GDPR Mark Made Easy

Gdpr mark

okay so hopefully you can see a title slide how to prepare for a no deal gdpr brexit um as i said if you want to ask questions as we go through feel free to use the chat um if anybody joins i get a ping in my ear so if i look slightly distracted or hesitate while i'm talking it's probably because i'm letting somebody else uh join the call um but uh um yeah otherwise use chat to ask questions um or we'll pick them up at the end so my name's mark gracie and i run mark gracie gdpr and i support businesses with their gdpr compliance i do that primarily through a range of help line services on a subscription month-by-month subscription basis um at the premium end you get unlimited email phone support access to online resources and um hands-on help so i can take care of the um difficult or maybe you find tedious gdpr um compliance aspects um um or uh i can help you as you you go along um yourself um i'll talk a bit more briefly about that towards the end and my background is very much in a regulatory environment so i began working with data protection back in the late 90s when the 1998 that data protection act came into force i was working at an internet service provider at that point and that was the beginning of a 15 plus year career in uh regulation and compliance uh primarily in the internet industry and and telecoms but uh with a strong lead in data protection data retention and various other data related um issues and so today's session is about um the end of the gdp and sorry the end of the brexit uh transition period um which the government's confirmed will be on the 31st of december of this year um which means that from the first of january 2021 um we will be um completely outside of the eu so we've we've brexited already in the sense that we are no longer part of the eu but there's this this being this transition in 2020 which allows um for basically eu regulation and control um to carry on through throughout 2020 i think some people were thinking it was going to be paused or delayed on the basis that we've had to deal with coronavirus uh this year but um the government's made it clear that from first of january next year we will be out of the transition period and basically be on our own outside of eu so there are data protection connotations about that and in fact i'm beginning to get asked by quite a few people about the implications and so that's what this uh webinar is about um we're gonna look at uh i'm just gonna quickly go over the gdpr elements of restricted transfers and what that means so setting setting the scene as it were um and then we'll look at what this has got to do with brexit and also look at what this means in practice with some things for you to to think about in terms of taking things forward depending on what kind of processing you're doing and as i said there's a q a at the end but feel free to use the chat to ask questions as we uh go through so let's just have a recap on um where non-eu data transfers comes into into gdpr and so i often use this slide so apologies if you've seen it before if you've been on any other webinars i've run um but it's a basically a summary of gdpr in in one slide um just to recap we're talking about uh data protection and gdpr and that applies to the protection of personal data so any data that identifies an individual and the rules um or the principles of data protection set out what you can and can't do um and uh we haven't got time to go through all of this and we have the lawful basis and you have to have at least one of those applies to your processing at any time depending on the purpose the different purposes need to have different lawful basis and individuals rights the rights of the data subjects are the individuals data that you're processing and then there's the accountability principle which is about proving that you are gdpr compliant and that ranges from the use of tools and concepts like data protection by design and default and data protection impact assessments to making sure your staff understands data protection at a basic level so there's training and policies and and so forth and there's also a a clear obligation to to document your processing activities should you ever be asked to demonstrate that now i've highlighted um under the data protection principles it's not officially a data protection principle is defined in gdpr but it fits within the rules uh sort of section um and uh that's about non-eu processing and basically what that means is that um and this is covered in chapter five of the uh gdpr um it basically says if you're processing your data outside the eu then you must have appropriate safeguards in place um what those safeguards are will vary and so there are adequacy decisions which means the eu have declared that certain countries data protection laws are equivalent or or suitable to maintain eu um compliance so for example in that list there um in that top circle there's um andorra and argentina pharaoh islands guernsey israel new zealand switzerland etc if you process your data in argentina for example then you don't need to worry about any other safeguards because uh the eu have declared that argentina's data protection law is is appropriate um failing an adequacy decision so if you need to process your data in a country like the united states or india or china where that those their laws haven't been declared as um adequate um then there may be some other um mechanisms in place or safeguards in place now i've put a red line through eu us privacy shield because um if uh if you didn't know and i know there's some people on the call that attended a talk and i've got a slide just very quickly to summarize um i did a talk earlier this week about the fact that the eu us privacy shield has actually been declared invalid um and in reality that's the only um other safeguard that's in place so for all intents and purposes you can ignore that adequate safeguards in place bubble and and the eu privacy shield because that doesn't exist anymore