The impact of the United Kingdom leaving the European Union on 31 January 2020 (Brexit) on UK/EU personal data flows and General Data Protection Regulation (GDPR) compliance will soon become clear. The short transition period, which ends on 31 December 2020, creates a buffer zone, but companies and organisations must plan for various outcomes on 1 January 2021 and beyond. Individual rights, supply chains and the flow of trade could all be affected. Boards and leadership teams need clear strategy, creativity, communication and responsiveness to adapt to the emerging political, economic and data realities. Target operating models for Brexit-affected personal data flows should be agile and pragmatic.
1. Degrees of Divergence
Boards and leadership teams must closely monitor how much regulatory divergence the UK and the EU accept. Divergence is inevitable; it is the natural consequence of the UK leaving the EU. The key question, however, is a political and economic one: what will be the extent of UK regulatory divergence from the EU in the final trade agreement (if one is agreed)? Data is at the heart of global trade and innovation, and it is increasingly crucial in bilateral trade deals. Current political and economic positioning will define personal data flows and GDPR compliance long into the future. The EU asserts that a non-member should not have the same rights and access to its internal market as EU members, but it prefers a regulatory level playing field with the UK. The UK insists that it seeks regulatory freedom to govern itself free from the EU single market, institutions, systems, laws and courts. Where will both sides place data protection in their list of priorities? Is there room for enlightened pragmatism on personal data governance?
2. Personal Data in Supply Chains
Modern supply chains are increasingly dynamic, driven by mergers and acquisitions, low interest rates on borrowing for corporate expansion, investments from sovereign wealth funds, hedge fund-backed takeovers and tax-friendly globalisation. Supply chains can change quickly, data ownership can be transferred instantaneously, and rapid data sharing is enabled by 5G and cloud data storage. Brexit complicates this picture even further. Since the 2016 Brexit decision, many businesses and organisations have been in a state of constant reorganisation. Staff have been relocated, new EU businesses established, capital and assets redirected to the EU and business models modified. Boards and leadership teams should be clear about their priorities and communicate these to their supply chain partners. They should also risk-assess their suppliers based on value, impact and the risks of change. Data Protection Officers and Privacy Leaders should plan to update data protection notices, data protection policies and contract clauses about GDPR, and schedule ongoing supply chain reviews.
3. UK Adequacy Decision
The EU has the power to grant the UK a data protection adequacy decision, stating that the UK provides a level of data protection comparable to that of the EU. This would allow the EU to reduce the GDPR regulatory hurdles affecting transfers of personal data to the UK. The UK intends to apply to the EU for a decision, based on its existing GDPR alignment. However, the adequacy process includes wide-ranging investigations and a formal decision of the European Commission in consultation with other EU bodies. The decision is unlikely to be made for many months, and it may become entangled in the UK/EU trade agreement negotiations taking place throughout 2020. An adequacy decision requires UK data protection alignment, reliable UK enforcement and minimal divergence. Without an adequacy decision for the UK, or with a delayed decision, the risk to UK/EU personal data flows and the costs to businesses and organisations increase significantly.
4. Replacing the UK Information Commissioner’s Office (ICO) as an EU GDPR Lead Supervisory Authority, GDPR One Stop Shop Authority and GDPR Binding Corporate Rules (BCR) Approval Authority
Boards and leadership teams need to review their previous analysis of the UK ICO as their Lead Supervisory Authority for GDPR, their GDPR One Stop Shop Authority and the authority to which their GDPR Binding Corporate Rules can be submitted and approved. Alternative EU Supervisory Authorities should be considered and selected to replace the UK ICO’s existing role in these activities, in order to comply properly with GDPR over the longer term. Expert advice may be required to embed these changes. For the largest companies and organisations, the transition period should be used to consider and begin to action these changes, if this work has not yet been done.
5. New Appropriate Safeguards for International Data Transfers
Where there is no UK data protection adequacy decision, Boards and leadership teams must empower their organisations to adopt new appropriate safeguards to facilitate EU/UK personal data transfers. EU Standard Contractual Clauses are the most common solution, but the data exporter must be in the EU and the data importer outside the EU, so these will not typically facilitate data transfers from the UK to the EU after the transition period. The existing EU/US Privacy Shield will no longer cover the UK (for UK to USA data transfers) unless a UK version is created and agreed. Binding Corporate Rules are a stable solution, but they cover only intra-group personal data transfers and take a long time to prepare and to receive approval from EU data protection Supervisory Authorities. Boards and leadership teams must be creative, pragmatic and responsive to their supply chains, clients, staff and partners.