By John Flynn, Principal Security Consultant at Conosco

The UK has officially left the European Union now that the transition period has ended on January 1st 2021. But this could raise issues with one of the biggest bugbears for many companies – the international transfer of personal data.

Businesses can relax, somewhat – GDPR, which took businesses months to get their heads around, is not being replaced. It will continue as the UK GDPR 2018, and will still be based on the criteria of the Data Protection Act of 2018. However, the UK will retain the right to change the UK GDPR as it sees fit in the future.

The main changes apply to those who receive data coming into the UK from Europe. Transfers from the UK to other countries can continue under existing arrangements.

We know it can be difficult to cut through the legal jargon, so we have simplified what you need to know to protect yourself and your data:

1 – Update your privacy notice

Most businesses do not have the correct clauses in place ahead of January 1st, potentially exposing their liability, should something happen to their data. All company privacy notices online will need to be updated to specifically state ‘UK GDPR’, as opposed to ‘EU GDPR’. You will also need standard contractual clauses in place, which cover both parties – those transferring and those receiving the data.

 The Information Commissioner’s Office (ICO) has a list of what needs to be included in the standard contractual clause here. The ICO will remain the UK regulator for data protection, regularly liaising with each EU member state.

This also applies to Multi Corporate Groups who operate in multiple countries, who need to update their documentation and privacy notice to expressly cover the data transfers.  The UK has applied for an adequacy assessment, which would negate the need for contractual clauses, however this has not yet been approved by the EU.

2 – Data privacy assessments

Any company which runs applications and software should always perform a Data Privacy Impact Assessment. This was also in the guidelines before, but these assessments are now more important for those who outsource their IT operations internationally.

For example, when using a service such as a cloud-based system, the company must be sure that its service provider adheres to UK GDPR and stores the data within the European Economic Area (EEA), or has a binding corporate agreement with the company, where data is stored outside of the EEA. You should also, as mentioned above, make sure that a contractual clause is in place.

3 – Review local legislation

Contracts should now have contractual clauses that specify the responsibilities of the data controller and the data processor. If you are receiving personal data from a country territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers. You should check local legislation and guidance in this case.

4 – Cyber Security health check

The ICO is increasing its capacity and efforts to crack down on data breaches, post-Brexit. Now is a great time for all companies to have a health check to understand their Information Security posture and GDPR compliance. Nobody wants to be caught handling data improperly and fined when it could have been prevented with education and training.

A gap analysis performed by an expert is money well-spent. It’s also a fact that companies that have cybersecurity and Information Security controls are not only able to better defend against attacks but are also far better placed to recover from an attack.

Looking forward

It’s important that all businesses – large and small – are properly preparing their data storage and transferring for the 1st January. ICO has been busy setting examples by fining large, high-profile companies for failing to keep millions of customers’ personal data safe.

It will continue to come down hard on the data breaches of personal identifiable information and special categories of data. The saying ‘prevention is better than a cure’ rings truer than ever this year, and you will thank yourself if you make the efforts to properly store your data now, and not when it’s too late.