Recent developments

International data transfers after Brexit

In June 2021, the European Commission adopted two adequacy decisions for the UK – one under the EU GDPR (General Data Protection Regulation) and the other under the Law Enforcement Directive.

This means that personal data can continue to be transferred from the EEA to the UK without the need for organisations to use SCCs (standard contractual clauses) or another means of ensuring that appropriate safeguards apply, as required by Article 45 of the GDPR.

Under the Commission’s decision, the EU will deem the UK DPA (Data Protection Act) 2018 and UK GDPR adequate for four years, after which the adequacy findings will be renewed only if the UK continues to afford EU residents’ personal data an adequate level of protection in line with the EU GDPR.

If UK data protection law deviates from the EU GDPR to a significant extent during those four years, the Commission has the option to withdraw the decision.

In practical terms, this means you shouldn’t need to worry about processing EU residents’ personal data in the UK if you are compliant with the UK GDPR.

However, the GDPR still requires organisations to implement processes that ensure that third-party data processors can demonstrate compliance with their legal and contractual obligations – wherever they are located.

If you need help with third-party supplier assurance, DQM can run your assurance programme for you.

Learn more about our third-party assurance services  

ICO report into data broking

Does the way you buy or sell data need to be updated?

The ICO’s long-awaited report into the data broking industry found issues with transparency and process limitation, and has prompted data buyers to strengthen their due diligence requirements.

Data brokers perform a vital service in matching businesses with prospective purchasers, but individuals who are uncomfortable with how their data is used make complaints, not purchases. Data protection regulations challenge data brokers and marketers to work together in a much more strategic way. The goal is, very clearly, to reduce the complaints and increase the purchases.

DQM GRC was originally founded to support data brokers and data owners. We audit around 80% of the UK market and many of our consultants are specialists in both privacy and marketing.

Download our free guide that helps data brokers understand how the ICO’s ruling affects them.  

Privacy Shield invalidated

Do you need to review the way you transfer data to the US?

The European Court of Justice recently invalidated the Privacy Shield framework as a mechanism for transferring data between the EU and the US, in the ‘Schrems II’ decision.

The Swiss-US Privacy Shield was invalidated shortly afterwards.

While the Privacy Shield remains a useful way of demonstrating that many data protection requirements will be met by the US data recipient, organisations that previously relied on it will now need to find a new basis for transferring data and implement the requirements associated with it.