Among the political turmoil as we approach the deadline of the 31st October for leaving the European Union, data protection is now being mentioned. Some schools have received guidance about actions that may need to be taken.
The essentials of the situation are these. Despite us having gone to considerable effort to implement GDPR and to enshrine it within UK law, in the event of a No-Deal Brexit, the UK will not be considered an acceptable country for storing personal data about EU citizens under the GDPR.
It would have been expected that a Brexit deal would have included this ‘Adequacy’ decision.
The question is about the how the GDPR regulates International Transfer of information. It applies when an organisation inside the European Economic Area (EEA) sends data to an organisation in the UK. It does not apply when the data is being provided directly by the data subject themselves.
So, for example if a school in France is providing information about a group of students coming on an exchange trip then this would be a transfer between two data controllers. In contrast, if a student from France registers to attend a college in the UK, that would not count as an international transfer.
What needs to be done?
If we have a No-Deal Brexit you need to consider if a data controller in an EEA country is transferring personal data to you. Examples might be getting funding information about international students or receiving references about members of staff from organisational in the EEA.
The Information Commissioners Office has provided a handy tool to create a contract between controllers to enable this transfer to continue. You can find the tool here and you should definitely consult your data protection officer, who can provide more details.
If you would like further information on GDPR, and how it may affect your education facility, please contact us via our contact form or call 0113 804 2035.