Brexit necessitates a review of data mapping and cross-border transfers. In the event of a no-deal Brexit, the government intends that transfers from the UK to the European Economic Area will be unaffected, but the reverse will not be true, as it is unlikely that the EU will have made an adequacy finding in relation to the UK, even though legislation equivalent to the General Data Protection Regulation (GDPR) will be in force going forward. Guidance has been published by the Information Commissioner’s Office and the Law Society. See www.legalrisk.co.uk/news for links.
The European Commission has reported that there have been more than 95,000 complaints of data breaches across Europe under GDPR.
A €400,000 fine imposed on a hospital under GDPR by the Portuguese supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), may raise issues for law firms. The fine arose from allowing indiscriminate and excessive numbers of users to have access to patient records. Law firms commonly allow firm-wide access to client data, which may include special category data, for example, in health and employment records. The time is ripe to review that approach.
The European Commission has published its second review of the EU-US Privacy Shield. The Commission concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States, though some steps have only recently been implemented and developments need to be monitored. The US Department of Commerce has published guidance on its Frequently Asked Questions page on the application of the Privacy Shield to data transfers from the UK post-Brexit.
See also the next item for GDPR issues.