Businesses have faced uniquely challenging times throughout the year. However, in 2021 the latest business challenge might be a little bit more familiar. Yes, compliance issues are set to rear their ugly head again in the new year.
Increasing regulations, a new normal post-Covid-19 and a potential no-deal Brexit are all on the horizon. We outline the four key privacy challenges your business will face going into 2021, and how you can begin to overcome them so you're not caught out later down the line.
So here are the 4 compliance challenges your business faces in 2021.
Issues with Privacy Shield and data transfer to America
The Court of Justice of the European Union (CJEU) ruled that US surveillance laws did not offer adequate protection for EU personal data. More information can be found here. This ruling will impact any business that transfers personal data not only to the US, but also outside of the European Union.
This means businesses need to assess how their data is treated by countries outside of the European Economic Area (EEA) and, where there are issues, ensure adequate protections are in place.
Businesses should now review all data transfers, understanding where the Privacy Shield is relied upon, and identify third countries to which data is being transferred. Focus heavily on data that is transferred to the US after this recent judgement.
DSARs are rising
Redundancies and employees being placed on the furlough scheme because of Covid-19 have meant that there is a huge increase in data subject access requests (DSARs).
According to a new study conducted by eCase, data protection officers (DPOs) employed in public bodies and government departments have already claimed that they are being overwhelmed by data subjects demanding to know what data is held on them.
The number of DSARs has doubled in the two years since the GDPR came into law. Most businesses will not have been set up for this rush of requests, so make sure your business has its record of processing activities and retention policies well defined and actionable now, before any potential rush of requests hits.
The whole situation is muddied further by the unique level of turnover of staff due to the Covid-19 pandemic. Disgruntled ex-employees have the potential to cause damage as they are aware their own DSAR could cause issues.
Brexit and data transfers
January 2021 marks the UK's full exit from the European Union. There are major factors to consider with how your business deals with the various scenarios that come with Brexit.
Businesses need to consider the flow of their personal data and understand where transfers of personal data are happening. Currently, personal data can flow freely between the UK, EU and EEA without having appropriate safeguards in place – such as SCCs.
The UK government has stated that from 1 January 2021 data transfers will not be restricted and can continue to flow from the UK to EEA. So any business that sends data from the UK to the EEA will still be able to do so. Whether that will remain the case is unknown.
At the end of the transition period, the UK will be considered as a third country – which means data transfers from the EEA to the UK could well be restricted and businesses will need to rely upon an appropriate safeguard for data transfers.
Your business should now be identifying whether data transfers are taking place and putting safeguards in place to protect personal data. You should also be reviewing all your privacy information and documentation so you can identify any minor changes that may need to be made at the end of the transition period.
Data breaches are increasing
The rush to mass home working meant many businesses will have been forced to adopt new working practices quicker than usual. In many cases, they had no choice but to place themselves outside of their risk parameters.
Businesses may have had to relax their cybersecurity to facilitate home working and may have had to introduce new technology without the usual rigorous testing and assessment of options.
There has been a huge rise in the number of data breaches over the past few months where cybercriminals have targeted these newfound vulnerabilities. To maintain your level of compliance you should carry out risk assessments and policy and process gap analyses to identify where risks have been introduced.
Research shows it takes on average 206 days to identify a data breach, and there is evidence that cybercriminals are testing businesses' new processes.
It is very likely that some businesses have been successfully attacked and don’t know it yet - so businesses must assess what damage has been done as soon as they identify and close a vulnerability or gap.
After dealing with a year of uncertainty and unexpected challenges, in 2021 we might well understand the challenges ahead of us a lot better. As you can see from these 4 key areas, compliance is going to continue to be a big challenge next year.
If you feel your business needs help with compliance issues around your technology or how to store your data, we can help. For more information contact us here, email firstname.lastname@example.org, or call us on 01634 52 52 52.