in terms of being appropriate so no adequacy decision then you've left with basically um if there's an exception which is um the bubble on the left there's a number set out in gdpr um that means that you don't need to have adequate safeguards because other exemptions exist but the most common thing that most people will therefore be relying on if there is no adequacy decision um is to look at the use of some kind of contract now there are standard contract clauses or sometimes called sec abbreviated scc um or sometimes called model clauses and there's also binding corporate rules so binding corporate rules are for um large organizations who have um within a group of companies um operates around the world and if you're in the eu and you wish to pass say and some personal data to be processed by your parent company or another part of the business in a non-eu company outside country then you could make use of internal contractual clauses between the say the eu element of the business and the and the say the u.s element of the business um or the indian parts of business or whatever now these binding corporate rules are purely internal uh controls and they have to be approved by the uh regulator which for the uk is the information commission's office or the ico um so not many people use these because there's a usually a a month's um and a process you have to go through with the ico in terms of them validating your binding corporate rules but uh there there are some companies that do use that so the default tends to fall down to the standard contract clauses um and these are non-negotiable contract clauses set out in an eu regulation that essentially bind the um receiver of the data so that where the data is being processed um in a non-eu country and to eu standards of data protection and it also provides an element of recourse for the data subjects so the key tools to look for in terms of safeguards are essentially adequacy decisions so you're processing data in a country that um has been declared having adequate data protection and um the other alternative is you put in place these standard standard contract clauses or if you're if it's an internal transfer then you could look at using binding corporate rules or bcr as they've abbreviated um now where this fits into data protection in general and just to clarify there is of course a very wide definition of processing when it comes to gdpr and it's everything you do with your data so it's not just the purpose for which you're processing the data or you've collected the data in the first place and there are uh processing also covers the storage deletion editing and manipulating the sharing of your data and everything that you do with that data so it's important to be mindful that when you're thinking about where in the world your data is being processed if you're sticking it on a and sticking the data in a cloud storage solution like dropbox or onedrive or you're using a crm a custom relationship management system like say hubspot or you're using mailchimp for your email marketing whilst you are doing the actual processing of the data you're using their platform and because their platform is processing it for you or storing the data for you they are processing as well so they're considered data processors and whilst there's controls around how you engage with these data processors so you have to be sure they're gdpr compliant and that you've got a contract in place you also need to understand where in the world their data is being processed and if it's being processed outside the eu then you have to look up for one of these safeguards so don't think of it just about the fact that you might be transferring your personal data to a marketing company that operates out of india and they do your marketing for you it is that but it also could be where you're storing or sharing your data through platforms and cloud-based services and et cetera and i'll come on to why this is relevant in a second in a sec sorry relevant to brexit in a in a second um excuse me so i just briefly wanted to summarize um what's happened because of the shreds two case which has led to me striking out eu privacy shield on uh sorry eu s privileges shield on that slide um a couple of weeks ago a european court declared that um due to national surveillance programmes in the u.s so national law in the u.s um that gives the government power to seize data without any particular controls with no redress by the data subject which could include european citizens data the court declared privacy shield invalid and so the the downside of that is if you're relying on a data transfer and you're relying on privacy shield for a eu us data transfer you can no longer do that um which really means the default then falls to these standard contract clauses but there is now a question about whether they would themselves be valid if national law trumps um what the organization is that's processing your data and should or shouldn't do according to national law so for the same reasons the privileges shield have been has been deemed invalid the standard contract clauses are now in question as to whether it's appropriate to use standard contract clauses um and uh the court indicated that the data controller so the organization who is instigating the processing in a in a non-eea country and the super advisory authorities should really assess the risk to the processing under the standard contract clauses by a u.s organization so um the ico updated their um guidance uh at the beginning of this week on this and they basically said you shouldn't be relying on privacy shield anymore it is illegal to do so um you might be able to rely on standard contract clauses but you've got to carry out your um a risk assessment to determine whether it's appropriate for you to use standard contract clauses and the downside is if you look at what mailchimp google hubspot or whatever are saying about uh eu to us data transfers they're saying don't worry that provision shields being made invalid