Data from Europe if the UK leaves the EU with no deal

If the UK leaves the EU without a deal and you are a small or medium-sized business or organisation based in the UK that needs to maintain the free flow of personal data into the UK from Europe, you will need to take some action.

Putting in place a contract between you and the sender on EU-approved terms, known as standard contractual clauses (SCCs), will be sufficient in most cases. The contract needs to be in place before the date that the UK leaves the EU without a deal.

If you receive personal data into the UK from the EEA (the EU plus Iceland, Liechtenstein and Norway), you need to:

  1. decide whether standard contractual clauses (SCCs) can help you maintain the flow of data
  2. select the right SCCs
  3. understand the SCCs
  4. complete the SCCs.

The ICO has produced an interactive tool to help with these steps.

If you are a larger organisation or multinational company, a data protection professional, or you already have well-established transfer mechanisms, the Information Commissioner's Office (ICO) has specific guidance on leaving the EU and on international transfers on its website.

Things to think about before Brexit

If you haven’t already thought about it, there are some things that you will need to do to prepare your business for Brexit.

Especially if you:

  • import or export goods or services to the EU,
  • exchange personal data (including customers’ addresses, staff working hours or information you give to a delivery company) with an organisation in Europe (this includes using websites or services hosted in Europe & processing personal data from Europe), or
  • use or rely on intellectual property (IP) protection (this includes copyright, trademarks and patents).

There is a useful step-by-step guide at https://www.gov.uk/get-ready-brexit-check

Copyright

To put the record straight, copyright is an automatic right. Therefore, when you produce a creative work, you own the copyright in it. There are a few exceptions: for example, if you have a contract of employment, the contract will generally state that when you are employed the employer owns the copyright of material you produce at work.

Copying or adapting someone else’s work is a ‘restricted act’. An adaptation is a ‘derived work’. If someone adapts your work, you still own it. There is no acceptable percentage of changes.

You have every right to object if they publish such a work when you have not given them your permission to do so. You are also entitled to reclaim any money they make from selling your work. They could seek your permission to use the work as the rights owner; however, you will be able to charge a fee and/or royalties for this.

Read more about copyright. If you would like more detailed information about copyright please ask for our Copyright White Paper.

GDPR Myth Busting – We need to appoint a Data Protection Officer

Not necessarily.

All organisations must designate someone to take responsibility for data protection compliance.

Some are required to appoint a Data Protection Officer.

Future-thinking organisations are choosing to appoint a DPO to help regulate their privacy and build a stronger foundation of trust with their customers.

The GDPR allows for organisations to appoint an external DPO based on a service contract.

If you do appoint a DPO you must notify the ICO.

Find out more

GDPR Myth Busting – There is no requirement to register with the ICO

You now need to pay the data protection fee.

The old regime of registration has been replaced with the requirement to pay the ICO a data protection fee unless you are exempt.

On payment, your business is added to the public register.

There are three different levels of fee, based on the risks associated with the personal data processing. The level depends on a variety of factors, including how many members of staff you have and your annual turnover.

The ICO has started prosecuting businesses that are not paying the data protection fee.

Find out more

GDPR Myth Busting – We have to have a Data Protection Policy

No, you don’t. A data protection policy will help you address data protection in a consistent manner and demonstrate accountability, but it is not a legal requirement.

However, individuals have a right to know that you are collecting their data, why you are processing it and who you are sharing it with.

You should publish this privacy information on your website and within any forms or letters you send to individuals.

What information you supply depends on whether you obtained the personal data directly from the individual or a third party.

It is not good practice to copy other companies' privacy notices, as they will not reflect your processing activities, and this type of superficial compliance is very easy for a regulator to spot and challenge.

Find out more

GDPR Myth Busting – So we just won’t tell them

Compulsory breach notification is in place.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

You must keep a record of all personal data breaches.

You have to notify the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. This has to be done without undue delay, but not later than 72 hours after becoming aware of it.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those concerned directly and without undue delay.

If you are a data processor you are under an obligation to notify the data controller, but not the ICO.

So, for example, not using the bcc function on an email to a number of recipients is a potential data breach. This should be recorded but will not need to be reported to the ICO unless the email contains information which has a privacy risk, such as home address details. If the email contained bank account details, there is a potential for fraud and this would need to be reported to the ICO and the individuals concerned.

PS: if you get an email that should have been bcc’ed, do not hit ‘reply all’ to tell the sender of the issue, as you would be committing a data breach yourself.

Find out more

GDPR Myth Busting – The ICO will impose massive fines for data breaches

The Information Commissioner can issue a monetary penalty for failing to comply. There are two tiers:

1. The higher tier is €20 million or 4% of the total annual worldwide turnover, whichever is higher. This applies to any failure to comply with the data protection principles, any rights an individual may have, or in relation to transfers of personal data overseas.

2. If there is an infringement of other provisions, the standard maximum amount will apply, which is €10 million or 2% of the total annual worldwide turnover, whichever is higher.

You are likely to incur the wrath of the ICO if you persistently, deliberately or negligently flout the regulations or misuse data. The ICO has stated that this will particularly apply to large companies in the technology sector. However, many small firms fear the ICO will be heavy-handed in dealing with non-compliance. The Information Commissioner herself has said that small businesses which did not make extensive use of customer data would not come under close scrutiny.

Accountability is one of the key data protection principles – this means that you must be able to demonstrate your compliance. For most small businesses this means you should identify your Information Assets and record what Personal Data is held, where it came from, who you share it with and what you do with it in an Asset Register.

Find out more

GDPR Myth Busting – If we receive a deletion request we have to delete everything about them

The Right to be forgotten (or the right to erasure) is not an absolute right and does not apply where there is a lawful reason for the continued processing.

HR records often present issues. For tax purposes, you need to keep records of people who have worked for you for 7 years, including a name, start date and termination date. But you are unlikely to have a lawful reason to keep other information such as emergency contact details, passport scans and bank details.

You should set out retention periods and securely delete unnecessary data, in hard copy and electronic formats including backups, when it is no longer required.

This also makes it easier to respond to a data subject access request, as if you don’t have the information you can’t supply it.

Find out more