What does Brexit mean for GDPR?

Transferring data across Europe

 

The trade agreement, brokered at the end of 2020, outlines that transfer restrictions are delayed for at least another four months and can possibly be extended to six months.

 

That means personal data can still flow freely across Europe to the UK for the time being and, unless one side objects, the EU will not be treated as a ‘third country’ – a non-EU or non-European Economic Area country – in terms of the management of data across international borders, providing no changes are made to existing data protection legislation.

 

However, after April 2021, the Information Commissioner’s Office (ICO) recommends that, if a charity or other organisation receives personal data from within Europe, they put in place alternative data safeguards in place, if they haven’t done so already.

 

To help, the ICO has developed a useful interactive tool to use on contractual clauses for transfers into the UK. This includes across the border between EU member state Ireland and Northern Ireland. The ICO says it will continue to monitor the flow of data across this border “and provide any necessary updates as soon as possible”.

 

Charities are also advised to check whether or not they are storing data in the EU via cloud or local server for back up.

 

 

Data collected before the UK left the EU

 

The signing of the UK-EU Trade Agreement on 31 December 2020 is a key date. Data collected before this date needs to comply with EU data protection law. Data collected after this date needs to comply with UK data protection law.

 

This means that organisations are advised to ensure they know which legislation applies to which data, based on when it was collected.

 

 

Further information

 

The ICO wants to ensure data continues to flow securely to and from the UK and has produced a useful webinar on data protection and the end of the UK’s transition out of the EU.

 

 

The National Council for Voluntary Organisations (NCVO) is another organisation that can offer up-to-date information on the changing landscape for data protection in the UK post-Brexit.

 

To support its work in this area it has for the last three years used data protection consultancy Hope and May. Support includes information from Hope and May on what small- and medium-sized organisations need to consider around GDPR and Brexit.

 

The NCVO also emphasises the importance for charities of having clear policy in place for data protection. It says: “Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.”

 

Another source of information is the Directory of Social Change, which offers advice from data protection expert Paul Ticher on the implications of Brexit on GDPR specifically for charities.

 

Software suppliers to charities should also be able to help ensure data is collected securely and adheres to the relevant UK or EU law. For example, Microsoft 365 offers advice on how charities can simplify GDPR compliance.

 

This includes advice on how to discover and explore data, control where it is stored and migrating data to the cloud.