Brexit may prevent EU online processing
It is hard to avoid the news about whether there will be a ‘Deal’, ‘No Deal’ or a Hard Brexit.
Education will be affected and, as a result, the DfE has published advice to prepare schools for each eventuality. This covers teacher qualifications, travel, pensions, university places, and many other areas where data is processed in the EU.
The DfE data protection page points to the Department for Digital, Culture, Media & Sport advice, and the ICO guidance. Since it is mandatory to make Privacy Notices clear for everyone to understand, their advice is a little sparse.
Some companies which process data and offer services *under your instruction* are taking a risk-averse approach to it all. Some US firms have discontinued their services within the EU due to GDPR. What they really mean is that they cannot change their software or business model to adequately protect you or give you more control and ownership of your data.
A recent article by Forbes explains that if a Brexit deal is not struck, many U.K.-based citizens and businesses won’t be able to access data held in an EU-based cloud. This will impact schools using software and apps where the data is hosted in an EU-based cloud. There could be a period of time where the processing of data between the EU and the UK cannot take place. Whilst agreements can be put in place, there simply wouldn’t be enough time to do so in the event of a ‘No deal’ outcome.
In the article by Forbes, Clive Halperin, a partner at London law firm, GSC Solicitors LLP, and a specialist in data protection, technology, and internet law, explained: “In theory, legislation could make it possible to easily transfer data to a Third Country, which is what the U.K. will become.”
It is not all doom and gloom though!
The ICO points out that there are already many areas where agreements have been discussed and published. If you are sending data outside of the EEA then arrangements are in place. Standard Contractual Clauses and adequacy decisions such as Privacy Shield with US-based companies can be used. Where an adequacy decision exists, the UK Government have said it “intends to recognise the EU adequacy decisions which have been made by the European Commission prior to the exit date. This will allow restricted transfers to continue to be made to most organisations, countries, territories or sectors covered by an EU adequacy decision.”
But what about the EU?
The UK government has stated that, on the UK’s exit from the EU, transfers of data from the UK to the EEA will be permitted. It says it will keep this under review.
So what is the risk then?
Companies that are part of Privacy Shield need to update their commitments. Those companies outside of the EEA but where there are adequacy decisions (e.g. based in Canada, New Zealand) *should* be ok, but we are waiting for ICO / UK.gov confirmation.
Companies outside of the EEA and where there is no adequacy decision need to have other appropriate safeguards in place, such as Standard Contractual Clauses. Finally, where the data is within the EEA, but not the UK, the UK Government has said it will recognise EEA countries as having an adequate level of data protection.
Risks occur where companies close their doors to UK data processing as they believe incorrect processes are in place.
What should schools be doing?
This is worrying for many schools and, although we are told that it *should* be ok, we know we have to plan for the worst-case scenario.
Schools should check:
- contracts or terms with providers
- if any sub-processors based outside the UK are used
- they know to notify you of any changes to data processing agreements or contracts that may be affected as a result of a Hard Brexit
- if the cloud service is mission critical, and if so, what plans are in place in the event of something going wrong under a Hard Brexit
- your school’s Business Continuity / Disaster Recovery plan
MOST IMPORTANT – DON’T PANIC
…and don’t sign for extra services or deals as a result!
There is the hope amongst the Data Protection, Information Security and Privacy communities that there will be additional advice from the ICO and others as the deadline gets nearer.
In summary, if we do find ourselves in a ‘No deal’ or ‘Hard Brexit’ scenario, there could be a period of time where the processing of data between the EU and the UK cannot take place. The EU provider will be subject to the GDPR and, because the UK is no longer a member of the EU, there may be restrictions placed upon the EU provider.