Here are the questions you’ve been asking about the UK GDPR, or the UK General Data Protection Regulation, and what it means for schools.
Why is there now a UK GDPR?
As a result of the EU exit, which was completed on 1 January 2021, the UK needs to have its own data protection regulations written in UK law. Under the European Union (Withdrawal Agreement) Act 2020, the previous GDPR, which applied to all EU countries, has now been brought into UK law as the UK GDPR.

The Information Commissioner’s Office (ICO) remains the UK’s independent authority on data protection.
Which regulations do schools in the UK need to follow?
There are now two GDPR documents schools in the UK need to be aware of: the UK GDPR and the EU GDPR. The UK GDPR and the EU GDPR are substantively very similar; however, as data controllers or data processors, schools should be aware of the distinction. The Data Protection Act (DPA) 2018 continues to apply to data transferred within or from the UK.

The new regulations apply to data controllers and processors according to the circumstances described below.

Data controllers and processors follow the UK GDPR (and the DPA 2018) where:

  • As UK data controllers, they collect, store or process the personal data of individuals residing in the UK.
  • As non-UK data controllers, they offer goods or services to, or monitor the behaviour of, UK residents.

Data controllers and processors follow the EU GDPR where:

  • They collect, store or process the personal data of individuals residing in the EU.
  • As non-EU data controllers, they offer goods or services to, or monitor the behaviour of, EU residents.
What actions do schools need to take?
Schools that do not transfer data within the EU or EEA should face fairly minimal disruption; however, to continue lawfully sharing personal data, they are advised to:

Schools that transfer data within the EU and EEA should consider some further steps, including the following:

  • Read the ICO’s advice on data protection and the EU GDPR – they may need to make some changes, e.g. appoint an EU representative.
  • Reassure people with whom they share personal data in the EU and EEA that they can continue to do so lawfully, since the UK continues to allow personal data to be sent from the UK to the EU and EEA.
  • Identify instances where data is received from the EU and EEA and, for each instance, identify who the data controllers and processors are, and where the data is stored.
  • Consider whether Standard Contractual Clauses (SCCs) are suitable; for example, if a data controller is based in the EU and/or EEA.
  • In addition to any existing contracts, schools need to ensure that any new contract put in place that includes the processing of personal data in the EU provides the additional safeguards required.
  • Ensure that all documentation, such as data protection impact assessments (DPIAs) and privacy notices, is up to date and reflects any changes that have been made to working practices.