies and organisations that operate both in the UK and EU must now establish two distinct personal data breach reporting arrangements. UK personal data breaches will need to be reported in the UK, to the ICO. EU data breaches must be reported to one or more of the EU’s twenty-seven GDPR regulators. Bureaucratically, personal data breaches affecting individuals based in the UK and EU must be reported in both regions.
  • International companies and organisations can continue to blend their data protection programmes to cover all EU countries and the UK, but should specifically allow for future UK variations. This approach will encourage economies of scale, compliance cost savings, interoperability and more transparent Europe-wide data risk profiles.

Dynamic Controls

UK data protection adequacy includes several dynamic controls that supervise the EU/UK data relationship into the future. Companies and organisations should note that:

  • UK adequacy decisions contain a four-year sunset clause: they lapse after four years unless the European Commission reviews the UK regime and renews them.
  • The validity of the UK’s adequacy decisions could be challenged in the Court of Justice of the European Union (CJEU). This court has the power to invalidate the adequacy decisions, forcing organisations to stop transferring personal data from the EU to the UK. This happened to the EU-US Safe Harbour adequacy decision in 2015 and the EU-US Privacy Shield adequacy decision in 2020 (with the parallel Swiss-US arrangements falling away in their wake), causing much disruption, uncertainty and cost to businesses and organisations.
  • The European Commission can suspend UK adequacy decisions based on a serious violation or series of serious violations that offend the EU’s  rights-based system. This is unlikely. However, a significant UK/EU disagreement about human rights, EU fundamental rights, national security and large-scale surveillance could increase the risk. A significant breakdown in the UK’s internal checks and balances that safeguard the right to personal data protection could negatively affect the stability of UK adequacy.

The Limits: What UK Data Protection Adequacy does not Mean

UK data protection adequacy does not alter several important issues and so companies and organisations should note that:

  • UK adequacy creates and maintains equivalence for data transfers from the EU to the UK. However, the UK will still need to create new international data transfer mechanisms for UK personal data flows to the rest of the world. These may be different from the EU’s system and may include UK-specific data protection standard contractual clauses. Companies and organisations in the UK and EU must now navigate two systems for international transfers.
  • Companies and organisations that have no presence in the EU but offer goods or services or monitor individuals in the EU will need to appoint an EU Data Protection Representative based in the EU, separate from any UK representative.
  • Companies and organisations that have no presence in the UK but offer goods or services or monitor individuals in the UK will need to appoint a UK Data Protection Representative based in the UK, separate from any EU representative.
  • Post Brexit, the UK is still part of the European Convention on Human Rights (ECHR), with its well-established right to privacy, family life, home and correspondence. This right is reflected in the UK’s Human Rights Act 1998.  However, there is no longer a fundamental right to personal data protection in UK law as it exists in EU law. The UK is no longer a party to the EU Charter of Fundamental Rights, and its specific additional Article 8 personal data protections. As a result, data protection rights in the UK are now narrower in scope than in the EU.
  • The UK continues to have GDPR embedded into its laws. However, automatic data protection alignment is no longer legally and practically inevitable. Brexit means that the UK is no longer a part of the EU’s governing treaties, democratic institutions, internal single market, digital single market, regulators and courts. Data protection decisions and opinions from the European Commission, European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) no longer have automatic legal force on the UK.

For assistance with GDPR, EU/UK data flows and Brexit, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS022021

The Dubai International Financial Centre (DIFC) Data Protection Law 2020 (DP Law) applies to the DIFC financial services free zone in Dubai, United Arab Emirates and took effect on 1 July 2020. The DIFC DP Law protects the personal data held and processed by organisations that are registered in the DIFC as well as linked external organisations. New data protection rights include the right to access personal data, the right to data portability, the right to withdraw consent, the right to object to automated decisions (including profiling) and the right not to suffer discrimination for exercising data protection rights. Businesses have an overriding duty to demonstrate compliance with the data protection principles. The DIFC Commissioner of Data Protection is the regulator. Regulator enforcement starts on 1 October 2020.

1. What types of organisations are covered by DIFC DP Law?

The law applies to businesses that are registered in the DIFC or businesses that process personal data in the DIFC as part of stable arrangements. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law.

2. What types of data or information are covered by DIFC DP Law?

The DIFC DP Law protects personal data which is defined as information that identifies or makes living individuals identifiable. Identified or identifiable means reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors about an individual’s biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

3. What are the main DIFC DP Law obligations for businesses?

Businesses must:

  1. Comply with additional data protection principles of accountability (demonstrate compliance), transparency and process personal data in line with the rights of individuals.
  2. Appoint a Data Protection Officer (DPO), if they are DIFC bodies or carry out high risk processing on a systematic or regular basis. Other controllers or processors may appoint DPOs.
  3. Report data breaches as soon as practicable in the circumstances to the DIFC Commissioner of Data Protection and to individuals affected (if the breach is a high risk to security or individual rights).
  4. Register with the regulator and publish detailed data protection notices.
  5. Complete Data Protection Impact Assessments (DPIAs) for high risk data processing.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with DIFC DP Law?

