At Data Protection Education, we are currently working on contacting all school suppliers with the aim of receiving all of their privacy policies and data agreements to ensure they are being GDPR compliant.
With that being said, an article from The Business Desk regarding the potential changes to data flow between the UK and EU as a result of Brexit stood out to me, as many of you will have suppliers outside of the UK, and therefore may be impacted by any changes to data flow regulations. After Brexit, there was a real concern that there would be changes to how data is allowed to flow between the UK and EU, which would create a difficult process for those involved. The decision on whether there would be any changes would be based on whether the EU deemed the UK’s current flow of data processes adequate or not.
It has thankfully now been decided though that the UK is an adequate country for data flow, and therefore data can flow freely between the UK and EU as it has been so far. This means that any processes currently in place with suppliers outside of the UK and in the EU can remain how they are. Despite this decision, there have been challenges to it being adopted. For example MEP’s have expressed their concern for how the UK would use data in the future and. Have urged for regulations to be imposed to restrict future use of data for certain uses. There is also a general mistrust of how each party’s residents’ data will be used by the other. The recent case of Schrems II in 2020 is a good illustration of how different countries are wary of data storage in non EU countries. If you wish to read more about Schrems II and its possible impacts, particularly in cloud data storage and any potential future impacts the decision may have, you can visit https://dis-blog.thalesgroup.com/security/2021/04/29/what-is-schrems-ii-and-how-does-it-affect-your-data-protection-in-2021/ for a good summary of the case.
After the United Kingdom left the European Union, EU laws relating to Data Protection (GDPR) were no longer applicable to UK law. However, with the large push of GDPR compliance in 2018 with the Data Protection Act, the Act has incorporated GDPR, meaning it still applies post Brexit. As a result of the agreement the UK has made with Brussels, there will be no major changes in how data flows between the two, meaning that you shouldn’t notice any changes when continuing to send data to suppliers who operate in the EU under existing partnerships, or when contracting with new ones.
Something to look out for over the coming months however is the outcome of The International Commissioner’s Office’s decision to come up with its own bespoke UK standard contractual clauses for international data transfers, which it announced in May 2021. A quote from the ICO’s deputy commissioner Steve Wood outlines the ICO’s planned creation of UK standard clauses:
“I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer.”
So to summarise what this means for your school now, as well as going forward in terms of sending data to the EU (no matter what form that may take); you should notice little to no changes in how you send data to suppliers due to the UK’s agreement with the EU, and Brussels’ ruling that the UK is an adequate country for data sharing. However it would still be beneficial to look out for the ICO’s progression relating to the creation of UK standard clauses for international data transfers over the coming months on their website, as this could impact the way you share data with suppliers, as well as the potential changes to future contractual agreements with them.