The Data Sharing Code of Practice was published by the ICO in December 2020, prior to the holidays. As all businesses return to work after the holiday period, they need to be prepared for the post-Brexit environment across the UK and Europe. The Brexit transition period has ended, and new concerns have arisen. However, privacy compliance remains simple with Seers.
Here are the top stories from the privacy world.
Top Stories and Updates
Provisional UK-EU trade agreement and data flows
Since 1 January 2021, the UK has been considered a third country for purposes of the EU General Data Protection Regulation (GDPR). As a result, transfers of personal data from the EEA to the UK are prohibited unless the European Commission has taken an adequacy decision or – in the absence thereof – EEA data exporters take further steps to ensure adequacy for personal data, such as entering into the EU Standard Contractual Clauses, implementing Binding Corporate Rules or relying on any of the available derogations in the GDPR.
The ICO recommends that UK organisations, both before and during the Additional Transition Period, work alongside EEA organisations from whom they receive personal data to ensure adequate transfer mechanisms are in place to safeguard against possible future interruptions to data flows.
CNIL publishes a guide on data collection related to COVID-19 vaccination
The French data protection authority (‘CNIL’) published, on 30 December 2020, a guide on data collection in the context of COVID-19 vaccination, following the draft decree by the Minister of Solidarity and Health authorising the processing of personal data relating to the management and monitoring of vaccinations against COVID-19 under the joint responsibility of the General Directorate of Health and the National Health Insurance Fund.
In particular, the guide highlights that, as part of this processing, the personal information of people invited to be vaccinated must be collected only for the purpose of the COVID-19 vaccination campaign, monitoring the supply of vaccines and syringes, and carrying out pharmacovigilance and research. In addition, the guide also outlines who will have access to the data, the retention periods of the data, and the applicable data subject rights, among other things.
Fines more than doubled in 2020
Fines levied against financial firms for data breaches and compliance failures have rocketed over the last year.
Research by digital transformation firm Fenergo found that 198 fines were imposed in 2020, 141 per cent up on last year, with penalties totalling $10.4 billion.
“2015 was a record year for enforcement actions, but 2020 has the potential to match or top that year’s total if significant investigations are concluded by the end of the calendar year,” says Rachel Woolley, Fenergo’s global director of financial crime.
In terms of data privacy, GDPR fines in 2020 were much the same as in 2019, topping out at $1.7 million. They are expected to rise exponentially in 2021 as data authorities take control of the post-Covid situation.
International data transfers under New Zealand’s new Privacy Act
New Zealand’s Data Protection Authority has reasonable grounds to believe that the foreign person or entity in question is subject to comparable privacy safeguards to those that apply under New Zealand’s Privacy Act. This act was due because several concerned data subjects have expressly authorised the disclosure of their personal information after having been informed that the foreign person or entity may not be required to protect their personal information in a way that provides comparable privacy safeguards to those that apply under New Zealand’s Privacy Act.
The Act places limitations and constraints on data transfers from New Zealand to the rest of the world.
How to prevent fines?
Any non-compliant company can be fined under the GDPR, LGPD, E-Privacy, CPPA, CCPA and other data privacy regimes globally. However, we promise that Seers is here for you: whenever you need any help with privacy compliance, we are ready to serve you.
Public notice: Important information on Post-Brexit data protection
While data flows continue even after the transition period has ended, there are serious privacy considerations that can still impact your business and its compliance with the GDPR, ePrivacy and the Data Protection Act 2018. Ensure compliance by hiring an EU/UK representative to allow your business operations to run smoothly. On top of being a legal requirement, it can help you navigate your data strategy under the current guidance and directives.
Data transfers and online advertising technologies post-Schrems II
The privacy ecosystem has changed following the Court of Justice of the European Union’s (‘CJEU’) decision on the Schrems II Case. The legitimation of international data transfer flows has changed, directly impacting the regulation of the different technologies and vendors in the online advertising field. Hire a Privacy Expert to handle the emerging data protection needs and the updated data flows.