Yes, in large part, but not completely. GDPR and DIFC DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. DIFC DP Law was enacted to include provisions that largely mirror GDPR. It is likely that the DIFC will make an application to the European Union (EU) for an adequacy decision to ease international data transfers between the DIFC and the EU. GDPR data mapping and records of processing activity logs can help to identify DIFC DP Law impacted personal data. GDPR Privacy Notices, policies and GDPR processes used to respond to GDPR rights can assist DIFC DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated.

5. Does the DIFC DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses process personal data and are registered in DIFC or process personal data in the DIFC as part of stable arrangements in the DIFC, then the DIFC DP Law will apply. The law also applies to businesses that process data on behalf of organisations registered in the DIFC or for organisations that process data in the DIFC as part of stable arrangements. The DIFC Commissioner for Data Protection can impose administrative fines of up to $100,000. DIFC Courts can order businesses to pay compensation to individuals.

Article

Companies and organisations should ensure that their data protection compliance is not reduced to a set of policies and procedures, quarterly reports and annual reviews. Data protection outcomes should not be synonymous with the introduction of enterprise privacy software, compliance team updates of controls or data privacy as intractable legal and IT add-ons to be overcome. Effective data protection should be dynamic and integral to day to day activities, in the way that workplace health and safety, financial probity and corporate good conduct flows through organisations, affecting almost every decision. Data protection should not play catch-up to digital transformation initiatives, IT strategy changes, research and development priorities or expansions of the supply chain. Data protection principles should be applied consciously to strengthen an organisation’s core DNA and operating model. As a result, whenever personal data are collected, stored or used, data protection should become a byword for responsible data management, excellent data ethics, protecting individual personal data, accountability, security, resilience, profitability, trust and innovation.

Data Protection by Design and by Default

In the same way that financial transparency, environmental impacts and board accountability are key measures for listed companies, data protection should be designed into an organisation’s way of doing business, so that it becomes second nature. The EU’s General Data Protection Regulation (GDPR) has increased the prominence and status of Data Protection by Design, Security by Design and Privacy by Design (PbD) practices. The data protection principles of transparency, accountability and data minimisation are crucial. Data Protection Impact Assessment (DPIA) is a practical tool to practice high level data governance, demonstrate compliance and add vital data intelligence to an organisation’s knowledge base. Data Protection should  be operationalised, at the beginning of decision-making processes and information life cycles to maximise the planned outcomes.  Poor data governance should be considered as problematic as poor workplace health and safety, poorly trained staff and financial mismanagement.

Automated Decisions

Automated decisions are assessments, judgements, results and outcomes made by computers without human intervention. These decisions are often made by computer calculations and the outcomes are not checked or verified by humans. These results can have serious economic, financial, political and social implications for individuals. Companies and organisations may carry out automated decisions without full awareness or assessment of their impact, or without realising that specific data protection rules apply. The outsourcing of Human Resources functions and other business processes has redirected some automated decisions away from organisations’ direct internal management structures, creating greater risks. However, legal responsibilities and liabilities remain with the organisation that acts as the personal data controller. Automated decisions can be based on assumptions about a person’s skills, decisions, actions, intentions or characteristics. Assumptions can be wrong, out of date or incomplete and cause discrimination, financial loss, loss of opportunity, distress or other damage. Companies and organisations should be transparent about assumptions made by automated decisions and apply internal quality checks, testing and outcome verification. Individuals affected should also be provided with a way to intervene in the decision-making process, request human involvement, express their views or question the outcome.

Algorithms and Strategy

An algorithm is a sequence of defined, computer-implementable instructions, used to solve a type of problem or to perform a computation. Algorithms are present where computers operate. As a result of the exponential growth of computing power, the enormous increase of data and the rise of artificial intelligence, the role of algorithms has become more prominent in everyday business and how organisations operate. As a result, companies and organisations should ensure that they have a clear strategy for the use of algorithms that affect individuals. The strategy should sit with overall business strategies for growth, efficiency, profits and innovation. All strategic outcomes should be quality tested against how they protect individual’s personal data, promote information security (and cybersecurity), encourage data transparency, create data accountability and data fairness (quality and data minimisation).