because we use standard contract clauses and they seem to have completely missed the point that the same reason privacy shield's invalid standard contract courses are potentially valid anyway i'm not going to say any more about this um it's a pretty big deal um for pretty much everybody because we all use in one way or another a us-based cloud service and to process some kind of data in some way as a site whether that's your email marketing platform or your your crm or just for storing spreadsheets in the cloud or whatever um so this is not a problem that's going to go away and we're sort of kind of waiting to see what the guidance from the ico um will be in in a more detailed sense than what they've said so far if you want to catch up on what this all means then uh if you go to uh my gracie gdpr.com uk my website and look in the blog section there's a blog post there that includes a recording of the session i ran um i think it was on tuesday so anyway that explains why i've crossed out us privacy shield as a as an appropriate lawful basis now this is really as so far as i said this is a background to gdpr and and um what's called a restricted transfer or international transfer is the the term that the ico use um which controls the processing of data outside the european economic area so big question what's this got to do with brexit well simply put um uk when we finish the transition period so from january next year will be considered what's called a third country so that means that processing data in the uk from the eu would be a restricted transfer so all of those rules that i've just covered in a summary of what gdpr says for example in terms of u.s data processing or processing data in india or china or whatever suddenly the uk falls within that category of of countries that are not no longer part of the european economic area and and therefore we need to look at what are the appropriate safeguards for eu to uk data flows um and this also means that you will need to think about what this means for your organization with regards to how you're processing your data or the data you process perhaps for clients depending on whether it's coming from the eu whether you're a uk only business whether you're processing data in in the states or um or whatever um so this is uh you know significantly um an issue um at the end of the transition period but actually a lot of it will come down to whether there's a deal or a no deal in a in a gdpr context um so what i mean there is obviously there's lots of negotiations going on between the uk and the eu and and the next slide's got some quotes from some statements that the eu various eu organizations have put out about the processing of data in the uk when it's no longer part of the eu um so in the uk we will have the uk gdpr so for all intents and purposes gdpr will carry on being our data protection law although obviously in the future the uk government can do what it likes with data protection but it would have to bear in mind um what the expectations of our our nearest probably uh business partners and trade and partners are likely to be ie europe but we will have a uk gdpr so we'll probably start talking about uk gdpr and eu gdpr but for certainly initially they will be exactly the same as what we're living under right now is gdpr and of course we have the data protection act 2018 which will continue to be a vehicle of controlling and implementing gdpr and dealing with some of the um the nuances in what you can and can't tweak within national law with regards to what gdpr says but ultimately when it comes to what the implications of brexit mean for gdpr and data transfers and data flows um is going to be about whether there's a deal or a no deal agreed between the eu and the uk so if there is a deal then we might find that we have an adequacy decision there may be some controls around the one-stop shop um and around the use of representatives and apologies i i did mean to sort of highlight that on a previous slide so when we were talking about the chapter five appropriate safeguards um stuff top left blue blue box um as well as these controls about making sure there's a safeguard in place and there are obligations that if you process data review eu citizens because you target eu citizens but you're not in the eu then you have to have somebody representing you on the ground essentially in the eu and they call it an eu representative and also the member states all benefit from what's called a one-stop shop so that means that if an infringement happens in france and you're based in france a lead authority is given to you as being probably the french regulator and they all operate on behalf of the nationalities in the member states of any data that's been breached or had an issue with so there's a lead authority a sign so that means that within europe you don't have to worry about whether you're if you're dealing with french citizens that you have to apply your national regulator and the french regulator it's all treated as one so that's what i mean by one-stop shop so apologies for missing that earlier um so yeah if there's a deal we could get an advocacy decision that's the eu saying yes of course you can process data in the uk it's all good um or that there could be some um more information about how we sit within this one-stop shop or whether we don't at all and whether we need an eu representative however if there's a no deal there's potentially no advocacy decision no outcome of deliberations about whether we can benefit from the one-stop shop and no uh and then potentially a need for eu representative so at the moment we don't really know what the outcome is going to be we're you know we're coming to be august next week so well this weekend so um you know we're only four months away from the end of the transition period and we're still waiting to find out and you know ultimately you might want to leave this until the last minute to just decide because something could happen in in december and it's all become suddenly