Ten days before BREXIT, MyData-TRUST would like to provide more practical GDPR-specific information.
December 21, 2020
From 1 January 2021, the United Kingdom will become a third country for the purposes of the EU General Data Protection Regulation. Although UK data protection law is very similar to the GDPR, this event will affect a number of formalities, and adjustments will need to be made. Active negotiations over the last months have put many organizations in "wait and see" mode, without a clear view of what needs to be done.
However, with Brexit just days away, here are six action items that MyData-Trust recommends, if not yet done, to all organizations that want to ensure they are ready for the changes in data protection law:
Analyze whether you are subject to European and/or UK data protection law. For example, if you are a UK company offering goods or services to individuals in the EU (or if you are acting as a sub-contractor), you may need to comply with UK law while continuing to be subject to the EU GDPR.
DPO notification (UK based organizations)
With the UK no longer part of the EEA, there is no lead authority within the EEA anymore; therefore, the DPO will need to be notified to the DPAs of all EEA countries where processing activities take place.
If you are a UK-based company that continues to be subject to the EU GDPR, you may need to appoint a representative (DPR) under the applicable data protection rules. Conversely, a company established in the EEA and having activities in the UK may also have an obligation to appoint a DPR in the UK. Note: if you appoint a DPR, remember that it needs to be named in notices, including patient information for clinical trials (see below).
Internal records and procedures
Update the register of processing activities, required by both the EU GDPR and the UK data protection law, because if processing is to be subject to dual regulation, it must accurately describe which processing is subject to which regime. It should also define which supervisory authorities will supervise the processing activities. Also check that internal policies and procedures are up to date and start revising them if needed.
EEA/UK data transfers
Review all data flows which involve UK – EEA data transfers, assess whether processing activities are still ongoing, and check the contracts, as you may need to amend them (in particular if the European Commission does not rapidly make a finding of adequacy under UK data protection law).
Ensure that your privacy notices are up to date and consistent with the changes brought about by the new UK legislation, in particular in relation to transfers and applicable data protection regimes.
Your DPM/DPO at MyData-Trust
Your DPM/DPO at MyData-Trust is available to help you identify from the list above what needs to be implemented and to set the priorities. We can also act as your DPR (if not already the case) and respond to your needs depending on your situation and location.
If you have any questions, please contact us. The MyData-Trust team will make every effort to support and sustain your activities involving personal data.
GDPR SUMMIT applied to health data 2021
To discuss this interesting topic together, we invite you to register for our next GDPR SUMMIT, which will focus on 3 topics:
- Are instruments of data transfer sufficient? Focus on standard contractual clauses, the Schrems judgement, and ad hoc clauses
- Limits and opportunities of derogations. How do derogations provide (or not) solutions in case clauses are not acceptable?
- Brexit: what do we know, and what do we still not know? How should companies react?