
GDPR turns 5: should you be reviewing your data protection documents and policies?


The EU GDPR recently had its fifth anniversary, having come into effect in May 2018. In the run-up to May 2018, UK organisations rushed to put in place policies and procedures to try to comply with the EU GDPR and avoid the huge fines which we had all been warned about.

As the dust settled, and enhanced data protection law became the norm, organisations needed to ensure – as they still do today – that those 2018 policies and procedures were kept under regular review and that they evolved with the organisation, and with any changes to the types of personal data collected and the use of that data.

It is important to remember that compliance with data protection law is not a tick-box exercise which can be documented once and then forgotten about. It is essential to regularly review your compliance. For example, if your organisation:

  1. is looking to launch a new online service aimed at children when previously you only offered services aimed at adults. In GDPR terms this is a fundamental change as the GDPR requires particular care to be taken when an organisation collects and processes personal data from, and about, children. You will need to consider obtaining parental consent for the processing of personal data of children under 13, as well as how transparency information can be presented to children in a way in which they understand.
  2. previously operated a physical retail outlet but is launching an online shop, which means that personal data will be collected online via a website. In this case you will need a website privacy notice and cookie policy, and you will also need to ensure you have GDPR-compliant data processing agreements in place with the organisations you use to operate the website.
  3. is considering changing the way it uses customer personal data. You will need to consider whether you are still a processor of that personal data (as was thought in 2018) or whether you are now actually a controller if you use that personal data for your own purposes.
  4. is acquiring other businesses and creating a group structure. You will need to consider any intra-group transfers of personal data including whether you need a data sharing agreement between the group companies and whether you need mechanisms in place to legitimise any international transfers of personal data (if, for example, one group company is handling payroll for the whole group and that company is located outside the EEA).

As if that wasn’t enough to manage, we then need to take account of the constantly evolving nature of data protection law. Areas which need reviewing include:

  1. Any references in policies, procedures or agreements to the EU GDPR as opposed to the UK GDPR, which applies in the UK following Brexit.
  2. Data processing agreements dealing with international transfers of personal data that refer to transfers outside of the EU/EEA rather than the UK, or that make reference to the Privacy Shield, which became invalid some years ago.
  3. Data Processing agreements referring to the old 2010 EU standard contractual clauses being used to safeguard personal data being transferred outside of the UK to a country which doesn’t have adequacy. The 2010 clauses have now been replaced with 2021 clauses (and in the UK must be used with the UK Addendum produced by the Information Commissioner’s Office (ICO)) or the UK International Transfer Agreement (IDTA).
  4. How the organisation assesses whether it can transfer personal data from the UK to a country which doesn’t have an adequacy decision, for example India or the USA. Following the Schrems II judgment in 2020 there is greater focus on ensuring personal data is as well protected in the hands of the recipient located abroad as it is in the UK. In the UK, organisations are required to carry out a transfer risk assessment to understand if the transfer can go ahead and what measures need to be put in place in order to protect the data.
  5. The content of privacy notices. This was put under the spotlight in the well-publicised August 2021 WhatsApp decision in which WhatsApp was fined €225M for EU GDPR infringements. The Irish data protection regulator’s decision had important implications for the drafting of privacy notices under the EU GDPR regime in that it requires controllers to provide far greater detail in a number of areas, including in relation to transfers of personal data outside the EEA, the purpose and legal basis for processing personal data and the retention of personal data. Whilst the WhatsApp decision is not binding on the ICO or English courts, the ICO and English courts may adopt a similar approach under the UK GDPR when faced with an alleged infringement. It is important therefore for organisations to keep up to date with the ICO’s guidance on what is required in a privacy notice.

Finally, organisations need to make sure they are renewing their data protection fee with the ICO annually and paying the correct fee.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