clearer and you don't need to worry about it but potentially if we go down the route of a no deal from a gdpr point of view then we you will need to change probably the way you work if you if you've uh engaging with eu citizens or you're processing eu citizens data on behalf of eu organizations and that's what the rest of this presentation is going to be about so um in an ideal world we get a deal everything's sorted nothing really changes but in case that doesn't happen you need to be prepared um for possibly having to do a lot a lot of work towards the end of this year once we know that's for sure um or maybe into the new year depending on what the ico tell us to do and and so i'm going to concentrate from now on looking at the no deal because that's where the big issues are going to arise now in terms of what the eu was saying so there was a um a parliament european parliament's uh sort of um declaration as part of the negotiations between the eu and the uk that talks about data protection and says that the eu um council the parliament everybody who's making these decisions about whether we would have a deal that from a gdpr point of view or not and need to consider a number of things that may bring into question whether uk data protection law is equivalent to eu data protection law now that may sound stupid because we have um eu gdpr right now in transition and have done since it came into force in 2018 but it's not as complicated i'm sorry it's not as straightforward as that so as this statement from the parliament says there are elements in the data protection act 2018 that provides exemptions for immigration purposes which means that um uk citizens benefit from better data protection than non-uk citizens and therefore that is in contradiction to the concepts that actually eu data protection should travel with you no matter where you are in the in the world and there is also um an issue around the implementation of a data retention directive um which impacts on electronic community telecommunications data now my background's in internet and telecoms in industry and this was a big deal in in the fact that and the government can the uk government can ask a uk telecoms operator to retain data for um i think it's up to ten years um which they might not need for any purpose and this uh the eu have made clear is is very much outside the bounds of what the data retention directive actually originally intended so you know all things considered there's two very good reasons there the eu parliament are saying that um you might not want to give the uk an adequacy decision because whilst they are using and applying gdpr there are other elements of data protection law which um the uk have tweaked in there and to their benefits and not necessarily to the benefit of eu member states citizens data and then most recently so on the 9th of july so that parliamentary statement was from february from earlier this month the commission produced a communication on the readiness at the end of the transition period between the european union and the united kingdom um and uh it sets out some of the challenges that are ahead but in terms of recommendations it basically has said that um businesses need to submit businesses in the member states so not uk in in the european economic area um with the uk not included in that needs to prepare themselves for the possibility that there will not be an adequacy decision they're going to do everything they can to make sure that there is or at least they consider the the potential and of course as that previous statement i was talking about said there's some issues about whether adequacy is actually going to happen or not so what they are hinting at is you might need to think about what the appropriate safeguards are in case that there's a a no deal gdpr brexit essentially at the end of the transition so from from an eu member state perspective there's very much a potential that eu businesses that you may be working with might start asking you complicated questions around what you're going to do about ensuring gdpr compliance will you sign these standard contract clauses and so forth so let's let's look at what this actually means in in practice and i've set out uh four different scenarios depending on what kind of business you are in in the uk um and what kind of processing you're doing of eu citizens or or on behalf of eu business uh um or even non-eu or non-eea i should say processing as well so first of all simple if you're a uk business operates solely in the uk only process is the data of uk citizens so don't you don't have any um engagement with non-uk citizens nothing changes um there is no real impact whether there's a deal or not because uk gdpr will apply data protection act 2018 will apply you'll be answerable to the information commissioner's office and carry on as you do today and as you have for the last couple of years so if you're uk only no engagement with the eu no processing of eu citizens data uk completely then um there's no real change however it gets a bit more interesting from from here on in if you're a uk business and you're targeting eu citizens so you've got eu customers so this is not you as a processor on behalf of an eu company this is you doing delivering a service and your customers fill that service are eu citizens in the uk you'll be governed by the information commissioner office and uk gdpr and the data protection act 2018 if you have offices within the european economic area then your eu activities so the processing of eu citizens data will be covered by your eu offices essentially um and eu gdpr so you'll be answerable to whichever um lead authority and so that's the ico in the uk um the lead authority in the country that you are um domiciled in so for example um a lot of u.s businesses slightly obscure example but a lot of us businesses are based in dublin so if you had an office in dublin and you had an office in the uk and you were processing french customers data you would be answerable for your data