Brexit: is the UK leaving the GDPR too?


On the 15th of January 2019, the British Parliament voted massively against the Brexit deal UK Prime Minister Theresa May had been negotiating for months.

This means the “no deal” scenario is becoming more relevant than ever.

Apart from all the economic consequences, there will also be a huge impact on the transfer of personal data between the EU and the UK.

In the event of a no deal Brexit, on 29 March 2019 the EU GDPR (the EU’s General Data Protection Regulation) will be brought into law in the UK through the European Union (Withdrawal) Act 2019. If a withdrawal agreement comes into effect, and with it a transition period, the EU GDPR may also continue to be applicable in the UK as an instrument of EU legislation. 

But on the expiry of any such transition period, or in the event of a no deal Brexit, the country will have its own, standalone regime - rooted in the EU GDPR but capable of modification by future UK governments (the “UK GDPR”).

In this case, the UK becomes a “third country” as described in Chapter V of the EU GDPR.

That would mean that any transfer of personal data between the EU and the UK must meet one of the legal requirements as set out in the EU GDPR.

On the 13th of December 2018, the UK government already stated that it will grant an adequacy decision to the 27 EU member states in case of a no deal scenario.

This decision states that:

  •  the EEA Member States are recognized as “adequate” for the purpose of the UK GDPR (allowing the free flow of personal data from the UK to the EEA)

  • the UK will adopt the adequacy decisions made to date by the EU, allowing transfers of personal data to continue from the UK to countries such as Guernsey, Israel and US companies which are Privacy Shield signatories

  • the UK will recognize the EU standard contractual clauses as a valid means of transferring personal data from the UK to international recipients outside of the EEA

However, so far there is no indication that the EU will mirror these statements.
In this case, multiple scenarios are possible, and these scenarios will determine what companies need to do to remain compliant:

  1. The EU grants the UK an adequacy decision. Meaning: the EU considers that the UK adequately protects personal data, so transfers of personal data can continue without any further protective measures.

    However, the EU has already made clear that this is not going to happen at short notice, as it has no guarantees that UK legislation will continue to protect data in the same way Europe does.
    The procedure to grant an adequacy decision cannot start before the 29th of March 2019, when Brexit is officially a fact, and typically takes several months, if not years.

  2. More likely: no deal and no adequacy decision, so the UK becomes a third country and companies processing personal data of people in Europe will need to comply with the GDPR on their own.

    • Appoint representatives
      Both the EU GDPR and the UK GDPR will require controllers to appoint representatives as required by Article 3(2) of the EU GDPR. UK GDPR will replicate this requirement.

    • Relations with supervisory authorities
      Organizations that are in scope of both the EU GDPR and the UK GDPR after Brexit (regardless of the “deal” or “no deal” scenario) will be under the jurisdiction of at least two supervisory authorities.
      As long as it remains unclear how this will be handled, companies will need to comply with the ICO for the UK part, and choose a lead supervisory authority in the 27 remaining EU countries for any cross-border processing.

    • Role of the DPO

      Where a DPO has been appointed, organizations should consider whether that DPO can still perform that role under both regimes, given that in the future, that person will need to have suitable expertise in both EU and UK privacy laws.

    • Remain compliant

      On Brexit, a number of steps are important to remain compliant, both for companies in Europe and in the UK:

      • Update your existing policies and procedures, such as privacy notices, the register of processing activities, Binding Corporate Rules, etc.

      • Make sure you have appropriate safeguards in place when transferring data to and from the UK

      • For UK companies operating across Europe: review structure, processing operations and data flows to make sure they fit the changed situation

      • Review all privacy information and internal documentation to identify any details that will need updating on Brexit

Both the ICO (Information Commissioner’s Office) and the Irish Data Protection Commission have posted guidelines on what British companies should do if a no deal Brexit becomes reality on the 29th of March 2019.

GDPR is dead, long live GDPR


First of all, at the start of this new year, it is time to wish you the very best for 2019.

Now, with the new year, most of the GDPR hype is over: we got rid of all the emails requesting our consent and the media have discovered other items to talk about.

For those that have already gone through the effort of adapting their way of working to make it GDPR compliant: congratulations!

For the others:

The best time to prepare for GDPR was yesterday.

The next best time is today …

As the deadline of the 25th of May is already long overdue, there is no more need for quick and dirty solutions: we can stop all the window-dressing and set up a decent organization, in line with the company standards and, above all, with a pragmatic approach that does not disrupt our business.

We are lucky in Belgium that our DPA (Data Protection Authority) has not started massive controls yet, so that gives us a little breathing space to get compliant.

But that should not at all be an excuse for ignorance!

As said before, if you go through the process of getting GDPR compliant just to avoid the fines, you haven’t understood the message.

Your employees, your customers and all your other contacts deserve respect for their privacy and for the (personal) data they entrust to you. They are the ones who will benefit from this project, and in the end they will decide whether they want to continue doing business with you…

Now, what are the top 5 items to focus on in 2019?

  1. Have your privacy and cookie policies updated in line with GDPR

    By doing this, your visitors know what happens with the data they leave behind, and you already give a clear signal that you care.

  2. Negotiate the necessary data processing agreements

    All subcontractors involved in the processing of personal data on your behalf should sign one.
    Not only will they be motivated to respect the rules on processing your personal data, but you will also have a better insight into the quality of your subcontractors.

  3. Have an information security framework in place.

    We based our approach on ISO27001, a globally renowned framework that will give you a clear overview of your current security status. This will be a baseline for further improvements and will provide an extra security guarantee to your customers.

  4. Set up a risk management platform

    We call it a DPIA (Data Protection Impact Assessment), but here again you will benefit twice, as it will provide you with much more management information than what is required for the GDPR.

