Data Privacy Day: What businesses should consider
Data Privacy Day is just around the corner – on 28th January – and is a global effort to raise awareness of the importance of protecting personal data.
The day originated in 2006 in Europe, where it is widely known as Data Protection Day, and commemorates the first legally binding international treaty relating to privacy and data protection – the Council of Europe’s Convention 108. Now an annual fixture, governments and data authorities use the day to run campaigns and educational projects to help individuals and businesses understand their rights and obligations around data protection and privacy.
Data Privacy Day extended to the US and Canada in 2008, with organisations such as the National Cybersecurity Alliance (NCSA) using the occasion to educate consumers on owning their online presence, as well as to show companies how to maintain data privacy.
Here are some of the current themes around data protection and privacy that businesses should consider as we approach Data Privacy Day 2021.
Data privacy law post-Brexit
One of the key questions for UK businesses on this year’s Data Privacy Day will undoubtedly be how Brexit impacts local data privacy law. As the General Data Protection Regulation (GDPR) is an EU regulation, it technically no longer applies to businesses operating solely within the UK. However, the GDPR was incorporated into UK data protection law from the end of the transition period, so in a practical sense there is little change to core principles, rights and obligations. The GDPR will continue to be adhered to, alongside the Data Protection Act 2018, with some minor amendments to enable it to function in UK law.
For UK businesses that operate in the EU, the GDPR will still apply, and there are additional considerations around data movement between the EU and the UK. For the first four-to-six months after the transition period, a bridging mechanism within the EU-UK Trade and Cooperation Agreement allows the free flow of personal data from the EU or EEA to the UK to continue. This is to enable adequacy decisions to be granted and to come into effect.
During this time businesses should implement alternative transfer mechanisms such as Standard Contractual Clauses (SCCs), to safeguard movement of data from the EU to the UK in the event that no adequacy decision is reached. SCCs are valid tools for the international transfer of personal data as long as they deliver protection equivalent to that provided in the EU under GDPR. Some UK businesses that control or process EU data may also need to appoint EU-based representatives. There are currently no changes to the way businesses in the UK send data to EU countries.
The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority on data protection, and more information about data protection and privacy following the transition period can be found on its website.
Progress of the ePrivacy Regulation
A recurring theme of Data Privacy Day in Europe is the progress of the proposed ePrivacy Regulation, which is concerned with the protection of personal data in electronic communications. It is designed to expand the scope of the ePrivacy Directive – last updated in 2009 – to cover new technologies such as instant messaging apps, VoIP platforms, machine-to-machine communications and the Internet of Things.
The regulation was intended to take effect alongside the GDPR in 2018, but has not yet been finalised. The latest draft was published on 5th January 2021 with various amendments designed to simplify the text and clarify how the regulation works in conjunction with the GDPR. Even if the latest draft is approved, the regulation has a 24-month transition period and is unlikely to come into force before 2023.
Any ratification of the ePrivacy Regulation may be a way off, but that doesn’t mean businesses should disregard ePrivacy. The 2009 ePrivacy Directive, which was widely known as ‘the cookie law’, is still very much in force. The French data protection authority, CNIL, recently fined Google 100 million euros under the directive for placing advertising cookies on users’ computers without obtaining consent or providing adequate information.
Changes made to the European Electronic Communications Code (EECC) last year mean many communication providers such as messaging apps now fall under telecoms regulation, and need to comply with the ePrivacy Directive where they didn’t before. In the UK, the Privacy and Electronic Communications Regulations (PECR) are derived from the ePrivacy Directive, and were updated in March 2019. More information about complying with the PECR can be found on the ICO website.
Reviewing processes on Data Privacy Day
Data Privacy Day is an ideal time for businesses to review and update their data protection practices to ensure they are always up to date and compliant with data privacy law. They can also take the opportunity to communicate the importance of data protection to employees and ensure they are aware of business practices.
A first step for businesses could be to review their data privacy statement, which is a legal document outlining how the business gathers, uses, discloses and manages customer data. With the GDPR enshrining the individual’s right to be informed about the collection and use of personal data, the data privacy statement is a vital document. It must include information such as the organisation’s contact details, the purpose and lawful basis for data processing, the categories of data obtained, the retention period of data, and the rights of the individual to withdraw consent or lodge a complaint. Information included within the data privacy statement must be concise and provided in clear language that is easy to understand.
Other processes businesses could review include data privacy impact assessments, also known as data protection impact assessments (DPIAs). These should be undertaken for any project where data processing is likely to result in high risk to individuals. A data privacy impact assessment describes the scope and purposes of data processing, assesses necessity and compliance measures, identifies risks to individuals, and proposes measures to mitigate those risks. A data privacy impact assessment helps businesses to show they have considered the risks and met their broader data protection obligations. A checklist for writing a data privacy impact assessment can be found here.
Enforcement of the GDPR in 2018 compelled many organisations to review and update their data processes and practices. But with the data privacy landscape continually changing, this needs to be an ongoing process. Data Privacy Day serves as a valuable reminder to businesses to stay on top of developments and ensure they are compliant with the latest regulations.