The end of 2020 was monumental in terms of the UK exiting the EU, with Christmas Eve seeing an agreement deal following 10 months of negotiation and then New Year’s Eve marking the end of the transition period. With the UK adopting UK GDPR (which is essentially the same as the EU version) you’d be forgiven for thinking that there’s nothing else to discuss when it comes to data protection and Brexit. But the real issue now, even if you’re a housing association that doesn’t do business in Europe, is data transfer between these two states. Here Clare Paterson of CP Data Protection talks us through the implications of Brexit and why you need to have conversations now so you don’t get caught out later.
“A lot of people are asking me at the moment whether my clients are heavily focused on Brexit, but to be honest they’re not. On the whole governance teams are so focused on firefighting that it’s only on the periphery of their current concerns. But it’s definitely one to watch as Brexit certainly has the potential to make things tricky when it comes to data transfer between the EU and the UK.
If you’re in the EU, you’re subject to EU GDPR and those rules say you cannot send information outside of the EU unless certain criteria are met. Now, strictly speaking the UK doesn’t currently meet those criteria and one reason for this is that our Government is still seeking an adequacy decision. Adequacy decisions, already secured by the likes of Canada, Switzerland, New Zealand and others, are where the European Commission determines whether a country has an adequate level of data protection, enabling personal data to be transferred lawfully.
Now there’s no need to panic just yet. As part of the 2020 agreement a four to six month grace period has been applied, so that all data transfer within that timeframe should be treated the same as pre-Brexit. But that’s not preventing some doubts being raised about the long term positon by the data protection community. There’s a chance that data transfer could become a sticking point in the near future.
So what has this got to do with housing associations who only own and manage homes in the UK?
“The main way this will affect housing associations is if they use software providers who store their data in servers that are physically based in the EU. So for example, your housing management software servers are located in France. As a customer’s details are entered onto the housing management system by one of your colleagues, it’ll ping over to France – which is absolutely OK as the UK have essentially approved the EU. But then when you want to run a report or read that information again it’s pinging back from France to the UK. So the housing management system providers should be questioning whether they should send that data to the UK, even though it’s your data in the first place. So you can start to see how it may get sticky.
If the UK doesn’t secure an adequacy decision, European companies transferring personal data to the UK could and should introduce Standard Contract Clauses (SCCs), but they only work if the organisation sending the data is the Data Controller and in this example they’re a Processor.
With this in mind there’s been talk of altering contracts and making Processors Controllers, but this feels like a very confusing scenario that could be legally challenged. Their other options are to withdraw their services from the UK or they could purchase server space in the UK to use with their UK clients.
What should Housing Associations be doing just now?
Until this gets ironed out there’s one really important thing housing associations can be doing to prepare and that’s to understand where your data is held. It’s important to be having those conversations with your software providers now, but theoretically this could equally apply to archived document boxes that might be stored in the EU. Once you’ve done your research, undertake a risk assessment based on these conversations to understand your options.
There’s no scheduled date for the adequacy decision, but it won’t be before April and it won’t be any later than June 2021 so for now we wait and see, but my advice would be to get ahead and get prepared. Assess the risks you’d be facing if we don’t get an adequacy decision, and have a plan B in hand if the risk assessment suggests you need one. Let us know if we can help with your assessment or planning.”
Clare Paterson has over 20 years of experience in quality assurance and risk management, including around nine years specialising in data protection for a major housing association. Focusing on providing advice to the third sector, Clare launched CP Data Protection with one clear objective – to offer businesses accessible, real world advice and training on data protection issues. For more information visit https://cpdataprotection.com/ or you can directly book some time with Clare here https://cpdataprotection.com/consultancy/