With all the Covid19 issues that are happening at the moment, it is all too easy to forget that we are leaving the transition period in less than 3 months! This means that, unless we sign some sort of trade deal, the UK becomes a third country in regard to data transfers from the European Union.
So what does this mean?
If the transition period ends before the EU Commission makes an adequacy decision about the UK, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same. The UK is committed to maintaining the high standards of the GDPR (General Data Protection Regulation) and the government plans to incorporate it into UK law at the end of the transition period. If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance at the end of the transition period.
So what about data on EU Subjects?
Well, if you are getting the information directly from the subjects themselves, for example when they sign up to a newsletter or become a member, then none of the below will concern you. The ICO state:
If someone is sending you their own personal data, you do not need to use SCCs or any other transfer safeguard. GDPR does not restrict transfers from the data subject themselves. However, you should seek advice on your data protection obligations and their rights under the EU GDPR regime in the country they are in.
However, if you are a UK organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period. If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations at the end of the transition period. You may need to designate a representative in the EEA.
There is a lot of information around this at the ICO and you can follow the links below:
- Guidance for UK businesses and organisations who have no contacts or customers in Europe.
- Guidance for UK businesses and organisations who send or receive data to or from Europe.
- Guidance for UK businesses and organisations with a European presence or with European customers.
What do I need to do with data collected before the end of the transition period?
If the UK does not receive adequacy decisions by the end of the transition period, the data protection provisions set out in the Withdrawal Agreement will come into force. This means organisations in the UK will need to comply with EU data protection law (as it stands on 31 December 2020) when processing personal data that was gathered before the end of the transition and relates to individuals who live outside the UK. You will also need to consider the provisions of the Withdrawal Agreement for personal data processed in the UK after the transition period ends on 31 December 2020.
The ICO recommend that you take stock of personal data you hold so that you can distinguish between data acquired before the end of the transition period and after.
All in all, this might be a useful time to do a sense check of the data you hold, why you hold it and when you captured that information.
In CiviCRM, whenever a contact is created, the date is logged, so you can easily see when a contact was added to your database and by what method.
Interesting times.