GDPR after BREXIT
On 24 December 2020, the UK and the EU agreed the terms of a Brexit deal which includes an interim solution to the issue of personal data transfers from the EU to the UK.
This allows organisations that transfer personal data from the EU to the UK to continue to do so for up to six months, giving the European Commission time to (hopefully) approve an adequacy decision for the UK.
During the extension period, transfers of personal data from the EU (and the EEA) to the UK will not be considered transfers to a ‘third country’ (provided that the UK’s data protection law remains as it stands on 31 December 2020). However:
- The initial four-month extension period will end when adequacy is granted; otherwise it may be extended by two further months unless the UK or the EU objects;
- If the UK amends its data protection legislation, or exercises certain designated powers without EU agreement during the extension period, the extension period will end.
The Agreement took effect provisionally in EU law on 1 January 2021, pending ratification by the EU Parliament in early 2021. The UK Parliament has ratified the Agreement.
So, for now, there is no change to the way that we handle data.
What is GDPR?
- The General Data Protection Regulation came into force on 25 May 2018
- It is the new legal framework for dealing with personal data of EU residents
- All those who process personal data of EU residents will be required to demonstrate that they comply with GDPR
- As we deal with data as part of our business, particularly health data (sensitive) and sometimes data about patients (vulnerable), it is especially important for KQH to understand and comply fully with GDPR
- GDPR applies regardless of which country you are based in – anyone who is collecting, storing and processing the personal data of EU residents is required to comply
- There is an expanded definition of personal data – anything that contributes or links to identifying an individual will be included
- Greater liability – for both Data Controllers and Data Processors. Higher fines for non-compliance – up to 4% of global turnover or €20 million, whichever is higher
- Risk-based accountability – Contracts, Privacy Notices, Risk Assessments and Record Keeping need to be updated to comply
- New and strengthened individual rights – including the Right of Access, the Right to Be Forgotten and the Right to Data Portability. We have to promote these rights to the individuals on whom we hold data
How KQH has ensured compliance
- Completed full audit of our data processing
- Actioned amendments to procedures, forms and contracts as needed to mitigate or reduce risk
- Embedded privacy by design and default into all our projects
- Appointed a DPO (Data Protection Officer) whose role is to ensure data protection compliance
- Trained all directors and staff on implications of GDPR
- Registered with the ICO, which will be our lead data protection supervisory authority
Privacy Notice for those helping KeyQuest Health with market research