The General Data Protection Regulation (GDPR) has been in force for nearly two years, so hopefully you are already compliant. As a reminder, here are the ten most important actions you need to take to comply with the GDPR.
1) Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it;
2) Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it;
3) Ensure that your data security strategy is robust and that you have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of a data breach or other security incident;
4) Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA);
5) Update your privacy notice to ensure that you’re being transparent about the means and purposes of your data processing;
6) Update your cookie policy to ensure that you aren’t relying on implied consent, that visitors to your website are taking affirmative action to consent to non-essential cookies being used, and that those cookies are set only after consent is obtained;
7) Ensure that your staff are appropriately trained in the relevant areas of the GDPR;
8) Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary;
9) Determine whether you need to appoint a Data Protection Officer (DPO). If you do, take the necessary steps to hire a suitable candidate;
10) Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.
Although the UK has left the EU, the UK’s version of the GDPR, which is very similar to the EU GDPR, will apply. There are, however, three areas of potential change that should be considered well ahead of 31 December 2020, the expiry of the Brexit transition period:
After 31 December 2020, the Information Commissioner’s Office (ICO) can no longer act as Lead Authority, so you will have to deal with both the ICO and your EU Lead Authority. If you are solely established in the UK but your processing is likely to substantially affect individuals in any other EU member state, you will, post-Brexit, have to deal with the ICO and with the supervisory authority in each EU member state where the individuals whose personal data you process in connection with those activities are located.
In theory, you could be fined by the ICO and by the supervisory authority in every EU member state where data subjects are affected. If you are affected by this, it would be a good idea to start considering the impact of this and whether it would be worth forming establishments in certain EU member states in order to take advantage of the One Stop Shop.