Brexit & UK GDPR
Now that Brexit is here and data protection laws are more complicated than ever (see our Brexit blog), I wanted to highlight some best practices on managing personal data that continue to apply even after Brexit.
Following the UK's withdrawal from the European Union (and the end of the transition period on 31 December 2020), the EU GDPR is now retained in UK law as the "UK GDPR". The UK GDPR demands the same level of accountability from UK organisations as the EU GDPR does. So the aim should not be "not being caught out" but rather that, from the outset, you treat personal data in your organisation with the same care you would want taken with your own personal data.
The "do as you would be done by" philosophy is a great starting point for developing a privacy and data protection strategy. That said, although you might already be in the right place ethically, you may very well be unsure where to start.
A great place to start is to work out where you are by auditing your current data and data processing activities. A data mapping exercise of this kind will help your organisation identify the areas of its operations conducting high-risk data processing activities. Identification will allow you to develop a mitigation strategy focused on the "real" risks, which will save your organisation time, money and resources. You can do this in-house by building a task team, or you can seek external help from specialists like Orbital Law.
How Should You Begin
Either way, you need to start by preparing a plan that covers what you want to achieve (i.e., the business objectives), the required outputs (i.e., the high-risk areas), business/senior management stakeholder support, and the resources available to manage the exercise.
This exercise will likely deliver a data map – a visual record of the data you hold, your processes and how the data flows around the organisation.
This useful tool also allows the senior team to consider the business's lawful basis for holding each set of data, for example "consent". The UK GDPR recognises six lawful bases (Article 6), and there is a full list of these, with guidance on choosing between them, on the ICO website.
You need to be able to demonstrate these lawful bases, both to the ICO and, more importantly, in your privacy notices to the individuals who choose to share their data with you.
Remember also that if you offer goods or services to, or monitor the behaviour of, individuals in the EU and process their personal data, you will need to adhere to the EU GDPR rules irrespective of Brexit, in addition to the UK GDPR.
You may also consider appointing a Data Protection Officer (DPO) to oversee your data strategy. For some organisations (for example, public authorities, or those whose core activities involve large-scale monitoring or large-scale processing of special category data) appointing a DPO is mandatory; for everyone else it is another way you can demonstrate to the ICO that you are taking privacy laws seriously.
Insure the Risk
Finally, a note about insurance and risk mitigation: it may be that your business has decided that cyber insurance is the best way to mitigate the risks around data management and data breaches. That said, do not assume that your insurance has all the bases covered. As part of your audit, it is worth checking what your cover actually includes, and what it excludes.
The ICO website is an excellent resource for more detail on this subject. If you would like to speak to us about Data Audits or appointing a DPO, please contact us at Orbital Law today.