Deal or no deal and the impact on GDPR for schools.
The General Data Protection Regulation (GDPR) is a European regulation, which means it is the law in all EU member states and also applies to European Economic Area (EEA) states. Currently, personal data can move freely between the UK, the EU, the EEA and Switzerland. In the event of a deal with the EU, there is likely to be a withdrawal agreement providing a transition period. During this transition period the GDPR will continue to apply in the UK and schools won’t need to take any immediate action. At the end of the transition period, unless changes are made during it, the default position would be the same as for a no-deal Brexit.
If the UK leaves the EU with a withdrawal agreement in place, then there will be a transition period and schools will not have any immediate action to take. (This also means you have a breathing space!)
However, if the UK leaves the EU without an agreement in place, the UK becomes a third country in data protection terms, as it will be outside the EU. In this scenario the EU GDPR will no longer be the law in the UK, so schools will need to be prepared by the exit date. (There is no breathing space in this scenario, I’m afraid!)
According to the Information Commissioner's Office (ICO), the UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the ‘UK GDPR’), which will sit alongside an amended version of the Data Protection Act 2018.
Preparing for a no-deal Brexit affects many schools around the world, not just those based in the UK. Next we’re going to explore the six key areas that schools should consider:
Data Flows
Data Processors and Contracts
Privacy Notices
Adequacy
Privacy Shield and the UK
Policies and Procedures
Now let’s take a look at the impact of a no-deal Brexit on each of the above key areas and the actions schools will need to take.
DATA FLOWS
Have you mapped out where your school's data is currently being transferred (your data flows)? If you haven’t already, you should, as this is a key part of evidencing sufficient measures for GDPR compliance.
Take a quick look below at the different data flow scenarios and the action you may be required to take:
UK to EEA - The UK government has confirmed that transfers will still be allowed, with no additional safeguards required.
UK to International - With adequacy (covered in more detail shortly), no additional requirements are necessary. Without adequacy, you should have appropriate safeguards in place.
International to UK - Safeguards should already be in place, therefore no action is required.
EEA to UK - The school should check its current agreements with UK processors.
DATA PROCESSORS AND CONTRACTS
The final bullet point in the list above brings us to another key question: do your contracts with third-party suppliers include data protection clauses? Check your current contracts to see whether they contain data protection clauses or EU/UK-approved Standard Contractual Clauses (SCCs).
This will help you identify which of your third-party suppliers will need to update their own policies before you can be satisfied that the suppliers and contractors your school works with are compliant. These could include management information systems (MISs), payment gateways, automation platforms including marketing and communication platforms, and medical and sports systems, to name a few! The ICO also has approved Standard Contractual Clauses (SCCs) which can be used by UK schools.
PRIVACY NOTICES
If the UK leaves the EU, all schools, including UK schools, should check the terminology used in their privacy notices, as it will need to change and you may need to refer to the Data Protection Act 2018. However, the information required in your privacy notice is unlikely to change. You may need to (a) review your privacy notice to reflect changes to transfers, and (b) review references to your lawful bases or conditions for processing if any refer to ‘Union law’, e.g. GDPR, or to other terminology changed in the UK GDPR.
ADEQUACY
Adequacy (mentioned in my earlier point about data transfers) is the term given to countries outside the EU whose data protection measures are deemed essentially equivalent to European standards. Companies, organisations and schools operating in countries with adequacy agreements enjoy an uninterrupted flow of personal data with the EU!
However, as the UK is currently part of the EU, it has not been necessary for the UK to obtain adequacy. In turn, when the UK leaves the EU it will not automatically obtain adequacy and will be classed as a third country; any assessment of adequacy can only take place once the UK has left the EU. Stay tuned, as this process can take years!
Until an adequacy decision is agreed, schools and businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.
PRIVACY SHIELD AND THE UK
This key area only affects UK schools that transfer data to the US. The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce together with the European Commission and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
If your school is working with a provider that is certified under the Privacy Shield, you will need to ensure that the provider has updated its privacy policies to include UK-US transfers. It’s a small but important update that schools rely on to demonstrate a provider's commitment to comply with the Privacy Shield. You can usually confirm this simply by checking the US Privacy Shield framework.
POLICIES AND PROCEDURES
The final area that we’ll cover is policies and procedures. The good news is that the information required in your record of processing activities is unlikely to change. However, you may need to review it to reflect changes regarding transfers from the EU to the UK. If you have chosen to record the lawful basis or conditions for any of your processing, you need to review any references to ‘Union law’ or other terminology changed in the UK GDPR. Existing assessments may need to be reviewed in the light of the UK GDPR; for example, if they cover international data flows that on exit date become restricted transfers.
When you review your Data Protection Impact Assessments (DPIAs), take the time to check where the processing takes place or where data is transferred to, as you may need to update your documentation.
At 9ine, we completely understand the various roles and responsibilities that data protection officers (DPOs), IT managers and school leaders are expected to carry out, as many of us have also held these roles in schools. We also understand that when it comes to compliance, the wellbeing of students and staff is at stake. This is why we think it’s imperative that schools stay up to date with policy changes that affect the way schools process and transfer data.
Taking measures now to prepare your school for Brexit will help you organise your time, avoid a harmful data breach and keep your school working towards compliance. Remember, these small steps will ultimately help you to protect your school’s reputation. Setting some time aside now to review the six key points we’ve discussed means you’ll be in good shape for when the UK leaves the EU. If and when it happens!
ABOUT THE AUTHOR:
Judith Downing, Senior Data Protection Consultant, has almost 20 years of experience working in the field of data protection and has a BCS Practitioner Certificate in Data Protection and is also a certified GDPR practitioner. She currently advises schools in the UK, Europe and internationally on all aspects of data protection compliance either through our service desk or on-site audits.