There is a new headache on the horizon: how will you manage your data protection compliance if the UK leaves the EU with 'no deal'?
If the Brexit negotiations end without a deal in place, there will be particular concerns for Higher Education Institutions:
- There is great uncertainty on continued participation in Horizon 2020 and Erasmus+
- The ability of research partners to share information across EU institutions is in question
- There will be no certainty on mobility of students and access to EU programmes
- The continued mutual recognition of professional qualifications covered by the current EU rules is in question
The good news is that the GDPR and the UK's Data Protection Act 2018 will remain. The government has confirmed that UK institutions will still be able to transfer personal data to the EEA without further measures. However, for HEIs that receive personal data from partners within the EEA, additional safeguards will need to be put in place.
We set out below possible solutions to ensure you remain compliant when transferring personal data.
An Assessment of Adequacy from the EU
An 'assessment of adequacy' is a formal decision by the European Commission confirming that a non-EEA country's data protection measures are equivalent to the EU's. If it is granted, HEIs can allow personal data to flow between these countries without additional measures.
It remains to be seen whether the UK will be added to the list of countries with adequate protection, as no assessment will start until the UK has left the EU. However, given that the UK adopted the EU's GDPR, it would seem logical for this to happen.
Standard Contractual Clauses
The most likely answer in the short term will be to enter into standard contractual clauses between the EU and UK entities. The EU standard contractual clauses provide organisations with a set of contractual terms and conditions which ensure that organisations take sufficient steps to meet their data protection obligations, in line with the GDPR.
The clauses can supplement current agreements. However, parties are not able to negotiate or redraft the provisions (other than minor presentational amendments).
Other Implications of Brexit on Data Protection
If you offer goods or services to data subjects in the EEA or you monitor their behaviour, then you will need to appoint a representative in the EEA. This does not apply to public authorities or if the processing falls below a certain threshold. Of particular note is the possible intention that a representative will be liable for non-compliance on the part of the appointing organisation.
HEIs will also need to ensure that their documents are updated to reflect the post-Brexit position.