Brexit and the EU Referendum
General Data Protection Regulations (GDPR)
The EU General Data Protection Regulations were accepted into UK law in 2018 as the UK Data Protection Act. Should the Data Protection Act be amended, we would need to ensure our organisational practices mirror those of the GDPR, so that we can continue with international transfers of data, contracts with suppliers or any use of EEA businesses or services.
What have we done?
We have provided, and continue to provide, information to staff with the aim of ensuring a continued seamless flow of data to and from the EU and EEA.
We are asking staff to be aware of relevant data flows (i.e. where data is being transferred from and to partners in the EEA). Staff should be aware of the location and nature of the partners or third parties we are working with and whether any of these are based in the EEA. They will need to consider whether we have a legal basis and a contractually binding agreement governing the transfer of data. Finally, staff should demonstrate compliance with the current GDPR in how a project or initiative is run, to help reassure partners that our data processing is safe.
Where can I get support?
Should I be concerned about the impact of Brexit on the data I use?
You will need to address this issue in circumstances where:
- You send personal data outside the UK
- You receive data from the EEA
- You receive data from countries deemed to have adequate data protection laws by the EU
Will I be able to work with other bodies in the EEA on research projects involving data sharing?
In order to work with other bodies in the EEA, you will need to reassure them that any data managed here is handled in compliance with the GDPR. Adopting compliant practices and being able to demonstrate compliance is key.
How can I make a compliant transfer of data?
We assume that the UK will not be granted an Adequacy Decision (a situation where the EU considers our data protection practices equivalent to GDPR) before the date of UK exit from the EU. In order to be compliant, you will therefore need to have an appropriate safeguard for the data transfer (such as Standard Contractual Clauses, or Administrative Arrangements) or contact Information Assurance Services to discuss using a relevant exception allowed under the GDPR.
What does this mean for any contracts I may have involving parties in the EEA?
It means that you will have to review your data flows to identify what data is being transferred, the sender and the recipient, and to determine whether your contract needs to be amended so that your data flows under the contract can continue after the UK exits the EU.
If the University is GDPR compliant, why do we need to take extra steps post-Brexit in relation to data protection?
Once outside the EU, we are no longer automatically viewed as a ‘safe’ country in terms of data processing; we therefore need to take additional steps to demonstrate that our practices are compliant.