Why being Adequate is adequate

By Aim's data protection experts

February 2021

 

The world we live in is often full of extremes: we must go faster, dig deeper, travel further and have more “friends” than the next social media addict. So it may come as a surprise that, in data protection terms, the non-extreme word “Adequacy” is the watchword at the moment for the UK. As its name would suggest, it’s low key, so low key in fact that you might not realise it’s there. So what is it?

 

Let’s take a step back. Within the EU, data protection is governed by the application of the GDPR. This means personal data can flow freely between EU member states, since they all adhere to the same regime. The UK used to have the same rights, but with Brexit, even though we have enshrined the GDPR within our Data Protection Act (DPA 2018), we are no longer considered to be an Adequate country, which means EU residents’ data cannot flow freely from the EU to the UK.

 

Is this a problem? Well, yes, it could be. At the moment, the UK has a grace period until the 30th April 2021, which can be extended to the 30th June, but after this time, if there is no Adequacy agreement, companies that process EU resident data within the UK will have additional administrative overheads to consider when moving personal data to the UK. As we all know, additional processes equate to additional cost, which could have a significant impact for many UK businesses.

 

Is an Adequacy agreement on the horizon? Yes it is, but although it might happen, there are a few potential issues. The first is the possibility of unforeseen changes to the UK data protection regime in coming years, which means that the EU will only give Adequacy for four years, at which point it needs to be reassessed. In addition, the demise of Privacy Shield due to the Schrems II ruling means that additional measures may be required to ensure that the UK does not become a way-station on the way to the US. And then there’s the EU’s concern that UK intelligence services might send data to their US counterparts.

 

Whilst there is every likelihood that Adequacy will be granted, companies who use EU residents’ personal data need to keep their ear to the ground to ensure they are in a position to react and implement new processes if things change. It’s essential that organisations take this seriously, since the penalties that can be imposed by the EU are significant. The first step is to ensure you have a good understanding of the data you hold, how it’s processed and in particular where it’s stored and how it’s moved. Using tools like Aim’s dataBelt® can significantly reduce the time required to complete these data management activities, and in addition will put you in a better place to manage subject data access requests, or demonstrate compliance with the DPA 2018 to the ICO, should there be a data breach.

 

 
