
Info Sec and Privacy Roundup 2020

  • Standards_Guru
  • Dec 29, 2020

Well … what a year this has been! I’ve not been able to post for a while and this year has been largely a time for consolidation and reflection as well as change.


Besides the obvious impacts that Covid-19 has had on individuals such as their employment, health, personal relationships and family life, more intangible effects have included the relationship between the individual and the state. I’m sure no one in their wildest dreams could have predicted twelve months ago that the population of the UK would have restrictions placed on their freedom of movement and measures put in place to close sectors of the economy for a protracted period of time.


These items alone are a formidable challenge, but this was also the year the UK left the EU and organisations have had to prepare for the eventuality of a deal/no deal outcome with the Sword of Damocles held over our heads. At least this has now been settled with a deal at the eleventh hour. It may not be perfect, but this agreement should provide some welcome certainty in these tumultuous times.


I've pored over the new agreement and have set out below where the provision for EU/EEA data flows to the UK may be found, along with some news on ISO certifications.


Brexit Temporary Personal Data Flow Arrangements


You may have seen that a temporary transition arrangement has been agreed between the UK Government and the EU to allow personal data to flow freely from the EU/EEA to the UK for up to six months after the transition period ends on 1st January 2021. (Data flows from the UK to the EU/EEA and other adequate third countries will continue as normal.)


The ICO have also confirmed this arrangement within the Treaty; see:



This is contained within the summary document published by the UK Government of the agreement under Part 7 – Final Provisions Section 182 on page 32.



For those who wish to see the full provision in the original text of the agreement published on 24th December 2020, see Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom. This is on page 406 of the agreement.



Although this means that the status quo will not change for up to six months, to allow time for the European Commission to decide the adequacy status of the UK as a third country, organisations should use this extra time to prepare alternative mechanisms for personal data flows as a contingency measure in the event that an adequacy decision has not been made during this period.


ISO Certification News


ISO Certificates accredited by UKAS should still be recognised across Europe as UKAS will remain a member of the European cooperation for Accreditation (EA). UKAS accreditation is recognised as technically equivalent by other signatories of the EA Multilateral Agreement.


The International Organisation for Standardisation (ISO) is currently reviewing ISO27001 Information Security Management, and the accompanying best practice standard for implementing an ISMS (ISO27002) is currently being developed. We will update you on the latest news on these updates next year.


We wish you all a happy new year and hopefully 2021 will be a year of recovery and progress for us all.


Disclaimer: Please note that this article reflects the opinion of the author only and should not be construed as legal advice. The author takes no responsibility for the security of the external web pages referenced by the URLs within this article; users may browse to these sites at their own risk.



© 2019 by AA PrivSec Consulting Ltd.  Company Number: 12062685.

ICO Registration Ref: ZB568721


Images under license with Shutterstock and iStock
