Things are set to change again, with a raft of recent developments including the announcement of new data protection laws in the Queen's Speech, which could see the UK moving further away from the EU.
We look at some of these recent developments and some of the practical issues that organisations should be considering as part of their data protection compliance.
The good news for the movement of personal data between the EU and UK and vice versa is that the EU recognises the UK (currently) as having adequate data protection laws. Likewise, EU member states, plus a handful of other countries, have the benefit of a UK adequacy finding, meaning that personal data can be transferred to these countries from the UK without additional steps for compliance.
For other countries, such as the USA, China and Australia, you will usually need to find a safeguard to make the transfer from the UK lawful. The applicable safeguard in many cases will be to use the International Data Transfer Agreement (IDTA) prepared by the ICO (the UK's data protection regulator). The IDTA came into force in March this year and will replace the old standard contractual clauses (SCCs) - which are derived from the EU's position on international data transfers. The IDTA and the SCCs can both be used until 21 September 2022. After this date, the SCCs cannot be used in new contracts but will remain valid for contracts already signed until 21 March 2024.
Organisations should therefore think about using the IDTA now for new international transfers of personal data. The IDTA can be used as a standalone document or, perhaps more likely, included as a signed appendix to a wider agreement.
In many respects, the IDTA is an improvement on the SCCs. For example, there is far greater use of 'plain English' and it contains a number of prompts which will help organisations think about practical points such as information security. However, the IDTA is potentially more onerous in that it arguably places a higher compliance burden on the parties compared to the SCCs. In addition, if the ICO updates the model IDTA then the changes will become binding on any IDTA that has already been signed.
In light of these concerns, some organisations have decided to continue using the old SCCs for new transfers up until the last possible moment (ie 21 September). Whether to switch to the IDTA now or continue using the SCCs for the time being will require careful judgement.
The IDTA is only half the story. Organisations must also risk-assess the transfer and, if needed, put in place additional safeguards. The sorts of factors that should be fed into the risk assessment include whether the IDTA (or SCCs) are likely to be enforceable in the other country, the sensitivity of the personal data transferred and the risks of third-party (particularly foreign government) access to the data. The additional safeguards might include further contractual provisions on top of what is already in the IDTA / SCCs, encrypting the data or requiring the recipient party to provide training to staff.
The ICO published draft guidance on the risk assessment last year. However, things have moved on a lot since then and the final version, which is due to be published imminently, will likely be quite different. In light of the direction of travel as evidenced by the consultation (see below), I anticipate that the guidance will take a proportionate and risk-based approach to data transfers, and the ICO are unlikely to want to be seen to be unnecessarily inhibiting international data flows. Nevertheless, the risk assessment is an important part of the process and organisations need to evidence that they have carried out the assessment and that they have implemented any required additional safeguards before the transfer takes place.
The announcement of new data protection laws in the Queen's Speech follows on from the Government's consultation last year on reforming the UK GDPR and the Data Protection Act 2018, which together make up the bulk of UK data protection law.
It is clear from the consultation that the government is aiming for a more 'light touch' regime. The consultation document emphasises the importance of using personal data as a driver for growth and innovation. There is of course a risk that a leaner regime might not have all of the safeguards and protections for individuals that are currently in place.
The reforms mooted in relation to automated decision making are a case in point. Automated decision making essentially means using a computer to make a decision about an individual, for example whether to hire someone for a job. If an individual is subject to a solely automated decision, and it relates to something that significantly affects them, then they are usually entitled to a human review of the decision. The government is considering removing this right, so accusations around the use of "rogue algorithms" may well become even more common in future. On the other hand, the government makes the point that the other safeguards in the UK GDPR may be sufficient without the need for the human review safeguard.
There is also a move to reduce "red tape", for example in some cases by reducing data protection documentation and accountability obligations and doing away with the requirement to appoint a data protection officer.
We are seeing an increasing number of cyber-attacks and data breaches. Data protection laws require organisations to take 'appropriate' measures to safeguard personal data. The vast majority of data protection fines have resulted from information security breaches. As such, information security is arguably the most important area of data protection compliance to get right.
The government's National Cyber Security Centre contains a significant number of resources to help organisations address cyber risks. These include extensive technical guidance for organisations on how to secure their systems as well as some clever tools to help identify threats. For example, the NCSC's Early Warning service is a free tool that will apparently warn you if your network is being attacked.
Whilst we have seen a number of clients fall victim to sophisticated cyber-attacks, in our experience most data protection breaches happen as a result of human error, whether that is a member of staff clicking on a suspicious link, emailing a confidential document to the wrong recipient or leaving papers on the train. It is vital to make sure your staff have been given training on data protection compliance. This training should be backed up with appropriate written policies, containing practical guidance on the everyday 'dos and don'ts'. Not only will these steps reduce the risk of something going wrong, but they will also count significantly in mitigation, should the worst happen.
Things will not stay the same for long. It is worth keeping an eye on developments, including the content of the new data protection laws as well as the ICO's risk assessment guidance.