Now that we have had time to get used to the obligations and expectations placed on the University as a result of the General Data Protection Regulation (GDPR) coming into force in May 2018, we next need to consider the changes that Brexit will bring in this area.
A frequently asked question is whether GDPR will still apply to the UK once we have left the EU at the end of the transition period.
The answer is yes, as the UK intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK. It will sit alongside an amended version of the Data Protection Act 2018.
The key principles, rights and obligations will stay the same – but there are implications for the rules on transfers of personal data between the UK and the EEA.
How should we prepare for the changes?
- Understand your flows of personal data with EEA countries. Most important will be the transfers from the EEA.
- Think about how to continue to receive these transfers lawfully after exit date.
- Consider whether you need to put appropriate safeguards in place to transfer the data lawfully.
You can keep making transfers of personal data from the UK to the EEA under UK adequacy regulations.
How can personal data lawfully be transferred from the UK?
If you need to transfer personal data out of the UK after exit date:
- the UK version of the GDPR will apply to this transfer;
- the UK GDPR does not apply to the importer of the data – usually because they are located outside the UK (which may be in the EU, the EEA or elsewhere).
If your restricted transfer is not to the EEA, you should proceed as you would have before Brexit.
- You will be able to make a restricted transfer if it is covered by new UK adequacy regulations. Adequacy regulations confirm that a country, territory or international organisation has an adequate data protection regime.
- The UK government intends to recognise the EU adequacy decisions made by the European Commission before the exit date. This will allow restricted transfers to continue to those covered by a decision.
- You will be able to continue to transfer personal data to US organisations participating in the Privacy Shield if they have updated their public commitment to comply so that it applies to transfers of personal data from the UK.
- It is hoped that by the end of the transition period, the EU will have reached a decision on adequacy.
- If there is no adequacy decision which covers your transfer, you should consider putting in place an appropriate safeguard.
- Most commonly we rely on the use of standard contractual clauses. The UK government intends to recognise EC-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK.