The UK formally left the European Union on December 31st 2020. You probably have questions regarding your data and how this will be affected by Brexit.
Take a look below for some answers:
How does Brexit Affect Data Transfers?
When the UK ceases to be a part of the EU, it will be considered a third country under GDPR. Under GDPR, data controllers and processors can only transfer data to a third country if the EU has deemed such country’s laws to provide an adequate level of protection if there are appropriate safeguards in place. To date, the deal has not included this 'adequacy decision'. However, transfers of personal data from the UK to the EU (and from the UK to other jurisdictions recognised by the EU as having adequate data protection) will continue to be permitted by the UK for a maximum 'grace period' of six months, without requiring additional measures by your organisation.
This statement from the ICO explains further.
What Does That Mean?
Data transfers from UK organisations to EU organisations will not be affected for now. Since the data protection laws in the UK and EU are so aligned, the UK government will continue to allow the free flow of data from the UK to the EU.
Data transfers from EU organisations to UK organisations will need appropriate safeguards, like Standard Contract Clauses (SCCs). Organisations in Europe (in the EEA) sending personal data to an organisation in the UK must comply with GDPR rules on international transfers of personal data. The EU’s (SCCs) are one of a few safeguards that you can use to comply, and the easiest and most expedient to use.
Blackbaud Europe is a UK entity, so we’re making SCCs available here to all our customers located in the EU. This is a form contract drafted by the European Commission for data transfers from controllers in the EU to processors outside the EU. It will allow EU customers to continue to send personal data to Blackbaud after a no-deal Brexit, in compliance with GDPR.
What Do I Need to Do?
Review your organisation’s data flows and follow your supervisory authority’s guidance (ICO’s is here and the European Data Protection Board’s is here). If you are an EU customer, you can enter into SCCs with Blackbaud Europe to ensure that data transfer to us will not be restricted.
What if I’m Hosted in the EU?
The only data transfers that will be restricted in the wake of Brexit are from organisations in the EU sending personal data to an organisation in the UK, if SCCs aren’t in place. Blackbaud hosts our EU and UK customers in data centres in the EU, but the hosting providers we contract with are actually US organisations — like Microsoft Corporation — with physical locations in the EU. We have data protection agreements, including SCCs, in place with our hosting providers. We don’t believe that our use of subprocessors established in the US, even though the data is technically stored in the EU, will be a restricted transfer in the event of a no-deal Brexit.
We are taking every step to ensure our processes are in good shape for whatever happens next, and your organisation should too.
If you have any further questions, we are happy to explain further. Please get in touch at firstname.lastname@example.org