Action Required: BREXIT & the transfer of data to/from UK in the event of no-deal

Schools need to be prepared and ready for a no-deal Brexit

The EDPB has just published adopted (12th February 2019) guidance on the requirements on organisations processing personal and sensitive data to and from the UK.


Many of the information systems that British and American curriculum schools outside the UK use are domiciled in the UK. Meaning a transfer is likely to occur when using UK based cloud platforms or transferring personal data to an organisation in the UK through other means. In preparations for a no-deal Brexit, your school (if based outside the UK) should consider implementing the recommendations of the guidance. If your school does not, and there is a no-deal, you can assume your school is not compliant with the regulations. Likewise, if your school is based in the UK and transfers data to an organisation in the EU/EEA, you will need to consider the UK transfer rules.  


There are five required steps set out by the EDPB that your organisation needs to adopt:

  1. Identify through your data map what processing activities will imply a personal data transfer to the UK

  2. Determine, by documenting, the appropriate data transfer instrument for your situation

  3. Implement the chosen data transfer instrument to be ready for 30th March 2019

  4. Indicate in your internal documentation that transfers will be made to the UK (or to EU/EEA if a UK school)

  5. Update your privacy notice accordingly and inform individuals

For example, those clients that work with 9ine may transfer personal data to us in the course of their business. In following the above process, the client would:

  1. Detail the processing activities when personal data could be sent. For example, supporting on data mapping, compliance with the GDPR, or mitigating the impact of a cyber security breach - these services are detailed within our proposals

  2. Rely upon the standard clauses in our consultancy services contract that reflect those approved by the European Commission - this would be the data transfer instrument

  3. The majority of clients working with 9ine have been in contract with these terms since May 25th 2018 and are reflected in the signed proposal for services

  4. Capture the processing activity (above) within their data mapping

  5. If required, and not already covered, reference in the privacy notice that transfers will occur to the UK (or to EU/EEA if a UK school).

For schools working with 9ine on DPO Essentials, we will issue a standard 'data map' based on our services, mitigating the need for you to do this. You will also receive guidance in terms of actions and dates to achieve those by. Lastly, we will be prioritising Controller to Processor agreement reviews of UK based service/technology providers (and for EU/EEA providers for UK schools) and available via the DPO Essentials service.


What your school should be doing given the adopted guidance

  1. Assess where transfers take place to/from the UK. This includes all information systems or EdTech platforms. You need to do this by completing data mapping. If you have not completed this for all areas of your school then you will need to quicken the pace.

  2. For each processing activity where a transfer takes place, follow steps 1 through 5. This will require reviewing the supplier's contract

  3. Where required, put in place appropriate Controller to Processor agreements

This guidance is critical for your school to demonstrate compliance with the GDPR and should not be ignored.


We will be running a webinar in the week after next to support international schools in complying with this adopted guidance. 



9ine’s DPO Essentials is an annual service offering a professional, independent perspective when evaluating a breach. The service also provides access to a suite of education specific documentation and policies to evidence compliance with data protection law. We use our strong sectoral knowledge and evaluative expertise to provide feedback based on the assessed severity of a breach, and to advise on the associated risks and recommended actions to be taken. If advised to report the incident to your Supervisory Authority, 9ine will ensure it supports any ongoing activity you will need to undertake.

9ine's Incident Response - Free to Register: Through our service desk, we have the expertise in place to respond to any data protection issues or cyber incidents you may have. Whether that’s a personal data breach, phishing or cyber attack, malware incident or SAR, we will triage and assess the severity of any threats free of charge - there is only a cost if you employ our services for undertaking the mitigating actions. Register your interest for the service here and one of our consultants will get in touch:

For more information on 9ine's security initiatives and how we support with reducing security threats in schools:

Get in Touch

New call-to-action

Let’s Stay in Touch

Subscribe to our newsletter to receive product announcements & other updates.