processing in the uk according to the ico but you'd also be answerable to the irish data commissioner data commission because you have a a um you have offices or a presence in in ireland essentially even though it's french um french citizens you're dealing with that means that for eu processing your eu controls will be run out of your eu office and you will benefit from that eu office from that one-stop shop so you don't have to worry about the e um you know the the irish regulator the uk regulator and the french regulator if it's french citizens you would just need to worry about the uk regulator if it's uk citizens based although the ico probably pay attention if it was eu breaches as well um and the irish regulator in um in for the fact that you're domiciled in the eu as well now if you have no presence and no offices um in the eu but you're still processing eu citizens data so we'll stick with the french customers you might have um eu gdpr still applies uk gdpr still applies um you'll be answerable to lead authorities in the countries in which you have um caused an issue now potentially um because it's a french um french citizens we were talking about in our example you'll be answerable to the ico in the uk but you'll also be answerable to the french regulator um in in france for the infringements of the french citizens data now if you've got multi-member state issues then it's possible you may be arguable to those other member states uh lead authorities or regulators as as well and you also should look at what you're doing with your uh documentation your privacy policies so that you update everything to reflect the fact that actually the regulatory regime will have changed and so you'll need to update your privacy policies to explain how you're processing data who you're allocable to and so forth and obviously remove any any references appropriately when you talk about eu legislation because you'll be bound by uk legislation as well so you'll need to work out a set of wording to cover that scenario so that's uk businesses based in the uk targeting eu customers with a variation depending on whether you're based in the eu as well so you've got offices in the eu or whether you don't have offices in the eu and in addition to being um not party to the one-stop shop in the eu um there is also the fact that you will need to probably appoint a eu representative so that's somebody who acts on your behalf for data protection measures to all of the eu regulators um and they have to be domiciled in the eu so there are companies that people use um already that exist because this applies to anybody else so a u.s business targeting eu citizens for example has to have an eu representative um and um some of those may be in in ireland or they may be in france or wherever depending on who you want to choose so there is a potential there that you will not only be bound by different laws depending on where the citizens are from and where how you operate but you may also need to have a eu representative and pay somebody to take on board your or act for you within the eu from a data protection point of view and there are companies as i say that provide that as a service now if you're a uk processor and you are processing on behalf of eu customers so the controller for the the data controller for the personal data is in the eu but you are a data processor that they use for processing so that could be you run a cloud-based service that say a french company uses or you could be a uk processor that does marketing on behalf of uh companies in france um for for whatever reason but if you're seen as a data processor and they're seen as the data controller and they're based in the eu your processing activities because you're based in the uk are governed by uk gdpr data protection act 2018 and enforcement or answerable to the information commissioner's office your clients will still be applying eu gdpr which says that if you're processing data outside the european economic area you need to apply appropriate safeguards and of course uk will be seen to be outside the european economic area so if there is no adequacy decision this comes down to you probably having to agree to standard contract clauses now these aren't as i said before non-negotiable so they literally are a cut and paste from an eu regulation into into a contract but that means you are likely to enter into new contract negotiations and and whilst the non-negotiable part of that contract the standard contract clause is bit is non-negotiable so that has to be the same obviously uh some companies top and tail it with other conditions and things as well so you'll need to be mindful of that and again you'll need to uh make sure your privacy policies and everything are up to date and you've got enough information to help the individual uh controllers in from the eu in terms of understanding what you're doing and why it's lawful for them to to use you so if you're targeting eu citizens that's the previous slide if you um you may need an eu representative if you don't have uh offices or um a presence in the an eu country um if you do have friends in a new country then you'll be arguable to the eu part of your processing activities in the eu but if you're processing and seen as a data processor in the uk for eu controller so this is eu to uk data flow then your eu customers or the partners or wherever you're working with will need to consider the fact that the uk is now a restricted uh transfer of data and therefore that they need to apply appropriate safeguards and ultimately that's going to come down to standard contract causes unless of course the eu say that there's an advocacy decision that they're willing to uh to agree to um and then finally um we mustn't forget that there is still a control for processing data outside the eu and um that will be true for uk businesses as well so if you're continuing to process data in china india the us or whatever then you need to consider the implications of where that will sit within the uk so