As you will be aware, the UK will, in all likelihood, be leaving the European Union in March 2019. As a company, ChurchSuite is based in the UK, where we securely store all customer data using Amazon Web Services (AWS), and nothing in this regard will change for any customers using ChurchSuite. In order to ensure that we remain fully compliant with GDPR legislation in the event of a "no deal" Brexit, we have been investigating, with a specialist European Data Protection lawyer based in Germany, how this could affect the cross-border flow of personal data between the UK and EU, in addition to the UK storage of EU data. We have sought expert advice in order to ensure that we help our customers remain as compliant as possible.
In essence, the professional advice that we have received is that EU organisations storing data in the UK and transferring data between UK-based servers and the EU "post Brexit" will continue to be entirely acceptable and lawful.
Here's what our advisory lawyer says - we've included all the detail for those who will find this helpful...
"The GDPR is still in force in the UK and further developments have to be awaited to be able to make binding statements about the future. So far it is still expected that a "deal" will also cover data protection issues. In the current draft, which is under discussion, the current data protection laws would continue to be applied until 2020 for a transitional phase.
If there is a "no deal" Brexit, the UK will be a 'third country' requiring a decision by the EU Commission to confirm that UK laws provide adequate protection for personal data. Considering that the GDPR is currently in force in the UK, one should believe that the EU Commission cannot come to a negative decision; however, the EU Commission stresses that there is no automatism.
Even without such a confirmation by the EU Commission of 'adequate protection', the transfer of personal data is still possible (Art. 46 GDPR: Transfers subject to appropriate safeguards). The appropriate safeguards are listed under Art. 46 (2) and may be provided for, without requiring any specific authorisation from a supervisory authority, by:
a legally binding and enforceable instrument between public authorities or bodies;
binding corporate rules in accordance with Art. 47;
standard data protection clauses adopted by the EU Commission in accordance with the examination procedure referred to in Art. 93(2);
standard data protection clauses adopted by a supervisory authority and approved by the EU Commission pursuant to the examination procedure referred to in Art. 93(2);
an approved code of conduct pursuant to Art. 40 together with binding and enforceable commitments of the data controller or data processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
an approved certification mechanism pursuant to Art. 42 together with binding and enforceable commitments of the data controller or data processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Finally, in addition to the GDPR, there is a national German Data Protection Law, but it does not address the Brexit situation any differently from the GDPR requirement stated above."
For the moment, no matter what the outcome of the Brexit negotiations, there is currently no legal problem with continuing to securely host your data in the UK, as is done at present. We will continue to monitor the situation in the coming weeks and months and we'll continue to seek expert counsel along the way. We're also working on contingency plans that would enable us to relocate EU customer data to an AWS data centre within the EU, should this be required for GDPR compliance.
In the meantime, we want to reassure you that your data is being stored securely and lawfully, and that we are taking every measure necessary in order to continue to serve churches in the UK, the EU and worldwide after Brexit.