Steven Roberts is head of marketing for Griffith College. A certified data protection officer and Fellow of the Chartered Institute of Marketing, he writes on strategy, marketing and data protection.
The opinions expressed are the author’s own. They are not intended as a substitute for seeking professional legal advice.
Third level institutions have undertaken substantial work over the past 15 months to ensure compliance with the General Data Protection Regulation (GDPR), following its introduction in May of last year.
During that time, public awareness of data protection and consumer privacy has risen substantially. The recent annual report from the Data Protection Commission bears this out. A total of 4,740 valid data breaches were notified to the DPC in 2018, a year-on-year increase of 70%.
In addition, the Commission received 4,113 complaints in 2018, representing a 56% increase on the previous year.
Brexit now poses further challenges for Irish schools, colleges and universities. For example, some may currently outsource their HR, IT or payroll functions to UK based organisations. Others may transfer student data as part of educational agreements with partner institutions in Britain.
Brexit will affect all of these arrangements. In this article, I look at some of the data protection implications of Britain’s exit from the EU, and the steps institutions can take to ensure they remain GDPR compliant.
A number of potential scenarios
One of the most difficult aspects of Brexit is the level of uncertainty it presents; a range of scenarios remain plausible. These include at least three possible outcomes, namely:
1. A ‘no deal’ Brexit, whereby the UK exits the EU without an agreement on 31st October 2019;
2. A deal is agreed between the UK and EU, with an orderly transition period;
3. Another extension to the deadline is agreed and Britain’s exit is delayed for a further period.
It is difficult for management and executive teams to prepare fully as each scenario presents its own set of data protection challenges. A ‘no deal’ Brexit is undoubtedly the least favourable outcome. This would mean Britain immediately acquires the status of a ‘third country’ under GDPR. It would then have to seek an ‘adequacy decision’ from the EU.
This is where the European Commission decides a country meets adequate levels of data protection. Such decisions are in place with a number of countries, with Japan a recent example.
However, it is unlikely to provide a quick solution. Data privacy experts estimate the process could take up to 18 months.
In the latter two scenarios, a deal with an orderly transition or a further delay for an unspecified period, the current status quo would essentially continue during that time, with Britain continuing to adhere to GDPR. The complication is that the timelines for completing compliance preparations would differ between the two.
Transfers of personal data to the UK
Institutions sending personal data to the UK will need to review existing transfer arrangements to ensure these remain GDPR compliant. Standard Contractual Clauses present one of the simplest solutions.
These are model data protection clauses approved by the EU. When embedded in a legally binding contract, they allow for the free flow of personal data.
The EU is currently developing other mechanisms as part of GDPR. This includes codes of conduct and certification schemes. However, both are still under development and are not an immediate option to consider.
Binding Corporate Rules (BCRs) are listed as another alternative under GDPR; however, they apply only to businesses with a presence in multiple countries, typically multinationals. As such, they will not be relevant for the vast majority of educational bodies.
Derogations exist under GDPR, and could provide a short-term option in the event of a no-deal Brexit. There are six possible derogations to consider:
If explicit consent has been obtained from the data subject to carry out the transfer of data;
If it is required for completion or performance of a contract;
If it is in the public interest;
If a legal obligation exists;
If it is in the vital interest of the data subject;
If the institution can claim a legitimate business interest.
These come with some limitations. The European Data Protection Board advises that derogations must be ‘interpreted restrictively’ and used mainly for activities that are ‘occasional and non-repetitive’.
The UK has advised it will transpose existing GDPR requirements into new laws, once Brexit has taken effect. While this will assist institutions in Britain sending personal data outward to the EU, it will not affect the EU’s designation of the UK as a third country.
Institutions must notify students, employees and suppliers if their data is being transferred outside the EU. As part of this process, privacy policies and statements should also be updated.
In spite of recent announcements from the new prime minister, Boris Johnson, there remains a continued lack of clarity as to whether and when Britain will leave the EU.
Institutions must ensure that post-Brexit GDPR compliance remains a priority issue over the coming months.
The education sector needs to use the time between now and 31st October to ensure that adequate preparations are put in place to cater for each of the three potential scenarios outlined.
There are increased levels of consumer awareness around data privacy and we are also now seeing the first large fines across Europe for GDPR breaches. It is easy to succumb to Brexit fatigue.
However, schools, colleges and universities that fail to have adequate safeguards in place risk the reputational and financial consequences of non-compliance.