By Pragasen Morgan, Partner, EY.
Personal data lies at the heart of many companies’ business models and handling it correctly is essential to building trust and avoiding reputational damage. As a result, it is rapidly rising up the senior management agenda, with the 2018 IAPP-EY Annual Governance report revealing that nearly 8 in 10 organisations report privacy matters at board level.
In this context, the European Commission’s announcement that, in the event of a no-deal Brexit, the flow of personal data from the EU to the UK will be restricted from 29 March 2019 raises some serious concerns for the C-suite. Businesses who wish to continue to transfer personal data from the EU into the UK after this date will need to employ “appropriate safeguards”, such as the EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) which are currently used when personal data is exported outside of the EEA. Even if the draft EU Withdrawal Agreement is adopted in its current form, any failure to reach an adequacy decision by the end of the transition period on 31 December 2020 will mean the end of the status quo and further transfers of personal data from the EU to the UK will require one of the appropriate safeguards mentioned above.
There is some good news. Guidance issued by the Department for Digital, Culture, Media & Sport (DCMS) outlines how UK data protection law will work if the UK leaves the EU without a deal. The guidance highlights how a combination of the UK Data Protection Act 2018, which goes a long way towards meeting the EU’s GDPR requirements, and other existing or amended rules or contractual agreements, can be used to mitigate existing and potential risks of leaving the EU without a deal.
Before we examine some of that detail it’s worth staying at the broader level to consider the strategic concerns. Any acquisition, merger or other major digital growth initiative will need to be carefully examined or put on hold until the personal data transfer flow is fully assessed, mapped and any risks mitigated.
Understanding the options
To give just one example of the complexities and the need for thoroughness, let’s look at the use of BCRs. While existing BCR authorisations will continue to be recognised in domestic law and can therefore be used as a means of international transfer of data, organisations such as global shared services providers will need to carefully check whether all their partners or customers have BCRs. If not, supplier and customer contracts may need to be updated to include SCCs so that these can act as an effective basis for international data transfers from the UK. As this example shows, although it’s a positive that options are available to avoid data transfer blockages, the number and nature of these options mean they need careful and expert consideration.
Navigating the challenges
Organisations must ask themselves some challenging questions if they are going to be ready for a no-deal Brexit, not just in terms of day-to-day compliance to ensure the continued transfer of personal data from the EU to the UK, but also in terms of the strategic growth and efficiency opportunities they seek to realise.
Who is going to lead the no-deal Brexit preparations on the ground?
It’s a big and important task, so assign or recruit a privacy lead to take on the challenge.
Have you completed a detailed risk assessment?
This needs to examine the nature and use of data at both a micro and a macro level, from consumer, supplier and internal data right up to M&A due diligence. External support can provide both assurance and extra resources.
Are you communicating your vision?
In a perfect world, everything decided at board level would instantly become part of every staff member’s routine, but we don’t live in a perfect world. So, get the key messages and the range of actions needed across to the wider business, flagging up the highest-risk customers or data transfer flows.
Are your business processes running smoothly?
From anonymising data to properly identifying different entities or customer locations, plans are only as good as their business processes. So, there’s a need to test, socialise, populate and stress-test them with data well ahead of Exit day.
Our briefing note below provides a concise view of the road ahead in the event of a no-deal Brexit, and the DCMS guidance describes the regulatory channels, such as BCRs and SCCs, that will help organisations keep their vital data flowing. But, just as with GDPR, it will be vital to look up from the detail to keep sight of the bigger picture, particularly around the increasing importance of trust and the impact of data restrictions on your organic or M&A-driven growth plans.
For further information please contact: