Part 2: What’s new for in-house counsel — data security

In our May 2021 monthly session for in-house counsel, over 190 professionals came together to hear Iain Larkins, Radius Law’s founder and CEO, and Sandra Martins, Radius Law’s head of employment, provide an update on essential topics.

Part 2 of this series of 3 on the talk focuses on key themes in data security, providing links to useful guidance on various issues in the sector.

Data adequacy

Iain reminded us that the new deadline of 30 June 2021 for a UK data adequacy decision is looming. However, even if an adequacy decision is granted, there will likely be legal challenges similar to those concerning EU-US personal data transfers. Businesses which rely on the free flow of personal data from the EU should make contingency plans.

Standard Contractual Clauses

The default position would be to move to standard contractual clauses (SCCs).

The Commission has published proposed draft new SCCs under the EU GDPR (Draft New SCCs). For further guidance, including on plans to revoke the existing SCCs, see the section on ‘New SCCs’ in Practice Note: EU GDPR—transfers of personal data internationally and to international organisations—Standard contractual clauses (Model Clauses).

Lawyers should bear in mind Schrems II, which held that SCCs must be accompanied by a risk assessment of the third country and must be able to ensure that third countries have a similar level of protection to the EU.

Iain commented that recent decisions, such as the ones taken in Germany and Portugal, have shown that data protection authorities are no longer paying lip-service to the ECJ’s decision, but are taking action against companies who fail to meet the necessary standards.

See News Analysis: Bavarian DPA declares transfers to US email marketing service prohibited due to Schrems II and MLex: Cloudflare targeted by Portugal's data protection agency, risking tensions with US.

When transferring data to 3rd countries with lower data protection standards, businesses should consider:

  • anonymising the data
  • providing an advanced level of data encryption

Data representative

Iain felt that one of the most overlooked obligations in the EU’s General Data Protection Regulation (EU GDPR) so far is the requirement for organisations that are subject to EU GDPR but outside the EEA to appoint a data protection representative (DPR).

However, following the fine announced on 12 May 2021 for from the Netherlands supervisory authority for failure to appoint a DPR, this is now likely to receive much more attention.

See News Analysis: fined €525,000 for failure to appoint data protection representative.


In January 2021, the Information Commissioner’s Office (ICO) announced it was resuming its investigation into the adtech industry (see: LNB News 22/01/2021 41), which it had paused in May 2020 (see: LNB News 07/05/2020 68). The investigation is focused on concerns with real time bidding: this is the classic social media type advertising, whereby web adverts are sold in the ‘blink of an eye’ based on the user profile. The ICO has previously stated that it considers all real time bidding practices to be non-compliant with the GDPR, so those making use of adtech should take care to follow any updates by the ICO or other industry bodies.

Among these, Iain highlighted the guidance published by the EDPB (see: LNB News 23/04/2021 8). He felt that these guidelines are useful inasmuch as they raise considerations that stakeholders should take into account, but they don’t really provide solutions.

Businesses will have to consider if they want to suspend adtech activity pending the ICO report, until there is full clarification on these issues.

For more information, see: Online advertising and adtech—overview.


44% of respondents to Iain’s poll felt that their businesses have some or large gaps with their cybersecurity programme.

This seems to echo what the government has found in its 2021 cyber breach survey (see: LNB News 24/03/2021 109). This showed worrying statistics on businesses’ preparation for cyber attacks, likely at least partially linked to the rapid transition to home working.

The government is urging organisations to follow the National Cyber Security Centre’s guidance.

Iain felt that it is worth asking your business’s IT department what they have in place to protect the business from cyber attacks.

For further information on cybersecurity, including an A-Z of cyber threats and Precedents, see subtopic: Cybersecurity & cybercrime.

Click here for parts 1 and 3 in this series, for an overview of hot issues in the corporate and commercial sphere and ESG, and in employment law.


About the author:
Gloria is a Paralegal in the Lexis®PSL Paralegal Hub. She graduated in International Law and Globalisation from the University of Birmingham in 2019 and has been at LexisNexis UK since March 2020. She has experience working for US, UK and Italian law firms on a range of matters, including IP, financial services and immigration law.