
Data New Year's Resolutions

03 January 2020
DWF's Data Protection team set out your 10 Data New Year's Resolutions to help you deal with the ever-evolving world of data protection in 2020! 

Happy New Year!  

While participation in dry January is optional, compliance with ever-evolving data protection law isn't. Here are DWF's Data New Year's Resolutions for you to consider so that you can ensure that you meet your data protection obligations in 2020. In a privacy-friendly "layered" way, we've set out the resolution, and then below set out more detail as to the requirements and recommendations of each resolution!  

1. Review your privacy notices

2. Re-review your policies to check you're not over-promising

3. Review your data sharing arrangements

4. Review and optimise your SAR process 

5. Check whether you need to pay the data protection fee 

6. Carry out appropriate ID checks before providing personal data 

7. Prepare for Brexit 

8. Conduct data essentials training for that lightbulb moment 

9. Ensure breaches are handled well and consider claims mitigation at the time 

10. Watch this space!  2020 is going to be an interesting data year!

Here is more detail of each resolution: 

1. Review your privacy notices and policies

If you updated your privacy notices and policies around May 2018 to comply with GDPR, it is worth reviewing them in the light of guidance issued by the ICO and EDPB (Information Commissioner's Office and European Data Protection Board) since then.

Look at how and when you present them to your customers.  Do you use a "layered" approach to make them easy to navigate?  Do you make good use of pop-ups / text areas to present "just in time" information? If you process special category data (e.g. data about health, race or sexual orientation), the ICO has recently updated its guidance on the lawful bases you can rely on to justify this, so you may need to update your notices to reflect these (as well as the operational practices behind them). If you process children's personal data, you need to review your notices and how you share them with children in the light of the Age Appropriate Design Code of Practice, which the ICO has just submitted to the government.

Contact us to discuss how we can update your privacy notice and help you to structure your customer journey to present it in a user-friendly, but legally compliant, way.

2. Re-review your policies to check you're not over-promising 

We have been consulted by some clients who prepared for GDPR by updating their data protection policies in line with what they believed to be best practice or indeed their own operational protocols.  It is important that you are able to comply with your own policies and that they are compliant, as well as accurately reflecting your operational practice – as that is what you will be judged by if they are ever scrutinised.  We can help you to revise your policies appropriately. This needs to be done with care and sensitivity, which our experienced data protection specialists can offer.

Contact us to find out how we can support you with the process of reviewing and updating your policies.

3. Review your data sharing arrangements

The ICO has recently issued an updated draft Data Sharing Code of Practice for consultation.  This has been revised to cover various changes introduced by the GDPR, including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities.

Contact us to discuss how we can help to review and update your data sharing arrangements, including drafting any necessary data sharing agreements, reviewing your privacy notices to check that they are consistent with your sharing activities and ensuring that all necessary safeguards for international transfers are in place.

4. Review and optimise your SAR process

The ICO has also issued updated draft guidance on dealing with SARs (subject access requests).  This guidance includes the special rules on certain categories of personal data, how to deal with requests involving the personal data of other people and how to apply the exemptions.

Contact us to discuss how we can help you to optimise your SAR process, including advice on the relevant exemptions and document redaction.

5. Check whether you need to pay the data protection fee

The ICO has recently launched a campaign to contact all companies to remind them of their legal responsibility to pay the data protection fee.  Note that this is a requirement under UK data protection law, not the GDPR.  Most businesses which process personal data will have to pay the fee, unless an exemption applies.  The fee ranges between £40 and £2,900, depending on the size of the organisation.  While fines for non-payment are modest (150% of the applicable fee), failure to pay could result in bad publicity and reputational damage.

Clients have asked whether payment of the fee now will bring them to the ICO's attention, resulting in increased scrutiny.  Over 600,000 organisations have registered to pay it, so payment is very unlikely to draw attention to your organisation.  If you are concerned about your level of compliance, paying the fee is a step in the right direction, and then we can help you prioritise your compliance steps.

