At the time of writing this article BREXIT is just over 7 weeks away but who knows anymore! It could never happen, it could be delayed or we could leave as planned on the 31st October!
However what happens to your data if we leave with no deal? Well as always, it depends!
First question is, what data do you have?
Depending on the nature of your organisation’s work, it could process business data or personal data. This data might be stored in different locations and potentially in different countries. Understanding what data you have and how you process it is a key responsibility for every organisation at all times, not just when turbulence hits. From your GDPR work you will have a nice list of the systems you use, why you store the data and where it is located.
Second question is, where is that data stored?
In the case of CiviCRM and websites your data will be stored in one of the following locations: Manchester, Maidenhead, Milton Keynes and Slough. So data is never leaving the UK. Microsoft Office 365 have opened UK data locations so if you have an office 365 account most of your data should be in the UK location. However the following Office 365 services aren't in the UK: Sway, Yammer, Whiteboard and Forms but I doubt many people are using this and even less so for personal data. Google GSuite Basic doesn't specify where your data will be held, Business and Pro versions do allow you to specify US or EU but hasn't limited the locations to the UK as yet.
Last question, what do I need to do?
If you only have data stored in the UK and clients who are living in the UK you won't see any changes to your data storage requirements.
However a lot of people might be working globally with clients and storing data on those people. So what happens then? Well to be brutally honest, we are not sure. The current thinking is as long as you are being GDPR compliant and working within the Data Protection Act (DPA) 2018 you "should" be fine but as the UK will turn into a "Third Country" to the EU post a no-deal Brexit then there are no guarantees. However if you are following guidelines, asking for permission from people to store data and telling them where it is being stored, then you are doing everything you can.
The ICO has some good information and the 6 steps required to mitigate any issues post Brexit: https://ico.org.uk/media/for-organisations/documents/brexit/2614575/leaving-the-eu-6-steps-to-take-final.pdf
As ever, companies which act in good faith, recording and justifying any changes to processes and decisions, will be less vulnerable than those which do not!