Updating your data protection documentation following Brexit – IT Governance UK Blog
The UK data protection landscape is a lot more complex following Brexit. Many organisations are now subject to both the EU GDPR (General Data Protection Regulation) and the UK GDPR (General Data Protection).
The UK version was born out of the EU GDPR, so you might think that there are only cosmetic differences and that minor actions are required to adjust your documentation and compliance practices.
Unfortunately, it’s not that straightforward. If you haven’t done so already, you must ensure that your data protection policies and procedures account for both sets of requirements.
In this blog, we look at some of the things you must consider.
Do you deal with international organisations?
Because the UK is no longer part of the EU, many more businesses will be considered international organisations under the GDPR.
Although this may appear to be a surface-level change, it means that data transfers to some organisations need to be reviewed, as both pieces of legislation require additional measures to secure personal data transfers to international organisations.
Do you have appropriate security mechanisms for data transfers?
Both the EU GDPR and UK GDPR require organisations to have an appropriate level of data protection when conducting data transfers.
The UK quickly granted an adequacy decision regarding the EU, meaning data flows from the region were considered safe. As such, organisations didn’t need to take any additional steps.
Meanwhile, the European Commission has begun the process of granting the UK an adequacy decision, which means data transfers in the opposite direction can also be conducted.
However, if you’re transferring data into or out of any other region, you must produce SCCs (standard contractual clauses) or BCRs (binding corporate rules).
SCCs apply when organisations participate in two-way data sharing and for internal personal data transfers where the processing is straightforward.
BCRs apply strictly to multinationals, helping them make intra-organisational transfers of personal data across borders.
Is it clear which legislations your policies refer to?
Because there are variations in the requirements of the EU GDPR and UK GDPR, there are times when you must clarify which legislations your policies apply to.
In many circumstances, the requirements are the same and the differentiation won’t be necessary. However, you mustn’t get caught out. Look for any instance in which documentation for UK GDPR compliance could be misread as a violation of the EU GDPR or vice versa.
GDPR documentation made simple
Those looking for help documenting their data protection practices might be interested in our GDPR Toolkit.
This set of 80 customisable templates contains everything you need to achieve GDPR compliance – and identifies the differences between the EU and UK legislations.
The toolkit also contains:
- A Gap Analysis Tool that you can use to measure your overall compliance practices;
- Guidance on how to complete your documentation requirements, with templates on pseudonymisation, minimisation and encryption, to name a few;
- A roles and responsibilities matrix to help you understand who oversees certain tasks and function.
