The UK's departure from the EU is the most significant development. How will the transfer of data between the EU and the UK work in practice?
Many organisations employ a number of international staff and conduct business with EEA-based suppliers. You therefore most likely need to process personal data internationally as part of your everyday dealings.
It is important that your institution understands the impact that the different scenarios could have on the UK's data relationship with EEA countries.
We are set to leave with a deal on 31 January 2020. At this point, the UK will enter what is known as the 'transition period' for 11 months until 31 December 2020.
During this period, EU data protection law will continue to apply to the UK. The intention is then for the UK to apply for an adequacy decision from the EU regarding its information security practices.
This would mean that at the end of the transition period, the UK would be deemed to have adequate security in place to protect personal data, and no further action would be required to continue the smooth transfer of information between the UK and EEA countries.
We recommend that you keep abreast of the latest developments in the process of the UK exiting the EU, so that you know whether further action will be required of you. This will be particularly relevant if the EU does not grant the UK an adequacy decision, as you may then need to consider other methods, such as standard contractual clauses, to facilitate the lawful transfer of personal data.
A practical step that can be taken now is to check your contracts with suppliers and third parties for any mention of transfers of personal data to or from countries in the EEA. These may need to be amended in the event that we leave the EU without a deal.
It is clear from the full list of fines levied in the past year that the ICO considers information security to be of the highest priority for organisations that process personal data. By way of example, the final fine of 2019 was for a failure to ensure the security of special category personal data.
If your organisation holds large quantities of personal data, this makes it an easy target for both deliberate attacks and accidental security breaches. With new malicious methods appearing daily, and with the added risk that comes from our reliance on technology, it is vital that organisations keep up with the latest developments so that they do not inadvertently fall foul of their obligations.
We recommend that you conduct a review of your current information security processes and identify any areas that may benefit from a refresher. The point to bear in mind is that your obligation is to demonstrate that you have in place all technical and organisational measures to ensure the security of personal data. This includes up-to-date firewall and virus scanning software, as well as educating staff about online dangers. For example, you may want to consider running a phishing email test to assess the level of awareness across your organisation and to identify weak spots.
Individuals now have more awareness of their rights in relation to their own data, especially in the wake of the Cambridge Analytica scandal. You should therefore expect to receive more requests from individuals who wish to exercise their rights.
To prepare for this, you could conduct a review of your current process for responding to such requests efficiently. Staff training is vital, as individuals do not need to state that they are making a request under data protection law, and they do not need to direct it to the most appropriate person (eg the Data Protection Officer). This means that a client or customer may make a request such as "Please may I see a copy of all correspondence with me from the last year" to a junior member of staff, who may not understand that this is a subject access request that carries with it legal requirements (eg around timescales for response). Staff training ensures that requests do not get missed or mishandled.
Training staff and streamlining processes will help you respond to requests in a time- and cost-effective manner, without putting unnecessary strain on resources.