As you can’t have failed to notice, the UK is currently experiencing something of a politically uncertain time.
At present, the country is expected to leave the EU on 31st October with or without a deal. Regardless of any personal views on the matter, it’s a scenario that your non-profit organisation needs to be prepared for.
You probably have many questions regarding your data and how this will be affected by Brexit.
Take a look below for some answers:
How will a No-Deal Brexit Affect Data Transfers?
When the UK ceases to be a part of the EU, it will be considered a third country under GDPR. Under GDPR, data controllers and processors can only transfer data to a third country if the EU has deemed that country’s laws to provide an adequate level of protection (an “adequacy decision”), if there are appropriate safeguards in place, or if there are extenuating circumstances. If the UK leaves the EU without a deal, and the EU has not adopted an adequacy decision, then your organisation might need to put appropriate safeguards in place.
What Does That Mean?
Data transfers from UK organisations to EU organisations will not be affected. Since the data protection laws in the UK and EU are so aligned, the UK government will continue to allow the free flow of data from the UK to the EU.
Data transfers from EU organisations to UK organisations will need appropriate safeguards, like Standard Contractual Clauses (SCCs). Organisations in Europe (in the EEA) sending personal data to an organisation in the UK must comply with GDPR rules on international transfers of personal data. The EU’s SCCs are one of a few safeguards that you can use to comply, and the easiest and most expedient to use.
Data transfers from UK organisations to the US will not be affected. UK organisations will continue to be able to transfer personal data to US organisations participating in the Privacy Shield.
What Is Blackbaud Europe Doing to Prepare?
- We’ve reviewed our data flows to identify where we transfer data to and from the UK and EU.
- We’re updating our Privacy Shield notices for our US entities to expressly state that our Privacy Shield commitments apply to transfers of personal data from the UK.
Blackbaud Europe is a UK entity, so we’re making SCCs available to all our customers located in the EU. This is a form contract drafted by the European Commission for data transfers from controllers in the EU to processors outside the EU. It will allow EU customers to continue to send personal data to Blackbaud after a no-deal Brexit, in compliance with GDPR.
What Do I Need to Do?
Review your organisation’s data flows and follow your supervisory authority’s guidance (the ICO’s and the European Data Protection Board’s). If you are an EU customer, you can enter into SCCs with Blackbaud Europe to ensure that data transfer to us will not be restricted.
What if I’m Hosted in the EU?
The only data transfers that will be restricted in the wake of a no-deal Brexit are from organisations in the EU sending personal data to an organisation in the UK, if SCCs aren’t in place. Blackbaud hosts our EU and UK customers in data centres in the EU, but the hosting providers we contract with are actually US organisations — like Microsoft Corporation — with physical locations in the EU. We have data protection agreements, including SCCs, in place with our hosting providers. We don’t believe that our use of subprocessors established in the US, even though the data is technically stored in the EU, will be a restricted transfer in the event of a no-deal Brexit.
We are taking every step to ensure our processes are in good shape for whatever happens, and your organisation should too.
If you have any further questions, we are happy to explain further. Please get in touch at firstname.lastname@example.org