Profiling

The rise of information technology, online transactions, social media and internet usage around the world have created an explosion of profiling. Companies and organisations may carry out profiling without full awareness or assessment of its impact or that specific data protection rules apply to the practice. Profiling is the use of mathematical formulas, computations or algorithms to categorize individuals into one or more classes or groups. Profiling can also be used to evaluate individual characteristics such as performance at work, economic standing, health, personal preferences, interests, reliability (skill or competence), behaviour, location, movement, intention or priorities. The most intrusive elements of profiling can be the ability to infer information from data and the ability to predict an individual’s future choices or actions. Inferences and predictions can be wrong, biased, incomplete and based on irrelevant data, yet have a substantial effect on individuals, including discrimination, financial loss, loss of opportunities, distress or other damage.  Companies and organisations must be transparent about their use of profiling, have internal quality checks, practice data minimisation and verification. Individuals affected must be able to seek information about their profiles and question the decisions made about them.

The GDPR has one of the most sophisticated regulatory frameworks to deal with profiling and automated decision making. Article 22 regulates the two together, as automated individual decision-making including profiling, and in practice most automated decisions about people rest on some form of profiling. EU policy makers anticipated the growth of profiling by ensuring that all foreign companies (with or without an EU presence) that profile the behaviour of individuals in the EU fall within the scope of the GDPR, even where the profiling operations take place outside the EU. This may not be well understood and may often be ignored by organisations. As well as compliance with the GDPR’s main principles and provisions, profiling should always be accompanied by Data Protection Impact Assessments (DPIAs). These DPIAs must also comply with the requirements of the relevant EU member states’ data protection regulators and local laws. Consulting with the individuals affected and with the data protection regulator could also be required, based on the nature of the profiling. The Data Protection Officer should support and drive the process of producing high quality DPIAs that are well written, honest, easy to understand, effectively reviewed and updated.

Artificial Intelligence

Artificial Intelligence (AI) is the ability of computer systems or computer-controlled robots to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, translation between languages, performing manual tasks, interacting with other computers and interacting with humans. AI is big business and is set to transform the global economy, work, home, education, healthcare and security. The global artificial intelligence market size is expected to reach US$390.9 billion by 2025, according to a report by Grand View Research, Inc. The market is anticipated to expand at a Compound Annual Growth Rate (CAGR) of 46.2% from 2019 to 2025. Companies and organisations building AI systems should ensure that algorithms are tested and reviewed and that outputs are verified. Data sources should be quality checked to remove incomplete data, bias and out of date information. Assumptions and inferences should be robustly tested. These steps are basic data hygiene and mirror GDPR requirements. However, GDPR compliance and the relevant data protection and privacy laws should be specifically incorporated into AI data life cycles.

Companies and organisations should ensure that AI is explainable so that individuals affected can increase their understanding and trust can be built. This requirement maps across to the GDPR’s principles of fairness, lawfulness, transparency, purpose limitation, accuracy, integrity, confidentiality and accountability. Frameworks have been published to help organisations manage and explain AI to improve accountability. The European Union High-Level Expert Group on AI has published Ethics Guidelines for Trustworthy Artificial Intelligence. The United States National Institute of Standards and Technology (NIST) has published Four Principles for Explainable Artificial Intelligence. The UK’s data protection regulator, the Information Commissioner’s Office and the Alan Turing Institute, have published joint guidance on Explaining Decisions Made with AI.

Data Protection Lessons

Data protection maturity can improve companies’ and organisations’ key strategic goals of profitability, growth, efficiency, trust, innovation and resilience. Organisations that attempt to grow without robust data protection find that several of their key strategic goals remain uncertain. Their longevity can be at risk because user, customer and supply chain trust is low. Their efficiency and growth are precarious because, at any time, a data protection regulator, markets regulator, privacy activists, civil society groups, governments and individuals could start campaigns against their poor data protection practices. Fines, bad publicity, internal staff protests, political interjections and whistleblowers can create a state of inherent instability. Excellence in data protection and data protection by design should be positive and proactive advancements rather than reactive responses. For the future, agility and trust will be important economic drivers. Organisations that understand their data and personal data, explain their data uses, embed data protection by design and engage with stakeholders about data governance issues will thrive, remain resilient and fulfil their key strategic objectives.

PS082020

Article

The UK’s departure from the EU on 31 January 2020 (‘Brexit’) changes the EU/UK data governance landscape. The agreed transition period [1] until 31 December 2020 offers a period of EU/UK data protection continuity [2] and ‘business as usual.’ In the longer term, however, there is uncertainty about EU to UK personal data flows, UK data protection law, and General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) [3] compliance. EU-based, European Economic Area (‘EEA’) based, and international businesses face a series of challenges when seeking to understand and fully predict the UK’s data protection future. Wayne Cleghorn, CEO of PrivacySolved, explores these uncertainties, risks, and options to shed light and offer guidance on priorities and actions.

