Data Protection with UK/EU GDPR: Should I look East or West?

A post-transition Brexit world is expected to be different, and one concern for businesses is the future of GDPR. The UK and EU GDPR frameworks are essentially the same today, but will be regulated independently after the transition period. Both of these laws may apply to businesses collaborating across the UK and EU, and we have no visibility into what may or may not change. This raises an important question: “What Data Protection changes should we factor in?”

As a starting point, we need to factor in considerations for ‘Legible Data Transfers’, and below are a few guidelines from the Information Commissioner’s Office (ICO):
- Keep Data Flowing
- Guidance on International Data Transfers

On the other hand, we need to consider potential ‘Data Loss Incidents’ that could occur through either of the following:
1) People with access (i.e. innocent accidents or malicious activity)
2) A system security vulnerability exploited by external attackers

The evolution of GDPR is based on ensuring that a reasonable level of due diligence is performed towards Data Protection, and this must continue to be our focus. One key aspect is building collateral, i.e. every step towards data protection must be documented. This is the best way to articulate due diligence, and below are a few examples:
- Data Protection Impact Assessments (DPIA)
- Risk, Security & Vulnerability assessments
- Periodic Access / Entitlement review reports
- Assessment interviews with various people handling data
- Data protection strategies being implemented

In summary, our focus must remain on facilitating ‘Legible Data Transfers’ within the guidelines and enforcing ‘Data Loss Prevention/Protection’ strategies. Most importantly, we must ensure that we have sufficient collateral to articulate our due diligence.


Published: 20th November, 2020
Author: Denis Kattithara 