again because you're in the uk you'll be bound by the uk gdpr data protection act 2018 um and um enforcement by the information commission's office um the government has said that transfers to europe so if you're processing your data in europe so if you're a uk company and you've got a server or storage space or you're using an application that's run out of dublin or or some other um european member state france germany spain etc then there won't be any restrictions so we won't see from a uk law perspective that's non-uk data protection processing in europe is considered a restricted transfers there will be no restrictions we will deem all european economic area countries as being adequate and therefore those processing and that transferring can carry on as it does today um the uk will also probably um there's a strong indication that they will recognize any eu adequacy decisions and any other safeguards for non-ee data transfers so if the eu says it's okay to process data in argentina israel new zealand etc then it will be also okay for you from the uk to process your data in those countries as well so if there's an adequacy decision from eu the uk will recognize those if there are other controls or safeguards put in place for non-eea data transfers then the uk will probably recognize us as well that also of course brings into question what uk will do with the fact that privacy shield has now been um essentially deemed invalid um and it's now illegal um to use and so uh whatever comes out of that from an eu perspective will probably apply to the uk as well unless for whatever reason the uk decide to do as part of a trade deal a uk us equivalent of privacy shield in which case that may bring into question um some adequacy issues but um it's all up in the air in that in that regard but essentially you'll be able to carry on processing data in the eu without any restricted transfers if you're processing data outside the european economic area and outside the uk then it will fit in with whatever eu are saying um unless the uk come up with its own plan but there's no indication of that at the moment and again you'll need to update your privacy policies in the other documentation particularly around how you reference the different pieces of legislation how you're doing the processing and so forth so so those are the key four areas of consideration and uh you know if you're sat here thinking well i'm a uk business i don't process data um outside of the uk and i only deal with uk citizens then there's very little that you need to worry about it's when you're processing data on eu citizens either because you target them or because you act on behalf of eu companies and process their data for them um or if you're processing data outside the eea then you've of course got to bear in mind those gdpr restricted transfers and those will be essentially the same in uk gdpr as they in eu as they will are currently in eu gdpr so what should you be doing now well the key thing is keep an eye out for any ico guidance any guidance or hints from the eu about what they're telling the member states to do post um what the uk government might say usually the best way is to see what the ics say they tend to publish statements or even publish guidance or tell the government what the position is so probably the ico european data protection board is another area to keep your eye on as well so and over the next four months or so um i would imagine that we'll get a steady flow of of updates as and when they happen but we need to be mindful that that might not happen until towards the end of the transition period so it might be a mad rush at the end of this year to tidy up some things however there's a possibility your customers might be coming to you already and starting saying to you we need you to sign standard contract clauses regarding what happens with the brexit transition um and so you need to be prepared for that and so step one keep up to date with what's going on step two um work out get a plan in place decide how you're gonna address this issue whether you're going to leave it to the last minute whether you're going to work with your clients or whether you're already being forced to work with your clients that are bringing this into question and the key thing for you to do really right now is make sure you know where in the world your data is being processed and identify which ones are going to be impacted by these changes particularly if there's an a no deal brexit from a gdpr perspective and you shouldn't find that too difficult because the accountability requirement to have a documentary evidence of um what data you have should also record where in the world that data's being processed so that should be relatively straightforward um review your documents and your policies and make sure that they are up to date and reflect a potential change in in the way forward if you're relying on data protection impact assessments for your processing activity and those dpia make reference to any controls or checks and balances you have in place regarding international data flows then you'll need to review those as well be clear on who's going to be the lead authority for the citizens data so if you've got customers in france germany and spain then you need to bear in mind that um you may be answerable to their regulation um accordingly um as a non-eea processor um if necessary you need to work out how you're going to appoint an eu representative um and uh oh just a quick note actually a side note i mentioned mentioned meant to mention earlier um there is also a potential that there will be a need for uk representatives so organizations outside of the european economic area who want to process and target uk citizens so um there's uh it shouldn't impact on you because you you won't be needing one of those but um just so you know that the government are talking about um a u.s company for example targeting the uk will um and eu customers will not only need an eu representative or to be domiciled in