Data protection is a priority for all charities, but how does the UK’s departure from the EU effect legislation in this area?
Charities use of data and how they store information changed dramatically in 2018 when the EU’s General Data Protection Regulation (GDPR) came into force.
This tightened up legislation across Europe around the transfer of personal data across borders and gave individuals greater control over their data.
For charities, the change meant ensuring people have a clear choice about the information that is held about them and how it is used. Procedures had to be altered to give users more of a say, and customer relationship management systems had to be reviewed to ensure data was handled securely.
In practice there is little change to the key principles to protect data and the rights of individuals around information stored on them.
Despite the EU’s GDPR no longer applying to the UK, it has been incorporated into UK data protection law so the UK’s GDPR still applies. This sits alongside the UK’s Data Protection Act of 2018.
The UK does have the power to change and develop its data protection legislation. There are no plans in place to do so, but under the terms of the UK’s departure from the EU it is required “as far as is reasonably possible” to notify the EU if the UK plans to do this.
The trade agreement, brokered at the end of 2020, outlines that transfer restrictions are delayed for at least another four months and can possibly be extended to six months.
That means personal data can still flow freely across Europe to the UK for the time being and, unless one side objects, the EU will not be treated as a ‘third country’ – a non-EU or non-European Economic Area country – in terms of the management of data across international borders, providing no changes are made to existing data protection legislation.
However, after April 2021, the Information Commissioner’s Office (ICO) recommends that, if a charity or other organisation receives personal data from within Europe, they put in place alternative data safeguards in place, if they haven’t done so already.
To help, the ICO has developed a useful interactive tool to use on contractual clauses for transfers into the UK. This includes across the border between EU member state Ireland and Northern Ireland. The ICO says it will continue to monitor the flow of data across this border “and provide any necessary updates as soon as possible”.
Charities are also advised to check whether or not they are storing data in the EU via cloud or local server for back up.
The signing of the UK-EU Trade Agreement on 31 December 2020 is a key date. Data collected before this date needs to comply with EU data protection law. Data collected after this date needs to comply with UK data protection law.
This means that organisations are advised to ensure they know which legislation applies to which data, based on when it was collected.
The ICO wants to ensure data continues to flow securely to and from the UK and has produced a useful webinar on data protection and the end of the UK’s transition out of the EU.
The National Council for Voluntary Organisations (NCVO) is another organisation that can offer up-to-date information on the changing landscape for data protection in the UK post-Brexit.
To support its work in this area it has for the last three years used data protection consultancy Hope and May. Support includes information from Hope and May on what small- and medium-sized organisations need to consider around GDPR and Brexit.
The NCVO also emphasises the importance for charities of having clear policy in place for data protection. It says: “Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.”
Software suppliers to charities should also be able to help ensure data is collected securely and adheres to the relevant UK or EU law. For example, Microsoft 365 offers advice on how charities can simplify GDPR compliance.
This includes advice on how to discover and explore data, control where it is stored and migrating data to the cloud.