Mind the gap: UK data protection and EU GDPR future

EU, EEA, and international businesses and organisations understand that EU data protection laws lie at the heart of EU politics, human rights, economy, and trade. The GDPR seeks to place data protection at the heart of the EU’s single market and the future digital single market, while also further elevating the protection of personal data and special categories of data as a fundamental EU right and a broader human right [4]. The UK’s EU Withdrawal Agreement Act [5] removes the UK from this system by revoking [6] the application of key EU treaties to the UK. However, the UK enacted the Data Protection Act 2018 (‘the Act’) [7] to anchor the GDPR in UK domestic law. This Act will replace the GDPR after the end of the transition period and offers most of the protections of the GDPR, but without the key functional mechanisms that the EU Member States will continue to rely on. These mechanisms include the role of the European Commission in data protection, European Data Protection Board (‘EDPB’) membership [8], the consistency mechanism [9], the One Stop Shop mechanism [10], the EU-US Privacy Shield [11] (‘the Privacy Shield’), and the data protection decisions of the Court of Justice of the European Union [12] (‘CJEU’). Legally and practically, UK data protection divergence begins on 1 February 2020, even within the short transition period. At the end of the transition period, UK data protection risks becoming less aligned with the EU and less automatic. The UK and EU will be on different paths as a result of the post-Brexit status and inertia. This ‘new normal’ creates pockets of uncertainty, risks, opportunities, and options.

Uncertainties and risks

UK adequacy decision

UK, EU, EEA, and international businesses’ personal data flows are best protected and suffer the least disruption if the European Commission issues a post-Brexit ‘adequacy decision’ [13] that the UK provides a level of data protection comparable to the EU. The UK has a good claim to such an adequacy decision because of its existing GDPR alignment [14], but the adequacy process includes wide-ranging investigations and a formal decision of the European Commission in consultation with other EU bodies [15]. As a result, a decision is unlikely to be made for many months and it may become entangled in the UK/EU free trade agreement negotiations occurring throughout 2020 and beyond.

International data transfers

On exiting the EU and the EEA, after the transition period, without an adequacy decision, the UK becomes a ‘third country’ in data protection terms [16]. EU and EEA businesses and organisations, as well as international businesses with EU/EEA operations, need to review and plan in advance for the appropriate safeguards needed to facilitate EU to UK personal data transfers. Standard Contractual Clauses [17] (‘SCCs’) are the most common solution, but the data exporter must be in the EU and the data importer outside the EU, so these will not typically facilitate data transfers from the UK to the EU after the transition period. The existing Privacy Shield [18] will no longer cover the UK for UK to US data transfers, so existing arrangements will need to be adjusted in advance and while a UK version of the Privacy Shield is created. Binding Corporate Rules [19] (‘BCRs’) are a stable solution, but they cover only intra-group data transfers and take a long time to prepare and receive approval from EU data protection supervisory authorities. The agreed transition period appears to be too short to begin any substantial BCR applications at the UK Information Commissioner’s Office (‘ICO’). After transition, the ICO will no longer be a GDPR BCR-granting data protection supervisory authority, and so EU and international businesses and organisations need to examine their legal proximity and access to other EU data protection supervisory authorities for their BCR compliance activities. One key post-Brexit transition period challenge will be how EU-based data processors and sub-processors respond to data protection compliance instructions from UK-based data controllers. This scenario [20] was never envisaged by the authors of the GDPR. As a result, this situation creates many complications and must be dealt with on a case-by-case basis. Bespoke contracting will be one of the ways to create solutions for these gaps.

The ICO and UK courts

At the time of publication, the ICO [21] is one of the largest, most active, and influential data protection authorities in the EU and around the world. During the Brexit transition period, it will continue its GDPR supervisory authority role [22], but at a distance and with the disadvantage of no longer being an active decision-making member [23] of the EDPB. The ICO’s longer term position in the EU’s structures remains even more uncertain after the Brexit transition period. While the ICO will continue to safeguard UK residents and be the data protection authority for many UK-based businesses, it is unclear whether the ICO will accept and handle GDPR complaints from EU citizens, EU-based, and international data controllers and processors under the GDPR [24]. Several of the ICO’s key powers come from the GDPR, which has made it an integral member of the EDPB [25]. However, the ICO has accepted that, in law, it will no longer be a ‘supervisory authority’ for the GDPR after the end of the transition period [26], but it will seek to maintain a close relationship with the EDPB. Going forward, the most impactful issue is the likelihood that the ICO will begin to apply data protection legal interpretation primarily from UK courts and not the CJEU or other EU Member States. If this occurs, UK data protection divergence will become entrenched. UK courts have only recently begun to produce high level court decisions on data protection remedies [27]. Post-Brexit, these courts may retreat to narrower and more UK-centric data protection interpretations and applications.

