
On 30 June, teissTalk host Geoff White was joined by Rocio de la Cruz, Partner, BPE Solicitors LLP; Simon Howarth, Data Protection Officer, On The Beach; Joanna Moczadlo, Legal Counsel, EMEA and APAC, The Hertz Corporation; Elisavet Dravalou, Lawyer, Synch.
The new UK data framework will be designed to make the UK the best place for businesses and scientific institutes to undertake data-driven activity and will support the UK’s international commitments on the free flow of data. The new Accountability Documentation Framework is set to remove the obligation to elect a Data Protection Officer or to conduct Data Protection Impact Assessments (DPIA) and replace them with new regimes. Although the concept of making the accountability framework more flexible so businesses can tailor it to their needs is great, most of these entities operate in Europe too and will therefore be subject to GDPR anyway. Another way of looking at it is that the new framework is only nullifying what hasn’t been observed anyway: few SMEs, for example, have been running DPIAs. Global companies that have appointed DPOs or have outsourced the function typically seek compliance with the rules of the strictest jurisdiction that they operate in. DPOs are going to be able to wear both an EU and a UK hat as long as there is no conflict of interest. The new framework may also affect the UK adequacy decision for European data transfers if it diverges considerably from EU rules. From the start, DPIAs in the UK have been looked upon as a mechanism that generates a huge amount of useless information, while the ICO’s DPIA framework is much more straightforward. In this respect, the new framework is expected to bring improvement.
During the pandemic, the use of personal data has soared and regulators are therefore now playing catch-up (new EU SCCs, UK IDTA). The right to data protection, as described by Article 8, is a fundamental human right in the EU and the UK, where personal information needs to be processed in accordance with certain principles. Meanwhile, the right to privacy means that no one can interfere with an individual’s private sphere. While in the EU these two terms are often used interchangeably (GDPR is a data protection law and doesn’t mention privacy in its main body), outside the region individuals only have the right to privacy. Encryption – whether 128-bit or 256-bit – and how encryption keys are held play a key role in data protection. Double pseudo-anonymisation, where the original name after the first step is referred to as, for example, A, prevents anyone knowing the true identity of the individual.