The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.

Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.

In this short video, our Director of Learning and Content takes us through what the potential changes are and how they might affect the way we process data.

Watch now

Here’s what you need to know about the UK’s plans to radically alter GDPR

The UK government’s consultation on reforming data protection, launched on 9 September, sets out a radically different framework for data protection than GDPR. From re-orientating the Information Commissioner’s Office to new ways for businesses to process data, these far-reaching reforms are set to have a significant impact on business.

Although the plans have been announced in consultation and not every proposal may make it into law, the direction of travel has been clear for some time. The UK plans to make it much easier for most businesses to use data, and get the most from data, while still ensuring strong levels of protection.

“The government wants to remove unnecessary barriers to responsible data use. A small hairdressing business should not have the same data protection processes as a multimillion-pound tech firm. Our reforms would move away from the “one-size-fits-all” approach and allow organisations to demonstrate compliance in ways more appropriate to their circumstances, while still protecting citizens’ personal data to a high standard.” Department for Culture, Media and Sport.

But European Commission warns adequacy could be revoked ‘immediately’

The UK has adequate standards of data protection, the EU Commission ruled yesterday, allowing businesses to breathe a sigh of relief. This decision means that data can continue to flow between the UK and EU, despite the UK now being a ‘third country’. Several other countries including Uruguay, Canada and New Zealand are considered to have adequate standards of data protection by the EU. Without an adequacy decision, data flows between the UK and EU would have been severely disrupted, requiring a wholesale review of clauses and contracts to ensure data could be transferred as it is now between the EU and third countries such as South Africa, India and China.

While the adequacy decision has been adopted for four years, Didier Reynders, the European commissioner in charge of data protection, said the adequacy decision could be withdrawn “immediately” if the commission had serious concerns. 

Your questions answered on the international data transfer component of GDPR

On Friday, 4 June 2021, the European Commission published the long-awaited Standard Contractual Clauses (SCCs) to help European companies transfer data outside of the EEA.

Organisations can carry on using the current SCCs for a further 3 months and 20 days, until 24 September, 2021. Then there will be 18 months and 20 days to get the new SCCs in place. This means that GDPR organisations must ensure that all vendor contracts and intra-group agreements contain the new SCCs by 24 December, 2022.

On the three year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and what we can expect in the next 12 months.

During the webinar, we shared a conversation between our Director of Learning and Content Nick Henderson and our Data Protection Officer Ruth Mittelmann Cohen in which Ruth shared the inside scoop regarding the ins and outs of being a DPO. They discussed a DPO’s responsibilities, the challenges of being a DPO, as well as best practice with regard to GDPR within an organisation. In this blog, we’ll share with you some of the insights from that conversation and see what we can learn from it about GDPR best practice within organisations.

GDPR – Three years on: Watch the full webinar here

Since the EU’s General Data Protection Regulation (GDPR) came into force three years ago, there have been fines reaching a total of over €280 million, the UK left the EU and the ICO has announced that there will be a new Commissioner from October.

The ICO (Information Commissioner’s Office) is the UK’s independent authority set up to uphold information rights. The organisation aims to promote openness by public bodies and data privacy for individuals. Part of their role is to help ensure organisations meet their information rights obligations and take action when they don’t.

What can we learn from some of the GDPR offences committed and ICO penalties levied over the past few years? How can we avoid becoming the next casualty? Let’s look at a few examples and break them down. 

Ticketmaster 

What happened?

Ticketmaster, the popular online ticket purchasing platform, was fined £1.25 million in November 2020 for failing to keep its customers’ personal data secure. The data breach was caused by a cyber-attack on a chat-bot installed on its online payment page. The attack exposed names, payment card numbers, expiry dates and CVV numbers of up to 9.4 million of Ticketmaster’s customers across Europe and the UK.