UK Adequacy Decision: European Commission decides that the UK has an adequate level of data protection
Today nearly every part of our life can be digitised, tracked and logged: every picture, every journey, every purchase, even every heartbeat. More and more of our personal information is collected, stored and traded by companies and governments.
The GDPR governs the protection of personal data such as names, contact details, computer location, and sexual orientation. Organisations have to prove they have a lawful reason for holding that kind of data and, even more importantly, show that they are keeping it safe.
It’s not surprising that businesses are nervous about GDPR rules because the potential penalties are massive.
This piece of legislation is supposed to empower the people who give companies their data, even you.
1. So, what’s the Adequacy Decision all about?
The UK government says it will bring EU regulation into British law, regardless of the Brexit context.
On the 29th of June, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation and one under the Law Enforcement Directive. In its press release from the 29th of June, the Commission states that:
“Personal data can now flow freely from the EU to the UK. It benefits from an essentially equivalent level of protection to that guaranteed under EU law. The UK’s data protection system is based on the same rules that applied when the UK was a member state of the EU. Both adequacy findings, of course, include strong safeguards such as a Sunset Clause for the first time in an adequacy decision which limits the duration of the adequacy to four years.”
This doesn’t mean, however, that nothing will happen during those four years or that the UK has a green light. On the contrary, there will be constant review of whether UK legislation complies with the European data protection rules. Thus, we must keep an eye on what is and is not changing in the UK legal system throughout these four years.
Even Facebook, the giant social media platform, has already said it will apply the EU rules to all of its users worldwide. Mark Zuckerberg claimed that the social media platform needed to regain users' trust after the Cambridge Analytica scandal.
Information about data adequacy decisions can also be found on the UK government’s website. In addition, we can get a glimpse of its plans regarding international transfers of personal data.
“The UK, which now operates a fully independent data policy, has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc. The government plans to promote the free flow of personal data globally and across borders, including through ambitious new trade deals and new data adequacy agreements with some of the fastest-growing economies while ensuring people’s data continues to be protected to a high standard.”
Let’s say you own a business in Romania, an EU member state, and that business involves relations with clients in the United Kingdom.
What is the implication of such a decision for your business?
This decision gives you the freedom to collect and store the personal data of British citizens within the limits of the law for the next four years, and the other way round.
2. More about how to avoid fines when it comes to data protection
Collect your data and store it in an organised way (that means any bit of information that could be used to identify a person, such as a phone number, IP address, photos of them, etc.)
Make sure that data is secured (e.g. use robust antivirus systems on all of your devices)
Don’t keep data unnecessarily (if you don’t know what you will do with it, don’t keep it!)
Write a transparent, fair processing notice (you’ll need a document that explains clearly what data you are going to be taking from people and how you’re going to use it)
Have a process for deleting data (that’s part of a new law that empowers customers’ and individuals’ rights over their data)
Try a layered opt-in form (this will give users easy access to their information and help them understand how it’s going to be used, preferably designed as a button)
Make it easy to opt out (for example, if you are using emails, make sure that people can unsubscribe; the same goes for text messages and call services)
Make your whole team aware of the GDPR laws (train all of your employees and appoint someone in your team to be your data protection officer)
Complying with GDPR law is not an easy task! All these changes in the world can make it difficult even for those who are experienced.
Avoid feeling overwhelmed by this situation by checking the Avoteca legal marketplace, where GDPR specialists are constantly ready to provide you with the legal consultancy you need!