Options and actions for EU-based, EEA-based, and international businesses and organisations

In the short to medium term, the UK data protection landscape should be regarded as a work in progress, a special case, and a candidate country for an EU adequacy decision. Businesses and organisations should seek continuity where possible, reduce the risks of personal data flow interruption, and preserve UK/EU GDPR alignment as much as possible, especially within the Brexit transition period which runs to December 2020 [28]. However, this implementation period is short and there are several matters that require specific early attention, review, and action by data controllers and data processors outside the UK.

Plan to update data protection notices, data protection policies, contract clauses about the GDPR, and initiate supply chain reviews

Key documents that have not already been reviewed will need to be updated to ensure that the impact of the UK’s Brexit on data protection compliance is acknowledged in commercial arrangements. New arrangements may need to be negotiated, agreed and formally documented.

Plan to replace the UK ICO as the GDPR lead supervisory authority, One Stop Shop authority, and BCR approval authority

EU and international businesses and organisations should review their previous analysis of the UK ICO as their lead supervisory authority for the GDPR, their One Stop Shop authority, and the authority to which their BCRs can be submitted and agreed. Alternative EU supervisory authorities should be considered and selected to replace the ICO’s existing role for these activities to properly comply with the GDPR over the longer term. Detailed expert advice may be required to embed these changes. For larger organisations, the transition period could be used to consider and begin to implement any changes.

Appoint an EU representative

During and after Brexit’s transition period, the GDPR will still apply to businesses or organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU. Where these businesses and organisations have no establishment (a settled presence or stable arrangements) in an EU Member State, the business or organisation must appoint an EU representative [29] to liaise with the relevant EU supervisory authorities and deal with individuals who wish to exercise their rights under the GDPR. The UK will no longer be an eligible EU Member State after the transition period. As a result, UK businesses and international businesses and organisations that have GDPR obligations will need to re-direct their GDPR compliance focus to other EU countries. International businesses should also reassess any UK-based EU representatives currently in place. Care should be taken to negotiate and agree the scope of these appointments. The identities of the relevant instructing data controllers and data processors should be clear. Liability, insurance, and the roles and responsibilities of each party should also be explicitly agreed. It will take time to update internal and external teams, processes, technologies, and training, and so larger and more complex businesses should not wait until the end of the transition period to begin this work.

Focus on international data transfers

International data transfers can be a risky area of GDPR compliance and are subject to change. The CJEU is likely to issue court decisions on SCCs and EU institutions will provide updates on the Privacy Shield and BCRs. Currently approved EU SCCs may be updated to better reflect the GDPR. When these updates occur, the UK’s position will become apparent, especially if EU institutions and courts require changes to be made, which the UK may not be legally obliged to follow. A key test is due in May 2020, when the European Commission will present its first evaluation and review [30] of the GDPR to the European Parliament and the Council of the European Union.

Focus on data protection developments in key sectors and the growth of the GDPR codes of practice and certifications

Codes of practice and certification mechanisms are being developed in the EU and UK, and may provide GDPR compliance solutions and options in the medium to longer term. These may, over time, help to bridge the increasing EU/UK data protection divide and reduce the data protection uncertainties created by Brexit.

For Enquiries:

contact@privacysolved.com

London: +44 207 175 9771 \ Dublin: +353 1 960 9370

www.privacysolved.com

References:

1. Articles 126-127 of the EU / UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf

2. Article 128 of the EU/UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf

3. GDPR, available at https://eur-lex.europa.eu/eli/reg/2016/679/oj

4. GDPR, Recitals 1-8.

5. EU (Withdrawal Agreement) Act 2020, available at: http://www.legislation.gov.uk/ukpga/2020/1/contents/enacted

6. Section 1 of the European Union (Withdrawal) Act 2018, available at: http://www.legislation.gov.uk/ukpga/2018/16/contents/enacted

7. UK Data Protection Act 2018, available at: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

8. Articles 68-76 and Recitals 139-140, GDPR.

9. Articles 63-67 and Recitals 136-138, GDPR.

10. Article 56 and Recital 127, GDPR.

11. Available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#commercial-sector-eu-us-privacy-shield and https://www.privacyshield.gov/welcome

12. Available at: https://curia.europa.eu/jcms/jcms/j_6/en/

13. Article 45, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

14. See: https://publications.parliament.uk/pa/cm201719/cmselect/cmexeu/1317/131702.htm

15. See: https://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf

16. See Speech by EU Chief Negotiator Michel Barnier on 26 May 2018 in Lisbon “..And we cannot, and will not, share this decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as us” available at: https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_18_3962

17. Article 46, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

18. Article 45, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en

19. Article 47, GDPR, see also: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en

20. EDPB Guidelines 3/2018 on the territorial scope of the GDPR, available at: https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en

