Brexit and the CIPP/E exam

Many students ask us the following question about Brexit:

Should I answer questions about data transfers to the UK according to the pre or post Brexit situation?

The answer is probably that you have to answer these questions according to the pre Brexit situation. We will explain below. We will also consider the situation from January 1, 2021.

Exam

Let us first say that the answer to this question cannot be found in the sources of the IAPP. We have now submitted this question and are waiting for an answer. If we receive a reply, this post will be updated.

We think there is a good chance that no questions will be asked about the new Brexit situation. This is because the IAPP only changes its exams once a year, namely on September 1. Last September it was not clear at all what situation would arise from January 1, 2021. At that time there was little reason to change the exam, partly because many different scenarios were possible. The exam will now only be revised in September 2021

Another factor is the ANSI/ISO accreditation of the IAPP exams. If major changes are made, re-accreditation must be carried out. We therefore expect that the Brexit situation will not be implemented in the CIPP/E exams until September 1, 2021.

Current Brexit situation

A Brexit deal was signed on December 24, 2020.

The deal states that in the first 4 months of 2021, the transfer of personal data may still take place in the same way as before. This will only be different if the UK changes the rules for the protection of personal data during these 4 months. This period can be extended by another 2 months.

In the meantime, the European Commission will try to take an adequacy decision. If this decision is taken, the free flow of personal data to the UK will remain possible.

If this decision is not taken, transfers of personal data to the UK will be considered as transfer to a third country. In that case, for example, Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) will have to be used.

To be continued.

Statement European Data Protection Board