the eu but they will also need either to be domiciled in in the uk or have a uk representative but a step seven there determine if you need an eu representative basically um and who you're gonna use um and that will typically be somebody operating in the member states where you have most of your customers and when they're in the uh the eu member states um i've just got a question come through but i'll just finish this and then i'll come back to it determine where you might need to use standard contract clauses and expect some engagement from your eu customers so as i said before you can expect people to start talking to you about this if they need to and they may try and push you into signing standard contract clauses so that's step two of deciding on what you're going to do how you're going to act needs to also include a plan about how you deal with people trying to get you to sign up to new contracts which include the standard contract clauses um and that's really um that's step nine as well is being prepared for how you deal with that um and um as always with data protection and gdpr document as much as you possibly can in terms of your approach and your decisions particularly if they're a bit borderline as to what you should we shouldn't be doing because that documentary evidence is a great way of proving your gdpr compliance and your approach to it okay uh so i've got a question if you have an office and process in a country with an eu adequacy decision will that require an eu representative no if you're if you're processing say you're processing your data in new zealand eu has an agreement that new zealand's data protection law is equivalent to gdpr and therefore you can process your data in new zealand and the uk government have indicated that if the eu say it's okay then it will be okay from a uk perspective as well so um so that's one way of looking it now if you have um if you have an office in new zealand do you need an eu representative and so if you're if you if the question is if we have a just picking new zealand as a random example because i have an adequacy decision if you're in new zealand targeting eu citizens you will still need to apply the gdpr and i think you will also need an eu representative and the problem is if you're in the uk and new zealand and the new zealand office targets the eu and the uk deals with uk only you having an office in the uk won't count because um uk will be outside the eu um yes so it will only work if you have an office in the eu whether regardless of where you may be working from so if you're in a new zealand company but you've also got an office in in france then you don't need a representative because the french arm of your business will be the the will be responsible and so i hope that answers that question okay so that was all i wanted to cover um obviously there's some complexities here and trying to work out what what you do or don't need and what that might or might not look like um as i said at the beginning i provide support services um to businesses um i can certainly help you with this whether that's working out whether the cassandra contract clause is a a right and and correct or whether you should be applying them or not whether you're being put under pressure to sign things um but yeah i can pretty much help you with any aspect of that in fact i've worked with businesses uh on and off over the last couple of years since we had the various brexit trans brexit periods of where we were or weren't going to to leave with or without a no deal and and certainly some businesses were finding they were being pressured and they were also being pressured by non-eea um organizations as well um with regards to all of this excuse me um but yes if you if you need some help then please do do get in touch um if you found this webinar useful and helpful um then um just to fill you in on on a few other things i've got a um a present a webinar that's free next week um on the 6th of august looking at the gdpr implications for the new normal and specifically looking at what this means for and the fact that we're we've sort of had to panic in terms of getting things in place because all of a sudden we're not allowed out and we have to get our businesses working remotely and and all these kind of things to actually moving more towards a transition of a so-called new normal where you can't rely on the fact that you did your best you've got to make sure it's all in in order you might be using zoom and you've got employees working from home you might be testing employees so there's a free webinar where i'll be covering all of those things on the sixth and if you're interested in learning more about the shems 2 case that's the thing that's basically perpood the privacy shield making it invalid and also brings into question whether standard contract clauses with us businesses um is appropriate or not then um i run a a monthly meet up for data page protection practitioners it's an online thing done through zoom um and we will be talking about shrimps too and that's on on tuesday so again that's free to join um and then from the 7th of august which is next friday um i'm beginning a restart of my 10-week gdpr workouts where i look at um the various different elements of uh gdpr compliance in in a lot of detail so much more than than you would get from a free webinar that i run although the first one of those 10 is a refresh of gdpr and is actually free and so yeah take a look at that and if there's anything there that you're interested in feel free to sign up if the dates don't work then um sign up and just like this one uh this webinar um i'll be sending around recording so if you want to get the recording then um then uh sign up anyway um but uh that's that's the end of the presentation we've got about 10 minutes um in which to take any questions i think i've answered all the questions that came through through chat and so what i'm going to do is i'm going to stop the screen share and i'm going to stop the recording and then if