21. See: https://ico.org.uk

22. See “Statement on data protection and Brexit implementation – what you need to do” on 29 January 2020 and updated “Brexit FAQ”, available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/statement-on-data-protection-and-brexit-implementation-what-you-need-to-do/

23. Article 128 (5) of the EU/UK Consolidated Withdrawal Agreement of 17 October 2019, TF50 (2019) – Commission to EU 27, available at: https://ec.europa.eu/commission/sites/beta-political/files/consolidated_withdrawal_agreement_17-10-2019_1.pdf

24. Article 57, GDPR.

25. Articles 51-59 and Recitals 117-129, GDPR.

26. See: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal-3/the-gdpr/ico-and-the-edpb/

27. See Vidal-Hall v Google Inc [2015] EWCA Civ 311 [2016] QB 1003 see: https://www.judiciary.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf and Lloyd v Google [2018] EWHC 2599, see: https://www.judiciary.uk/wp-content/uploads/2018/10/lloyd-v-google-judgment.pdf

28. Section 33 of EU (Withdrawal Agreement) Act 2020.

29. GDPR, Article 27.

30. GDPR, Article 97.

Also published by DataGuidance

Global Briefing

The novel coronavirus, COVID-19, has been classified as a global pandemic. At such a critical time for public health, nations and the global economy, the World Health Organisation, governments, Chief Medical Officers and public health organisations provide much needed scientific and practical expertise. In our data-driven world, data and information are vital to responding effectively through contact tracing, outbreak analysis, vaccine research, risk assessments, diagnosis, treatment, modelling and government policy decisions. In this emergency, transparent and proportionate data privacy practices, confidentiality and data security procedures can help to inform these efforts, increase trust and encourage win-win outcomes. Data excellence is crucial.

Health Data: The sword and shield to combat the crisis

Health and medical data are often classified as sensitive and confidential. In the European Union, the General Data Protection Regulation (GDPR) lists these as special categories of personal data. Collecting, storing and sharing these types of data in high volumes is called high risk data processing. Globally, best practice in health care data management insists that these kinds of data must be kept secure, data sharing should be specific and limited, and data must be highly accurate, complete and relevant. Individual consent is often the means by which these types of data are collected, stored and used. Health data processing for COVID-19 identification, treatment and public health countermeasures necessarily pressures and adjusts this status quo. The frequency and intensity of health data processing and sharing around the world will challenge data controllers, data owners, data guardians and individuals alike. A targeted and purposive approach is required. In this crisis, necessity must be the mother of invention and provide much needed public health and medical solutions and outcomes.

Looking for Leadership: Guidance from Key Data Regulators

Aware of the increase in health data collection, storage and use as well as the increased data security risks, data protection and other key regulators have published guidance to assist companies, organisations, governments, health care systems and individuals. These include:

Italy

The Italian data protection regulator, the Garante (Garante per la protezione dei dati personali), has published a statement encouraging employers not to collect COVID-19 related health data and location information about employees in a spontaneous, systematic and generalised way. Health data collection should be left to the health authorities, or otherwise such collection must be specifically required by law. Employers are encouraged to strictly comply with requests and nationwide initiatives from Italy’s Ministry of Health. The statement clarifies that employees have a duty to inform their employers of health and safety risks, such as exposure to COVID-19. Employers may invite employees to notify them of exposure. The statement, in Italian, is here.

Ireland

The data protection regulator for the Republic of Ireland, the Data Protection Commission Ireland (DPC Ireland), has issued guidance stating that measures taken to combat COVID-19, including the collection and use of health data, should be necessary and proportionate. All decisions should be informed by the guidance and instructions of public health and other relevant authorities. The GDPR should be applied and the key GDPR principles of a proper legal basis for processing health data, transparency, confidentiality, data minimisation and accountability should be practised. The guidance presents a number of employment scenarios as questions and answers. DPC Ireland acknowledges that an organisation’s response to an individual’s data protection rights may be impacted or delayed by COVID-19 and that this will be taken into account, but GDPR legal obligations cannot be waived. Where COVID-19 impacts data protection compliance, organisations should communicate with individuals, respond as quickly as possible, reply in stages and maintain clear internal records. The guidance is here.

Spain

Spain’s data protection regulator, La Agencia Española de Protección de Datos (AEPD), has published a statement and a report on data protection and COVID-19. AEPD clearly states that data protection rules should not be used as a barrier to respond to COVID-19. The GDPR and local Spanish laws provide the proper legal basis for dealing with these exceptional cases, public interest efforts and activities to protect the vital interests of individuals. Employers should process health data that are necessary to safeguard staff and limit further contagion. The statement is here and the report is here, in Spanish.