Contact us for advice on whether you need to pay the data protection fee, and prioritising your data protection compliance steps.

6. Carry out appropriate ID checks before providing personal data

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has recently fined a telecoms provider €9,550,000 for failing to take sufficient technical and organisational measures to prevent unauthorised persons from being able to obtain customer information, in breach of Article 32 of the GDPR.  People calling the telco's customer service helpline could obtain extensive personal data about a customer simply by providing the customer's name and date of birth.  While businesses are understandably keen to avoid excessive ID checks which may annoy customers, these checks must be sufficient to prevent unauthorised access, and you should only provide details about people which are appropriate.

Contact us for advice on the ID requirements of GDPR and how to implement them in practice.

7. Prepare for Brexit

Given the Conservative majority in the UK's December 2019 election, it appears likely that the UK will leave the EU on 31 January 2020 on the basis of the New Withdrawal Agreement, and that the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations (the "Regulations") will come into effect.

The Regulations provide for a transitional period until 31 December 2020, so data transfers from the EEA to the UK can continue as normal until then. You will need to prepare for the end of that transitional period by making sure that safeguards are in place for the future transfer of personal data from the EEA to the UK. This includes situations where you transfer the data to a processor in the EEA, who then transfers it back to you. The situation is complicated by the fact that it is by no means certain that the EU will grant an "adequacy decision" to allow data to flow from the EEA to the UK without other safeguards in place, and also that we are awaiting the decision of the Court of Justice of the EU on whether standard contractual clauses (the most frequently used safeguard) remain a valid safeguard for such transfers. 

However, the Advocate General has delivered an opinion (which the Court is likely to follow) that the clauses are valid, although he expressed concerns about the EU-US Privacy Shield, which is currently a safeguard for the transfer of personal data to US organisations which have self-certified under the scheme. You also need to identify whether your organisation needs an EU representative and appoint one if necessary.

The Regulations create a "UK GDPR" and amend the Data Protection Act 2018.  The key practical points are:

  • You will continue to be able to transfer personal data from the UK to EEA countries;
  • You will continue to be able to transfer personal data to countries with an "adequacy decision" and US organisations which have self-certified under the Privacy Shield, although the UK government has the ability to overturn this – note also that EEA entities sending personal data to UK organisations will need to check they can continue to do so (see above);
  • If your organisation already has Binding Corporate Rules authorised, these will continue to be valid; and
  • EU controllers who process the personal data of UK citizens will need to appoint a representative in the UK.

Contact us to discuss your international data transfers and for up-to-date advice on the most appropriate safeguards for your organisation to put in place.

8. Conduct data essentials training for that lightbulb moment 

We often find that fundamental principles are missed when dealing with data breaches.  Human error, rushing and stress account for a significant proportion of data breaches.  As with the New Year's Honours List spreadsheet, it is often attachments, or emails and their attachments, that are sent to the wrong person or contain too much detail.

We can help you by providing focused and memorable data essentials training for your teams to ensure they remember data protection before doing something, and that if there is a breach, they know how to handle it. 

9. Ensure breaches are handled well and consider claims mitigation at the time 

We've seen a range of data breaches and incidents where initial breach reports to data subjects have overplayed their severity.  Clearly, it is important that data subjects are aware when there are material risks to them, but conversely, if you exaggerate the risks in a breach report to data subjects, it is likely that those statements will come back to you in one of the increasing number of data breach compensation claims, and that you will be asked to pay compensation based on the risks you identified (even if they have not materialised).

Contact us for the best way to handle data breaches and data breach compensation claims. 

10. Watch this space!  2020 is going to be an interesting data year! 

There are lots of developments to watch for this year, including increasing regulation, the application of the Accountability principle (i.e. showing and recording how you comply, not just stating you do so), the Schrems decision regarding the model clauses and much more. Tell us what kind of updates you would like about data protection matters! 
