What Brexit and coronavirus mean for GDPR
Last month marked three years since the introduction of the General Data Protection Regulation (GDPR). Though the contents of the law have remained unchanged since 2018, Brexit and coronavirus mean that it is being enforced in a much different world than it was before.
Despite the UK having left the European Union (EU), both parties have kept up the data flow between them as part of a bridging agreement.
This agreement is due to expire at the end of June, at which point the EU will decide whether or not the UK’s now separate GDPR legislation is adequate and in keeping with its own laws.
HR GDPR queries:
- Health tracking
- When data collection becomes spying
- GDPR and AI in recruitment
- Cyber security post-COVID
The main question the EU will be asking in its assessment of UK GDPR is whether or not people can enforce their data protection rights in the same was as they would be able to under European regulations.
The legal structure of UK GDPR is currently the same as Europe's, but Brexit means the government could theoretically make changes. Material changes seem unlikely, however.
Speaking to HR magazine Sarah Henderson, senior associate at pensions law firm Sackers, said: “The reality is that whilst it's important for the UK on the whole to be able to freely share data with entities in Europe I think any changes that the UK make will be done in such a way as to not interrupt those data flows."
Henderson added that remote work and the resulting rise in cyber security breaches during the pandemic has also created new concerns for GDPR.
What does HR need to know?
One of the main queries for UK GDPR in 2021 concerns companies that have operations in the EU as well as the UK.
“If we don't get an adequacy decision from the EU at the end of June, then the bridge stops and it's necessary to make sure that you have alternative safeguards in place so that the data belonging to people in the EU is adequately protected when it comes to the UK,” Henderson explained.
The Information Commissioner's Office (ICO) initially advised employers to introduce additional safeguards for their data by the end of April in case the EU doesn’t make its decision in time, if at all.
To prepare for any changes to GDPR that could materially affect employees, Henderson advised HR to take stock of where company data is stored.
“Data mapping or having an idea of where your data footprint is really important – where your key service providers are and where your data is coming from,” she said.
How a pensions scheme administrator operates, for example, would be a key area of interest.
Henderson explained: “If they’ve [the pensions administrator] got cloud data provider that is based, let's say in Belgium, that cloud provider is going to need to send a huge amount of data to the UK from the EU.
“That would be a critical scenario in which you would be looking to get extra safeguards in place.”
Sackers is also advising companies to undertake a security health check on their data to mitigate the risks of cyber security breaches.