Brexit and Data Protection - What Do Universities Need to Do Now?

on Monday, 11 January 2021.

One of the biggest mysteries (for data protection lawyers at least) was what would happen to personal data transfers from the EEA to the UK after we left the EU. What does the Brexit deal mean for data protection compliance?

UK-to-EEA Transfers

The ability for universities and other UK organisations to send personal data to the EEA without needing additional safeguards has not changed. This means that, unless the UK changes its new domestic data protection laws, those transfers can continue as they are now.

End of the 'One Stop Shop'

When part of the EU, UK organisations benefitted from the 'one stop shop' arrangements, which meant that if your processing affected individuals in more than one state, you only had to deal with one regulator. As of 1 January 2021, the UK no longer benefits from this, although negotiations are still underway to allow the UK to potentially benefit in the future. In the meantime, UK organisations will not be able to use this mechanism until further notice.

An Extension Period for EEA-to-UK Transfers

One of the biggest uncertainties in data protection terms was how transfers of personal data from the EEA to the UK would be treated post-Brexit. As of 1 January 2021, the UK is effectively a 'third country' in data protection terms, meaning that transfers in from the EEA would require additional safeguards under the GDPR.

The deal as agreed gives a further six-month extension for data flows, meaning for the moment there will be no change to how data flows into the UK from the EEA.

This extension is to allow time for the EU to debate whether the UK will receive an adequacy decision. Such a decision is a declaration that the UK's law provides adequate safeguards for personal data and so no additional actions are required when transferring data into the UK.

The extension is dependent upon the UK not making any changes to the new data protection regime without the approval of the EU. If that happens, the extension period ends, and EEA nations will have to put in place additional safeguards in order to lawfully transfer personal data to the UK.

There is also a four-month 'break clause' meaning that the extension period will last for four months, with an automatic addition of a further two months unless the UK or the EU want the period to end after the four months.

What Do Universities Need to Do in Respect of EEA to UK Transfers?

For the moment - sit tight. Unless the UK makes changes to its new UK GDPR and/or the Data Protection Act 2018 without EU approval, no additional action is required until at least the end of April.

If, either at the end of April or at the end of June, there is no adequacy decision, then any EEA-based organisation sending personal data to the UK will have to consider the use of additional safeguards. The most practical in most cases will be the Standard Contractual Clauses, although each organisation will also have to consider whether other, additional, mechanisms need to be in place to safeguard data if the UK is not considered "safe". What that will look like depends upon the type of data being transferred, but it is likely that there will be additional guidance on this before then.

What Should You Do Now?

If you receive personal data from the EEA, nothing will change for the moment, but be prepared for additional contracts/steps if there is no adequacy decision in the next four to six months.

If you have any questions about your data protection obligations following the end of the Brexit transition period, please contact Vicki Bowles on vbowles@vwv.co.uk or 0117 314 5672.
