Brexit and its implications for GDPR can seem like a scary concept, especially with a no-deal looming, so we’ve put together some information and advice for charities.
GDPR. GDPAAaaaaagh. Like the wailing winds, those four letters have been blowing a chill through all of us for quite some time. And with Brexit looming on the 31st October (Halloween, no less), it’s extra scary. Organisations that fail to comply with GDPR, the EU’s data protection regulation that came into force in May last year, face fines of up to 20 million euros, or 4% of their annual turnover. So, what does a no-deal Brexit mean in terms of GDPR compliance for your charity? You are not alone in being confused, so we have put together some information and advice for charities.
Although we don’t know exactly what will happen after Brexit, you can expect a UK Data Protection Act that is similar to EU law to apply. There are guidelines for UK organisations receiving personal data from international partners in the EEA. UK charities will be able to carry on sending personal data to the EEA. But what happens if there’s no Brexit deal? Well, in that case, charities will need to adhere to the Data Protection Act. The chances are, GDPR guidelines will be drafted into UK law, updating the Data Protection Act to an equivalent level of compliance so that the UK will be able to continue to do business with Europe. Exactly what form these changes will take is unknown - you’ve got some time though, as the UK’s data protection standards will not change overnight, so keep an eye on updates.
The ICO has prepared advice for small to medium UK organisations on continuing to move data legally between the UK and the EEA. If you already adhere to GDPR regulations and have no contacts or customers in the EEA, you don’t need to do much more. But if you do get personal data from the EEA, you’ll need to do a bit more. In a no-deal Brexit, small and medium sized charities accessing personal data from the EU are advised to revise and update their contracts. If you haven’t already, review your contracts and processes to ensure they comply with the current guidelines. If you don’t, your charity could lose access to personal data, which would affect your operations. For most charities, this can be achieved by establishing a contract between you and the sender on the EU’s terms, called standard contractual clauses (SCCs). SCCs are terms and conditions that both the sender and the receiver of personal data agree to, and they protect personal data when it leaves the EEA. If we leave with no deal, you’ll need to set up the contract before the 31st October deadline.

If you are a larger organisation, or you already have processes in place for data transfer, you should read up on international transfers. GDPR restricts the transfer of personal data to countries and international organisations outside the EEA. You can send anonymised data outside the EU. If you can anonymise personal data so that no one could ever be identified, even when combined with other information like the opening hours of your charity, the address of the office etc., it’s no longer personal data, so the restrictions don’t apply. You might need to make a restricted transfer if you are sending personal data outside the EU that could identify a living person. You need to know if the country you are sending it to is covered by the EU Commission’s ‘adequacy decision’, which refers to countries with laws deemed adequate.
If you are sending data somewhere not considered ‘adequate’, you should find out if there are appropriate safeguards in place to protect the personal data and your charity. The UK might not automatically be granted adequacy status, so it’s best to make sure your contracts are ironclad.