United Kingdom

The United Kingdom’s data protection regulator, the Information Commissioner’s Office (ICO), issued a statement asserting that data protection and electronic communications laws do not prevent responding to COVID-19, including the additional collection of personal data for public health reasons. The ICO says that it is a reasonable and pragmatic regulator which will consider the compelling public interest in the coronavirus health emergency. It offers its website address and helpline number as sources of assistance. The statement is linked to questions and answers with scenarios about employers, employees and health professionals. The statement and questions and answers, in English, are here.

France

France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued guidance emphasising that the GDPR applies to health data collection relating to COVID-19. It outlines prohibitions, which include employers asking staff and visitors to provide temperature readings every day or collecting health questionnaires from all employees. Systematic and generalised collection of health data is discouraged. Employees are encouraged to inform their employers about their potential COVID-19 exposure, and employers can provide reports to public health authorities and set up business continuity plans. Organisations should follow the recommendations of the health authorities and collect data in accordance with their requests and instructions. The guidance, in French, is here.

United States of America

The United States responds to COVID-19 both on the federal level and on the state level, in each of the 50 states. City, regional and local-level responses are also evident. Without comprehensive all-sector national or federal-level data privacy laws, the broadest guidance available relates to the federal Health Insurance Portability and Accountability Act 1996 (HIPAA). The Department of Health and Human Services published a Bulletin covering HIPAA and COVID-19 related issues, which is here. The US Centers for Disease Control and Prevention provides up to date general coronavirus updates, advice, health guidance and mitigation strategies, available here.

China

The National Health Commission of China published a notice, available in Chinese here, on the personal data protection issues in responding to COVID-19. In addition, one of China’s key cybersecurity and data protection bodies, the Cyberspace Administration of China (CAC), published a Circular on “Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” to provide detailed guidance, which is available in Chinese, here.

Switzerland

Switzerland’s data protection regulator, the Federal Data Protection and Information Commissioner (FDPIC, known in French as the PFPDT), has published guidance on the protection of personal data while containing COVID-19. The guidance is available in German, French and Italian.

Belgium

Belgium’s data protection regulator, Autorité de protection des données, has published guidance on COVID-19. The guidance is available in French, here.

Germany: Baden-Württemberg

The Baden-Württemberg data protection regulator, LfDI Baden-Württemberg published frequently asked questions (FAQs) on data protection compliance and COVID-19. The FAQs are here.

New Zealand

New Zealand’s data protection regulator, the Office of the Privacy Commissioner of New Zealand (OPCNZ) published frequently asked questions (FAQs) on COVID-19. The FAQs are here.

Denmark

Denmark’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Danish, here.

Iceland

Iceland’s data protection regulator, Persónuvernd, has published guidance on COVID-19. The guidance is available in Icelandic, here.

Luxembourg

Luxembourg’s data protection regulator, Commission Nationale pour la Protection des Données, has published guidance on COVID-19. The guidance is available in French, here.

Norway

Norway’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Norwegian, here.

Poland

Poland’s data protection regulator, Urząd Ochrony Danych Osobowych, has published guidance on COVID-19. The guidance is available in Polish, here.

Netherlands

The Netherlands’ data protection regulator, Autoriteit Persoonsgegevens, has published guidance on COVID-19. The guidance is available in Dutch, here.

Hungary

Hungary’s data protection regulator, Nemzeti Adatvédelmi és Információszabadság Hatóság, has published guidance on COVID-19. The guidance is available in Hungarian, here.

Slovakia

Slovakia’s data protection regulator, Úrad na ochranu osobných údajov Slovenskej republiky, has published guidance on COVID-19. The guidance is available in Slovak, here.

Slovenia

Slovenia’s data protection regulator, Informacijski pooblaščenec, has published guidance on COVID-19. The guidance is available in Slovenian, here.

The California Consumer Privacy Act 2018, or CCPA, is a US state privacy law that took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement begins on 1 July 2020.

1. What types of organisations are covered by the CCPA?

The law applies to for-profit businesses that fall into any one of the following categories:

  • Annual gross revenue in excess of $25 Million (US Dollars); or
  • Buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or
  • Earns 50% or more of annual revenues from selling consumer personal information

2. What types of data or information are covered by CCPA?

The CCPA protects the personal information of California consumers. Personal information includes many different types of data and information including identifiers (name, address, social security number and online identifiers etc), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences taken from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.

3. What are the main CCPA obligations for businesses?

Businesses must:

  • Provide notices to consumers at or before data collection
  • Create procedures to respond to consumer requests to opt out, know and delete information, including putting “Do Not Sell My Information” notices on websites and mobile applications
  • Respond to consumer requests to know, delete and opt out within specific timeframes
  • Verify the identity of consumers who make requests to know and to delete, whether or not the consumer has a password-protected account with the business

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with CCPA?

No. GDPR and CCPA have different scopes, definitions and compliance requirements. However, there are important similarities. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. GDPR Privacy Notices, Policies and GDPR processes used to respond to GDPR rights can assist CCPA compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Do Not Sell notices and their underlying systems are unique to CCPA and present several practical, technical and technological challenges.

