In June 2016, the United Kingdom narrowly voted to leave the European Union. After nearly three long years of negotiations, Brexit is becoming a reality. On Jan. 29, the European Parliament voted to end the U.K.'s membership in the EU.
In response, the U.K. Information Commissioner's Office released a statement on Brexit implementation, noting that the transition period will run until the end of December 2020 and "it will be business as usual for data protection." But how prepared are privacy pros for Brexit?
In the most recent "IAPP-EY Annual Governance Report," conducted in mid-2019, we asked privacy professionals if they are ready for the impact of Brexit and, if so, what data transfer mechanisms they plan to use once Brexit is in full effect. Here’s what we learned.
Fifty-six percent of respondents answered their organization would likely feel the impact of Brexit. For EU-based respondents, that number was even higher: 68% indicated their organization would be impacted. Of the respondents that expect to be affected by Brexit, only 6% feel their organization is “very prepared” for the change. Most respondents indicated their organization is either “moderately prepared” or “a little prepared,” with a handful of respondents feeling very unprepared to deal with the U.K. withdrawing from the EU.
Although many respondents don’t anticipate Brexit will have a major impact on their organization’s privacy team, a few respondents believe the privacy team will need to establish a new supervisory authority. In addition, a small percentage of respondents indicated their organization will create a new U.K.-specific privacy team. The effects of Brexit can be felt most deeply by those organizations that have their EU main establishment in the U.K. For those organizations, most do not plan to move this office out of the U.K. The few planning to move out name derogations and a good relationship with the SA as important factors to be taken into consideration when choosing a new location. So far, Ireland appears to be a popular location for organizations.
Read more about Brexit and data transfers in "New proposed Brexit deal reached, but what about data transfers," by IAPP Editorial Director Jedidiah Bracy, CIPP.
To better understand the results of the survey and how privacy teams are getting ready for the withdrawal, the IAPP spoke to Gabe Maldoff, who recently transitioned from Bird & Bird in London (where he worked with companies grappling with the data protection impacts of Brexit) to Covington & Burling in Washington. Maldoff offered insight on what steps organizations should be taking to prepare for Brexit and opined that organizations are preparing for the withdrawal at a reasonable pace. Because Brexit will likely only impact data transfers from the EU to the U.K., organizations should focus first on understanding whether they transfer data from the EU to the U.K., either internally or externally.
Next, organizations should map out the transfers and, assuming the U.K. does not gain EU adequacy status, implement appropriate safeguards to govern those transfers aligned with EU and U.K. legal requirements, such as standard contractual clauses. Most organizations appear to be in the process of understanding both the internal and external data transfers right now and may even be incorporating the appropriate language into new vendor contracts to prepare for the withdrawal. Organizations are taking this pragmatic approach instead of renegotiating existing vendor contracts because of the uncertainty surrounding whether there will be a withdrawal deal. The process to update contracts is long, tedious and expensive, so organizations are hesitant to jump ahead before knowing all the facts.
Maldoff further explained organizations with their main establishment in the U.K. will face another major decision. Under the EU General Data Protection Regulation, in the event of cross-border incidents, an organization only needs to interact with the data protection authority where its main establishment is located. On the other hand, if an organization does not have a main establishment, it must answer to multiple DPAs. Separately, organizations that do not have any establishment in the EU but are still subject to the GDPR are required to appoint a representative in the EU to act as a liaison. Once Brexit takes place, the U.K. Legal Act will be implemented in the U.K., bringing into U.K. domestic law requirements that will be substantively equivalent to those of the GDPR. This includes the requirement related to the designation of a “representative” where no establishment exists. Therefore, once the U.K. is no longer subject to EU law, organizations that have no establishment in the EU or in the U.K. will be required to have a representative in both the EU and U.K.
Organizations that designated their U.K. office as their “main establishment” under the GDPR will need to decide whether to create a main establishment in the EU. This is something that must be carefully thought through as creating a new main establishment in the EU could require a significant investment for many organizations, and the final decision will depend on the resources available to each organization. It is more likely organizations established in the U.K. will remain there and appoint a representative in the EU.
Now that a deal has finally been struck, organizations can at least have some certainty that they can move forward in a post-Brexit world. Hopefully some preparations have already been underway.