Data Protection Update (LSWG)
At the time of writing, the UK has not been granted data protection ‘adequacy’status post transition. Unless this status is granted by 1 January 2021,the EU will consider the UK a ‘third country’ in data protectionterms.
By Dr Elizabeth Lomas, Associate Professor in Information Governance, University College London and Fred Saunderson, Rights and Information Manager, National Library of Scotland on behalf of LSWG.
This is a critical moment for information professionals as the UK approaches the end of the agreed Brexit transition period on 31 December 2020. The Government has made provisions for existing data protection law to continue after the end of the transition, in the form of the ‘UK GDPR’ and the existing Data Protection Act 2018. However, there will be changes that our readers will wish to prepare for.
At the time of writing, the UK has not been granted data protection ‘adequacy’ status post transition. Unless this status is granted by 1 January 2021, the EU will consider the UK a ‘third country’ in data protection terms. The main impact will be implications for the transfer of personal data from the EU/ EEA to the UK, which includes many cloud-based services.
Without ‘adequacy’ status, the EU GDPR requires additional safeguards to be in place before data may be transferred. Those in the UK should take action to ensure their processes are ready for a ‘no-adequacy’ end to the transition period. Data controllers in the UK may need to take steps to ensure that agreements, policies, and privacy notices are up to date and reflect the status of the UK GDPR. Standard contractual clauses have been released. Further information is available here. In addition, UCL has produced a report on the cost of data inadequacy which is available here.
Finally, we wanted to highlight the ICO’s new Guidance on Subject Access Requests. The LSWG responded to the consultation on this but additions have been made that were not part of the consultation, including the potential to introduce charging through the back door. This is by means of charging a fee if a request is deemed to be ‘manifestly unfounded’. Further information highlighting key changes is available here and the full guidance is available from the ICO here.
 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
Tuesday, 01 December 2020 12:31