Data Protection Adequacy Decision: a briefing from our infosec expert
30.06.21
Information Security Director
On 28th June 2021 the European Union formally acknowledged that the UK has appropriate data protection legislation in place to protect the rights and freedoms of data subjects in relation to their personal data. The UK thus joins the list of countries outside the EU that hold a data protection adequacy decision.
Prior to confirming the adequacy decision on 28th June, the EU had granted the UK a bridging period of up to six months following Brexit so that UK businesses could continue the free flow of personal data to and from the European Economic Area (EEA). Governmental negotiations to agree various trade and legislative requirements following the departure of the UK from the EU took place during this period, and these included the transfer of personal data between the UK and countries within the EEA. For companies like Benefex, this meant that the processing of employees’ personal data throughout the EEA could continue (when instructed to do so by the data controller, of course) without additional safeguards being required, such as the EU’s Standard Contractual Clauses (“SCCs”).
The EU’s confirmation of the UK’s adequacy effectively continues this arrangement for a further four years, although it is important to note that the EU keeps the decision under review and can amend, suspend or withdraw it sooner if UK law or practice diverges. Adequacy arrangements can also fall away through the courts: the EU-US Privacy Shield was struck down by the Court of Justice of the EU in the Schrems II judgment in 2020, leaving organisations relying on it to find alternative safeguards.
Without a decision of adequacy, organisations with employees based in the EEA would need additional data protection agreements in place with their employee benefits platform providers or brokers. In turn, benefits technology providers and benefits brokers would need additional agreements with the individual benefits providers and other technology providers in their supply chain. These measures would commonly take the form of the EU’s SCCs, which the EU has also just updated.
What’s changed as a result of this adequacy decision?
Well essentially…nothing! Your due diligence in selecting workplace technology and benefits brokers should still include checking that your suppliers put your employees’ data protection and security needs first and meet all applicable data protection legislation. At a secondary level, you should ensure that providers working with third-party benefits companies and other providers in their supply chain maintain a strict regime of appropriate due diligence, so that every link in the chain meets adequate security and data protection standards. At Benefex we always consider:
• The security framework used by the supplier (for example, are they ISO 27001 certified, SOC attested or otherwise independently assessed?)
• The data protection legislation applicable to the employees and to the supply chain (for example, are SCCs in place where they are required?)
• The location of the services provided and of any backup data centres, so that we also meet the data protection legislation requirements of those countries
In short, if there is a requirement to use a country outside the EEA for processing personal data (remote access counts as a transfer just as much as storage or onward transfer does), you should be looking to your benefits provider to ensure enhanced due diligence is completed in accordance with both EU and UK data protection legislation.
Receiving the adequacy decision gives the UK some certainty, but I’d caution against complacency for anyone concerned with the handling of employee data. The decision is only valid for four years and can be withdrawn from the UK at any point if the EU feels that UK legislation or practices no longer meet the required standards. For those of us specialising in infosec, it will be a watching brief!
With 22 years in the Royal Navy under his belt, our Information Security Director Chris doesn’t take any nonsense. If that wasn’t enough, he also spent 12 years working with an internet service provider dealing with customer management, support and day-to-day operations as well as, yep, you guessed it – information security. Chris has achieved a lot during his time at Benefex, including successfully implementing an ISO 27001 Information Security Management System and an ISO 22301 Business Continuity Management System. If that went way over your head, the thing you really need to know about Chris is that he makes sure we’re looking after all your data at Benefex.
Our favourite thing about Chris is how passionate he is about his job. We’re also fascinated by the fact he boxed heavyweight in the Navy.