Data Transfers from the European Union to the United Kingdom Will Continue as EU Commission Assesses Adequacy during Six Month Transition Period

The European Commission now has an additional six months to complete its adequacy assessment of the UK’s data protection laws, thanks to an agreement in principle reached by the European Union and the United Kingdom regarding the EU-UK Trade and Cooperation Agreement (“the Agreement”). As a result, companies can – at least for now – continue to move data from the EU to the UK without putting in place additional safeguards. The UK’s transition out of the EU ended December 31, 2020, and as of January 1, 2021 it is treated as a third country for purposes of the EU General Data Protection Regulation (“GDPR”). Article 45 of…

READ MORE

Not Just for Large Multinationals: U.K. Information Commissioner’s Office and Article 29 Working Party Issue GDPR Guidance for Small Businesses

Smaller companies take note – the U.K. Information Commissioner’s Office (ICO) and the Article 29 Working Party have highlighted that all companies must comply with the General Data Protection Regulation (GDPR) regardless of size, and recently issued special guidance for smaller businesses. The GDPR, a law that places new obligations on organizations that collect and process data about European residents, comes into effect May 25, 2018. In a recently published set of FAQs, the ICO addresses key issues raised by the GDPR in the context of small businesses, including criteria for imposition of monetary sanctions; security; determining whether your organization is a processor or controller under the terms…

READ MORE

UK Authority Warns Small Companies: “Data Protection Laws Apply to You” Fining an SME £60,000 for Failing To Take Basic Steps

The UK Information Commissioner’s Office sent a clear signal last month that it is paying close attention to the data protection measures taken by small and medium sized companies. In a statement published June 27, 2017 titled “Warning to SMEs as firm hit by cyber attack fined £60,000” (i.e. about $80,000 U.S.), the ICO announced an action against Boomerang Video, a small Internet company based in Berkshire, England, for failure to take appropriate steps to secure customer information. ICO enforcement manager, Anne Poole said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.  “If a company is subject to…

READ MORE