The UK left the EU and the transitional period ended on 31 December 2020.
The GDPR was incorporated into UK data protection law (such as the Data Protection Act 2018) as the “UK GDPR” before the UK left the EU. There is little change to the core data protection law in the UK before and after the Brexit. The UK GDPR applies to you if you operate in the UK and/or deal with individuals in the UK.
Q1: What is the current position in terms of the GDPR?
The UK GDPR restricts transfers of personal data outside the UK unless the individual’s personal data is protected in another way.
The UK has “adequacy regulations” in relation to the European Economic Area (EEA) countries, EEA offices/agencies, Gibraltar, the countries/territories covered by the EC’s adequacy decisions (e.g. Guernsey, Isle of Man, Jersey, New Zealand, Switzerland etc), so there is very little issue for us in the UK to transfer personal data to these countries/territories. There are other territories on which the UK has adequacy decisions.
With regard to the transfers from the European Economic Area into the UK, the EU GDPR rules apply, and we have yet to see an EC adequacy decision adopted at the time of writing this blog. As part of the new trade deal, the EU is to delay transfer restrictions until 30 June 2021 (this period is called the “bridge”), which means that there will be restrictions in data transfers from the EEA to the UK after this “bridge” period unless an adequacy decision is made in the EEA side.
Q2: We are based in the UK. What should we do during the “bridge” period?
This is the time you should review your policies which touch your data protection system and practice, and to ensure that everyone in your organisation and your suppliers/contractors who deal with your data implement your policies in accordance with the UK GDPR. If you are to receive personal data from the EEA countries, you should put alternative safeguards in place as soon as possible for smooth transfers.
You might also be involved in other international transfers of personal data. You should check the list of countries/territories (or the sectors in some cases) covered by adequacy regulations. You must be satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK GDPR.
Q3: But what is “personal data” anyway under the UK GDPR?
The Data Protection Act 2018 (DPA 2018) defines “personal data” as “any information relating to an identified or identifiable living individual”. By saying “identifiable living individual”, the DPA 2018 means a natural living person who can be identified in reference to “name, an identification number, location data, or an online identifier” or “specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual”. The “data subject” means the identified or identifiable living individual to whom personal data relates.
Q4: What about data relating to a company?
Information about companies or public authorities itself is not categorised as “personal data”. But information about the individuals acting as sole traders, employee, partners, and/or company directors may constitute personal data.
Q5: So, is a corporate email address personal data under the UK GDPR?
Potentially yes. When a corporate email address clearly relates to a particular individual, an email address is personal data. But if the email address is not identifiable with particular individual(s), then it would not be so. The Information Commissioner’s Office (ICO) says that business data such as a work email address (as long as it doesn’t contain someone’s name) is exempt from data protection law.
Q6: You mentioned about “online identifiers”. What are they?
They are also known as “internet identifiers” in some jurisdictions – to identify a natural person by associating information traces he or she leaves when operating online. Examples of online identifiers include (but not limited to) IP addresses, cookie identifiers, RFID (radio frequency identification) tags, social media account details, device fingerprints, pixel tags, MAC addresses, and advertising identifiers.
Q7: We do online video conferencing a lot. What should we keep in mind in running/taking part in a video conference?
The ICO recommends that you should: –
- Check and make use of privacy and security features at your end – e.g. restricting meeting access by using passwords, controlling who is allowed to share their screens, who are the host/co-hosts;
- Be vigilant on phishing risks – e.g. watch out and be careful what to click on chat features;
- Keep all your software up to date and;
- Be compliant with your organisation’s policy/ies.
Do be mindful that various personal data will be collected via the video conferencing tools you are on. They include the visual images (if the device camera is switched on), the audio/voice(s) (if the device microphone is on) and certain online identifiers. You should also be careful about confidentiality issues, especially if you are joining the video conference from home.
If you are recording a video conference, it is important you are transparent (i.e. open and honest) about it at the outset, and explain why you are recording it, what you do with the data, how long you keep the data and who controls/processes the data. You should seek consent.
Q8: What shall we do if we are uncertain whether the information we are collecting is personal data?
If you are uncertain whether the information you are collecting be deemed to be personal data, it would be prudent that you treat that information as personal data and to protect them as such – namely, you keep the information secure, protect it from inappropriate disclosure, be transparent about the facts and be compliant with the data protection legislation. Think about the risk that the information you are collecting may be personal data, as someone may be able to infer something about a particular individual with that information.
First, and foremost please ensure your policies are compliant with the UK GDPR.
If you would like to discuss anything in respect of your GDPR related issues and/or to have your policy and/or other documents reviewed/updated, please feel free to take a look at our GDPR services or contact me on mayumi.hawkes@cognitivelaw.co.uk