5. Does the CCPA apply to businesses in other US states or to foreign companies?

Yes, it can. If a business falls within the CCPA qualifying criteria and holds personal information about California consumers, then the CCPA applies. Businesses based in other US states and companies from outside the United States may have to comply with the CCPA. All organisations should seek specialist advice, monitor the development of the CCPA enforcement regulations, examine official guidance and watch the regulator.

Since May 2018, companies and organisations have been given time to fully come to terms with the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. This is both an enlightened approach to enforcement and a practical necessity.  Rushed enforcement could compromise the quality of decisions and trust in the UK’s and EU’s data protection regulators.

During this pause in enforcement, several EU regulators set up new systems, increased staff and in some cases reinvented themselves. At the same time, many EU regulators were inundated with complaints and personal data breach notifications, which stretched their resources and extended their response times. In addition, all EU regulators are now legally required to consult each other about key decisions to encourage transparency and consistent interpretation across the EU. However, enforcement, including fines, has now begun and will increase in frequency and impact in the coming months and years.

GDPR Enforcement

GDPR enforcement and interpretation will come from various sources. As a result, companies and organisations should look beyond the UK Information Commissioner’s Office to test and update their data governance standards, GDPR compliance and cyber security resilience. Firstly, the European Data Protection Board (EDPB) is a key player, acting as the EU’s super regulator for data protection. Its published opinions and guidance are highly respected in interpreting and applying GDPR. Secondly, the UK and EU courts will play an increasing role, because these courts are currently considering key cases that could redefine the boundaries of the GDPR, including for key pre-GDPR tools for international data transfers such as the EU Standard Contractual Clauses. These court decisions could require changes to current commercial deals and past contractual arrangements at great expense to businesses.

Thirdly, high quality sector and industry-produced data protection codes of practice and certifications will increasingly be considered as baseline compliance and become standards against which relevant GDPR and cybersecurity practices will be judged. Fourthly, companies and organisations must look at other key data protection regulators around the world, such as the US Federal Trade Commission, whose data privacy decisions about the largest US technology companies will affect countless other companies and organisations in the UK. Finally, for UK and Irish organisations, the type of Brexit that is agreed will determine the future reality of UK GDPR enforcement and the status of critical personal data flows in and out of the EU after any exit.

Companies and organisations must get the basics of GDPR right

Key Lessons

Key lessons can be learnt from the first fines, enforcement decisions and guidance in the UK, France, Germany, the Netherlands and elsewhere. Accountability is a key principle in the GDPR. It is now clear that cybersecurity breaches will lead to large fines where a lot of personal data are lost or stolen, even where the cause is simple human error or a flaw discovered in the organisation’s procedures.

Companies and organisations must get the basics of GDPR right, such as clearly informing individuals about data use and having fair, simple and transparent consent processes. The data protection risks attached to new technologies such as adtech, artificial intelligence and facial recognition must be subjected to robust Data Protection Impact Assessments, and the outcomes of these must clearly inform how personal data are used. Privacy by Design and privacy by default are central to effective compliance; they are not mere add-ons. Crucially, Data Protection Officers must be qualified, well trained and independent, give frank advice and be empowered to make decisions and act.

Time for clear analysis, reality checks and action

Amid the flurry of activity generated by fines, enforcement decisions, GDPR opinions, guidance, codes of practice and certifications, companies and organisations must remain composed and outcome-focussed, yet adaptable. Relevant GDPR and cybersecurity developments must be identified, interpreted and effectively applied to the organisation, allowing agreed new norms to be absorbed into its operations.

GDPR, cybersecurity, legal, audit and operational perspectives must be gathered and rationalised. For present and future GDPR and cybersecurity enforcement, the question is no longer “have you complied, and how?” It is more demanding.

Why has compliance been done in that way, what risks have been identified and how have these risk levels been effectively and continuously addressed? This requires very clear analysis, ongoing review, an understanding of the limits of the law, knowledge of the shades of interpretation as well as an awareness of the challenges of real-life GDPR application. Fines and enforcement always test theories and best intentions against reality.

Client Success Stories: What Our Partners Say

Our clients’ testimonials are the performance indicators PrivacySolved values most. These keep us focused on excellent delivery, while never losing sight of the evolutionary nature of our clients’ needs, our expertise and the need for continuous improvement.


Take the next step

PrivacySolved can empower your real-time response to Data Breaches or Cyber Attacks globally, around the clock and across time zones. At any time, you also can activate our global data privacy expertise, DPOs, vCISOs, cybersecurity strategy and responsible AI services.

© Copyright 2025 PrivacySolved. All rights reserved. Website by Jerboa.