After years of negotiation, the UK finally left the EU on 1 January 2021, but many organisations are no closer to understanding the data protection ramifications of Brexit.
Schools with close ties to the EU may have to make major changes to the way they process personal data.
Which schools’ data protection requirements are affected by Brexit?
- Those that recruit students from the EU
- Those that appoint staff who are EU residents, such as foreign language teachers
Which schools’ data protection requirements are not affected by Brexit?
Crucially, schools that use EU-based service providers – such as Cloud software – aren’t affected by Brexit. That’s because the UK has ruled that personal data can flow from the UK and into the EU without restrictions. It’s only EU residents’ personal data that is affected.
If you’re among those unsure of your compliance requirements, we are here to help. In this blog, we explain what you need to know about Brexit and EU data transfers.
What does the GDPR say about data transfers?
Although the GDPR (General Data Protection Regulation) has been in effect for some time, its rules were up in the air throughout the Brexit negotiation process, and they still haven’t been finalised.
Until 30 April 2021, EU residents’ personal data can be transferred without any restrictions. In other words, schools and other organisations don’t currently need to do anything differently.
This deadline will be automatically extended until 30 June 2021 unless either party objects or an adequacy decision is reached.
An adequacy decision is an EU ruling that states that a third country’s legal framework provides appropriate levels of data protection.
Countries that receive an adequacy ruling are permitted to transfer personal data into and out of the EEA (EU member states, plus Iceland, Liechtenstein and Norway) freely.
If an adequacy decision isn’t reached, organisations must use one of the appropriate safeguards for data transfers listed in the GDPR.
For schools, this will mean creating SCCs (standard contractual clauses). The European Commission has so far issued two sets of SCCs for data transfers between data controllers, and one set for data transfers between data controllers and data processors.
Meanwhile, the UK has already granted an adequacy decision to data transfers to the EU. As such, there are no additional requirements when you export personal information to an organisation based in one of the remaining 27 member states.
This includes the use of third-party software that is held in the EU, such as a Cloud service provider.
Review the need for an EU representative
The GDPR states that, with the exception of public bodies, all organisations must establish an EU representative if they monitor the behaviour of, or offer goods or services to, EU residents.
Schools aren’t considered public bodies, so this requirement applies to maintained schools, academies and independent schools alike.
As the name suggests, an EU representative is someone based in the EU who works on behalf of an organisation in a third country.
In the case of organisations based in the UK, this primarily involves serving as the point of contact between the organisation, the supervisory authorities and data subjects.
They’ll do this by:
- Responding to any queries the supervisory authorities or data subjects have concerning data processing;
- Maintaining records of the organisation’s data processing activities; and
- Making data processing records accessible to your supervisory authority.
Most processing activities won’t meet these criteria, because the requirement applies only to regular, high-risk transfers or to the large-scale use of special category or criminal offence data.
So, for example, if you have a handful of students whose parents are based in the EU, this is not enough to trigger the requirement to appoint an EU representative.
However, educational institutes may need a representative if they run an open day or advertising campaign targeting prospective students in the EU.
If you’re unsure whether you need to appoint an EU representative, it’s worth consulting your DPO (data protection officer) or discussing it with a legal expert.
Identifying your lead supervisory authority
An organisation’s LSA (lead supervisory authority) is the public body responsible for overseeing its data protection compliance.
The UK’s data protection authority is the ICO (Information Commissioner’s Office) – but you can no longer use them for issues relating to EU data transfers, because the UK is no longer an EU member state.
If you process EU residents’ personal data, you must therefore identify the EU data protection body that is most appropriate to your organisation.
Most countries have a single watchdog (except for Germany, which has one for each of its 16 states as well as a federal one), so selecting an LSA is generally a case of determining which country most of your EU pupils or staff reside in and identifying its supervisory authority.
So, for example, if you mostly process Spanish residents’ personal data, your LSA should be the Spanish Data Protection Authority. Fortunately, there’s not necessarily an incorrect option for choosing an LSA; you should instead use your judgement and justify your choice.
Once you’ve selected your LSA, you must determine whether any specific actions are required. You may well be required to register and pay a fee.
You should also review any differences in the way your new LSA approaches GDPR compliance and adjust your practices accordingly.
For example, the Regulation gives supervisory authorities the option to adjust the age at which someone is no longer a minor, and to interpret its rules as they see fit.
Manage your school or college’s GDPR with GDPR.co.uk
You can simplify your data protection compliance requirements with the help of our GDPR compliance platform.
Developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, the platform gives us the knowledge and tools to help educational institutes of all sizes achieve GDPR compliance.
Sign up today to receive a seven-day free trial or contact us to discuss your needs.