  5. Start creating privacy awareness at all levels.

    GDPR is not a project for legal and IT departments. They are the ones leading the way, but they can only succeed when everyone within the organization is involved.

Now, how about outsourcing this project? 

We are best placed to take it out of your hands, so you can focus on your core activities.

Our team of highly experienced specialists has all the templates ready, can organize the necessary trainings and workshops and has you up and running in no time …

Contact us to get a detailed budget estimation, you might be pleasantly surprised …


6 months after the GDPR: are we there yet?

The panic leading up to May 25th has gone, business continues as before, and a large majority of Flemish organizations admit they are nowhere with regard to GDPR compliance.

A study by Wolters Kluwer, a major publishing company in Flanders, reveals that 12% of our companies have done nothing yet, almost half of our organisations do not even have a register of processing activities, and 94% admit they are in a reactive mode: they will take action once the requests start coming in.

https://gdpr.wolterskluwer.be/nl/nieuws/gdpr-na-6-maanden-zijn-we-er-al/

Unfortunately, as our Belgian DPA apparently only exists on paper, most of its members still need to be officially appointed by the Belgian Parliament, and it has clearly announced in the press that it is ready neither to carry out controls nor to impose fines, the pressure on our businesses is not extremely high.

But you shouldn’t comply with the GDPR, or any other privacy regulation, just to avoid fines…
Complying shows respect to your employees, to your customers and to whomever trusts you with their personal data. So the next best time to react is TODAY, as the best time has already expired…

GDPR: Legal or IT stuff?

“We've assigned our corporate legal department to take care of the GDPR.”

You can't argue with that, for sure. The GDPR is a regulation with 99 articles, together with 173 recitals. So there is no discussion: this is the domain of lawyers and legal counsels.
So it is understandable that companies think of their legal department first to assess the impact of the GDPR on their activities.

And if all goes well, your lawyer will translate the regulation into readable and understandable instructions, and provide you with a prioritised list of topics for your business. He will also interpret certain articles that the European regulator left open for discussion, and, based on his own experience, advise you how to tackle them.

But unfortunately, from that moment on, you will have to take care of things yourself. Indeed, the instructions of your lawyer will need to be implemented in your organisation.
Your staff needs to be trained and the necessary awareness created. Policies and procedures need to be put in place, and all processing of personal data must be registered.
You will probably need a number of processing agreements with suppliers with whom you share personal data, you will need templates for consent forms ...
You will need an adequate procedure to respond in case of a data breach, and when an individual wants to exercise his rights as a data subject, you will have to make sure he gets a proper answer in due time.

And, although your lawyer is certainly a key person in this project, he generally is not the most appropriate party to take care of this practical approach.

On top of that, a very important aspect is the integrity, confidentiality and security of personal data, required by Article 5 of the GDPR, and by extension of all your data.
Indeed, what's the use of having a clear privacy statement on your website, of allowing your contacts their right of erasure, right of rectification, right to object, etc., if you cannot guarantee the security of that data? Also for these aspects of the GDPR, your lawyer or legal counsel will rely on the information security specialists to take care of things.

Precisely in these domains, our proven approach will help you to plan, budget and implement the GDPR in your organisation.

Based on the ISO27001 framework, we have developed a system that gives you a clear view of your current situation. You get an overview of all domains of information security, of course with clear references to the GDPR. It all starts with a number of interviews with key people in your organisation. A list of specific questions gives us a detailed insight into your way of working and potential issues for your information security. The results of those interviews are summarised in a practical dashboard that will be the guideline for future actions and improvements.

Together with your management team, your legal counsel and your IT staff, we budget, prioritise and plan the necessary actions. We start with the low hanging fruit, so you can immediately show some results, and assist you all the way in becoming GDPR compliant.

And if, in a later stage, you want that official ISO27K certification, you are already on the right path…

Contact us via privacy@serve-it.be for more information.

Does my organisation need a Data Protection Officer?


First of all: what does the GDPR say?

The controller and the processor shall designate a DPO in any case where:

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract.

So, in plain, human language:

  • if you process sensitive personal data, or if you process large amounts of personal data on a regular basis, you need to assign a DPO

  • however, this DPO does not necessarily need to be a staff member, and he does not need to be full-time in your company

On the other hand, every company, small or big, that is processing personal data, is subject to the GDPR regulation.

So even if, on a purely legal basis, you do not need to assign a DPO in your company, it might be a good idea to at least have someone with the proper knowledge who guides you through all the obligations you have with regard to data privacy.

That’s why Serve-iT is your preferred partner to provide you with a “DPO as a Service”:

  • Serve-iT assists you with all your data privacy and data protection questions

  • Your staff gets trained and we set up your awareness campaign regarding data privacy

  • We assess your current maturity towards GDPR and e-Privacy regulations

  • Based on that assessment, Serve-iT will guide you in your implementation projects

  • We ensure the necessary follow-up (strategy, legal context, framework, procedures, information management, tooling)

  • We organize, steer and follow up your Data Protection Impact Assessments (DPIAs)

  • We organize and monitor internal audits

  • When necessary, we maintain all necessary contacts with the Data Protection Authorities (DPAs) as well as with the individuals who request to exercise their rights (rights of the data subjects)

Of course you want to get rid of all those obligations. You prefer to spend your valuable time on your core business!



Privacy in the Middle East

An often heard statement while we were in Dubai: “Europe cannot come and tell us how we need to work over here, can they?”

Well, indeed, you are absolutely right. But maybe your customers will.

Are you prepared to risk contracts and customers by not being able to demonstrate that you respect their privacy?

As the GDPR is one of the most stringent privacy regulations in the world, work towards GDPR compliance as of today and, as a free bonus, get ready for privacy regulations all over the world.