In this guest blog, Dr Sam Chapman, Chief Innovation Officer, Co-Founder and Director of The Floow, explains a recent CJEU judgement that has fundamentally changed the data protection landscape. He advises that all digital and tech firms making data transfers should perform a risk assessment in line with the new legal position, which relates specifically to the removal of ‘adequacy’ (between the EU and US) and of ‘Privacy Shield’ (the mechanism allowing trusted data transfer) underpinned by that adequacy. We’d like to thank Sam for shedding some light on this complex issue, which we know will be of concern for many of our members.
Firstly, I should be very clear that I’m not an expert in data protection or law, yet anyone who works with data does need an understanding to ensure compliance in data handling. This is not expert opinion so I would recommend much wider reading on the subject. I am sharing this post merely to help inform other digital firms in the region so you can judge your own best practice and, when required, seek advice or expertise from accredited professionals.
It is clear that very few (if any) organisations let alone innovative digital firms can survive today without processing protected data. This could be: core digital processing tasks, email and messaging, handling client contact data, using remote data storage and compute processing, simple online document and record keeping or the use of HR and payroll systems with third party providers.
Whatever the reason that any (and I mean any) data is captured, held, processed or transferred it is vital to maintain an in-depth understanding of its compliance, geographies and legal protection.
This usually means following good practices and emerging guidance, and keeping up with changes in data protection legislation. Unfortunately, in the digital world where data can be processed remotely and touched by multiple agents, this means not only being cognisant of national laws but also being compliant globally. Wherever data is transferred between businesses, customers or geographies, and wherever it is stored or processed, compliance must be ensured at every step.
This is often not a straightforward task given the use of third party services and remote compute and storage capabilities. Crucially, it must be understood that good practice, guidance and underlying laws constantly shift.
Of course, this is nothing new. When GDPR was first proposed it was met with appreciation for the added protections that it may bring citizens, but also worries at the headaches of ensuring compliance adding complexity to businesses.
Although this regulation remains key, please remember that it is underpinned by trade treaties and other international equivalent ‘adequacy’ agreements. All of these are subject to change as geo-political and court decisions set precedents ultimately altering what all firms and countries should and should not do.
All digital firms in particular must pay attention to these changes to ensure ongoing compliance for all data held, transferred or processed.
A recent change to the data protection landscape
For instance, the recent CJEU judgement (triggered by legal battles against Facebook) has invalidated international agreements with immediate effect, fundamentally changing the data protection landscape yet again.
The most important impacts of this include the removal of ‘adequacy’ (between the EU and US) and of ‘Privacy Shield’ (the mechanism allowing trusted data transfer) underpinned by that adequacy. In other words, since this judgement any protected data sent to or from any point in the US has the potential to be in breach of GDPR.
Given the strength and global usage of US digital platforms, tools and data services, this requires special consideration to ensure ongoing compliance for firms of all sizes. Current advice from the European Data Protection Board (EDPB) states clearly that “there is no grace period for any data transferred previously under Privacy Shield or adequacy protection and that any data transfers on the basis of these legal frameworks are now illegal”.
What’s worse, countless third party firms and services do not have adequate protection for the services that many still take advantage of.
What does this mean for you?
So what is the current advice? What should firms do to remain compliant? Does this change what data or services we use? Will it change customer demands?
Unfortunately, official advice still remains very limited despite further work currently underway by the European Commission, the EDPB and the UK’s Information Commissioner’s Office to provide more comprehensive guidance on extra measures all firms ‘may’ need to take.
Despite this current gap in official guidance, outline advice has stated that all firms should have taken stock of all international transfers so that they can react promptly as guidance and advice becomes available. This means immediately stopping any transfer that relied on EU/US adequacy or Privacy Shield for its legal protection. It also means that all firms should maintain their own register of data transfer channels and processing channels, with a good knowledge of what legal protection is in place for each one under the relevant geographies.
For any UK tech firm without this information in place, collating it and confirming that each communication channel is legally permitted, especially in light of the CJEU ruling, should be done as a matter of urgency.
In many cases little action is needed, as a transfer ‘could’ be protected under Standard Contractual Clauses where the contract can guarantee a level of protection equivalent to GDPR. However, each agreement must be evaluated separately in a risk review.
Ultimately, all firms should have undertaken a risk assessment which examines all data transfers to clarify under what terms each data transfer is made. This will become essential following the completion of Brexit, whereby the nature of adequacy between the UK and many other nations may become less clear and is likely to change. If not prepared for, this could damage digital businesses in the region.
Are you prepared? If you are not sure, please check and check this again!