2020 data protection planner

Dates for your diary


This Monday was the second anniversary of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) coming into force.

The third year of these historic laws is set to be even more eventful than the first two. The combination of Covid-19, the UK’s exit from the EU, some major case law developments and continued enforcement action mean this will continue to be a fascinating and fast evolving area of the law.

Timeline

  • Covid-19 projects
  • Fines for British Airways and Marriott?
  • 16 July 2020 – CJEU judgment handed down in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems (the so-called “Schrems II” case)
  • Return to the workplace for many office-based employees
  • Expected surge in data subject access requests (to October)
  • Final preparations for changes regarding international data transfers
  • 31 December 2020 – EU-UK transition period ends

May and June 2020

Most organisations adapted quickly, and for the most part well, to large-scale working from home when the lockdown started in March. However, we are still advising many clients on the privacy implications of projects initiated in response to the pandemic. This includes advising on:

  • sharing personal data with new third parties (e.g. in multi-tenanted premises, or sharing with health authorities);
  • installing health screening devices (e.g. to check employees’ temperatures at the start of each day); and
  • understanding the privacy risks when deploying new technology solutions to support increased flexible working (e.g. completing Data Protection Impact Assessments).

Projects of this nature are likely to continue throughout the next 6 to 8 weeks.

The optimistic reader might also expect to hear news of the ICO’s final determination on the fines proposed against British Airways (BA) and Marriott for their headline-grabbing data breaches in 2018.

In July 2019, the ICO issued notices of its intention to fine BA and Marriott £183 million and £99 million respectively. However, it has twice extended (by agreement with the companies) the deadline for it to confirm the fines, and this is likely to happen again as a result of Covid-19, perhaps until late summer.

It also appears likely that the level of the fines will be reduced as a result of the pandemic, given the extraordinary impact it has had on the aviation and tourism industries in particular. Fines imposed by the ICO must be effective, proportionate and dissuasive. Given the major reduction in revenue for both BA and Marriott as a result of Covid-19, the ICO may consider that the levels of the fines it deemed appropriate in July 2019 are now disproportionately high.

The ICO has confirmed on a number of occasions in recent weeks that while the obligations under the GDPR and DPA remain in force (and so the maximum fines remain available, especially where there are aggravating circumstances), the ICO will nonetheless adjust its approach to enforcement action during the pandemic period. Specifically, the ICO will act “in an empathetic and pragmatic way that reflects the impact of coronavirus”.

Organisations the world over will watch with interest as the ICO determines what enforcement action to take in response to the data breach recently announced by easyJet, in which the personal data of nine million customers was accessed by attackers. This is sure to be a real test of the extent to which the ICO’s approach has been adjusted.

Schrems II

Data protection case law does not come much bigger than Schrems II. On 16 July 2020 the Court of Justice of the European Union (CJEU) is due to hand down its judgment on the validity of the European Commission’s standard contractual clauses (SCCs) as a basis for transfers of personal data to the USA. If the court decides that the SCCs are invalid, then thousands of organisations that currently rely on them will need to implement new safeguards to govern the transfer of personal data to the USA (and potentially to other third countries).

The judgment is also likely to touch on the validity of the EU-US Privacy Shield adequacy decision, and the role of data protection supervisory authorities in relation to international transfers. Again, any adverse finding (for example that the Privacy Shield is invalid) would have a similarly disruptive impact on any organisations in Europe that transfer personal data to the USA.

The Advocate General issued his Opinion on this case in December 2019 (see our earlier update). The CJEU often follows the path set by the Advocate General, but it is not bound to do so, and given the major importance of the issues being considered, this is without doubt the must-watch case of the summer.

July and August 2020 – return to work

While many employees are embracing the benefits of working from home, many others cannot do so given the nature of their work, or are looking forward to returning to the office.

Whenever employers are able to welcome their staff back into the workplace, there are bound to be numerous privacy and security issues to consider. These will range from technical challenges (e.g. maintaining network and device security when moving from a static desk model to hot-desking, where workstations and network access points are shared between users, and deploying new user devices and infrastructure to support the changes in working practices) to matters concerning the health and wellbeing of staff.

As well as data protection challenges (e.g. do employees need to report on their Covid-19 status if there is a second wave of the virus?), there will also be employment law and health and safety issues to consider. All in all, the mass return to work in the months ahead is likely to be just as impactful on employers as the rapid change in working practices brought about by the start of lockdown.

July to October 2020 – DSAR surge

Many data protection officers and privacy practitioners are anticipating a major surge in the number of data subject access requests (DSARs) in the late summer/early autumn (and possibly for some months afterwards).

This will in large part be linked to the job retention/furlough scheme coming to an end, as employers need to make difficult decisions regarding potential redundancies. Where employment claims arise, DSARs are quick to follow. Find out more about handling DSARs in our podcast.

It is also likely that claims management companies (CMCs) will align themselves with aggrieved groups of employees. This could mean an increase in the unwelcome phenomenon of bulk DSARs, where a CMC issues DSARs to an employer on behalf of tens, if not hundreds, of individuals on the same day.

Managing DSARs on this scale requires a well-resourced, well-prepared team who are ideally supported by technology solutions to enable efficient processing of the requests.

Organisations would be well advised to design their contingency plans now, so that they can respond to a large increase in activity. Our view is that those plans are extremely likely to be called upon.

October to December 2020 – international data transfers

As the year draws to a close, and we reach the end of the Brexit transition period, data protection teams across the UK and Europe will inevitably turn their attentions to international data transfers.

Organisations should already have completed data mapping exercises to determine if their businesses rely on the transfer of personal data between the EU and the UK, and have given some thought to the approach they will take to ensure that such transfers can continue after 31 December.

In the absence of any agreement with the EU to the contrary, when the transition period ends the UK will become a “third country” for GDPR purposes. This means that organisations based in the EU will need to ensure that they implement appropriate safeguards to enable the lawful transfer of personal data from the EU to the UK: the UK will no longer automatically be treated as providing adequate protection, and recognition as “adequate” would require an adequacy decision from the European Commission.

In practice, this is likely to mean that many organisations will need to implement the European Commission’s SCCs, to meet the appropriate safeguards test. However, it is difficult for businesses to implement solutions for their international data transfers at this stage, for two principal reasons:

  1. It is still difficult to predict what agreement – if any – will be reached between the UK and the EU as to transfers of data. Public statements on both sides in recent weeks suggest that an agreement is still a long way off, and the UK has repeatedly stressed that it does not intend to seek an extension to the transition period. This means businesses do not currently know what the position will be come 1 January 2021.
  2. The SCCs remain subject to the scrutiny of the CJEU in the Schrems II case referred to above. If the CJEU decides the clauses are invalid, there will be a significant impact for thousands of businesses, including those that already rely on the SCCs and those that would seek to do so following the transition period.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions
