GDPR: What about the effects of Brexit on the British-European VISTA project. Info and advice
The UK’s exit from the European Union has happened and we now need to adapt and take the necessary steps to facilitate the continuation of cross-Channel collaboration.
One major issue concerns the management, hosting, storage and sharing of personal data, i.e. all information that can identify a person, such as name, IP address or bank details, etc. For the VISTA project, this is the data communicated by our newsletter subscribers or by people wishing to register to use the Visitor Intelligence Dashboard.
Some aspects of the data protection regulations remain vague. However, according to the ICO, “the UK GDPR is replacing the existing EU GDPR on 31st December 2020 at 11pm” and “all the main principles, obligations and rights remain in place”. The UK government has confirmed that UK organisations will be able to rely on the same mechanisms as under the EU GDPR.
However, we are still awaiting a decision on the UK’s “adequacy assessment” and have a period of 6 months before the European Commission decides whether or not to accept the UK’s data protection laws.
For VISTA, as a cross-Channel project, the best option is to store the personal data of our project in the EU during this period of uncertainty. Sites signing up to the Visitor Intelligence Dashboard will have their data stored on Amazon Web Services, based in France, rather than in the UK.
What about data transfer between our two countries? The transfer of such data from the UK to the EEA will be allowed under the following conditions:
– an EEA controller or processor will be able to make a restricted transfer of personal data to the UK and EU GDPR will still apply to the sender.
– However, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses). More information about SCCs can be found on the European Commission website.
The best advice we have been given is:
– ensure that a detailed policy is in place for the management of personal data,
– and that controllers and processors of this data are clearly defined.
This may involve rewriting your existing policy and possibly appointing a representative in the EU. For help, advice or further information, the UK government web pages are regularly updated.
If all this seems like a minefield, we are able to manage these changes thanks to the collaboration and good relations built between the British and French partners over the last 4 years of VISTA.