A no-deal Brexit may trigger a data disaster, and UK companies don't have a clue

With a potential no-deal Brexit looming, there's one lesser-known industry that could be impacted: data sharing. Plenty of businesses aren't aware of the huge change that may be coming
WIRED

Not many of the things currently travelling freely across the English Channel will remain unaffected in the eventuality of a no-deal Brexit. New regulations for goods, services, and people coming from the EU to cross the UK border still have unresolved questions. But there is another, less tangible matter that could very much wreak havoc if the UK were to crash out of the EU without a deal next month: data.

At the moment, data flows without barriers between the UK and the rest of the EU. This makes trade easier for businesses, which can rely on transferring information about their customers and workforce to sell goods and services, especially within digital-oriented industries like telecoms or technology. It is estimated that cross-border data flows account for 3.8 per cent of global GDP.

The UK is part of the mutually agreed General Data Protection Regulation (GDPR), which came into force in 2018 and covers its European members with the world’s strongest data protection rules. This means that personal information gathered in other GDPR-protected countries can enter the UK with no barriers, as it is assured that data will be equally protected in the country.

The UK's Data Protection Act 2018 supplements GDPR, and in some specific cases goes slightly further, making the UK’s rules more stringent. In the event of a no-deal Brexit, the Data Protection Act will ensure that personal information processed in the UK will keep enjoying the same level of protection it does now. Still, under EU law, the UK will be automatically considered a third country not bound by GDPR rules, and able to diverge from the current strong standards if parliament so decides. Consequently, data from EU countries would not be able to flow freely to the UK.

“Things will remain the same for organisations residing in the UK, and who need to transfer data to the EU,” says Cillian Kieran, CEO of privacy start-up Ethyca. “But you won’t be able to gather data from the EU into the UK. This is an issue for any company that processes information at any level.”

From behavioural analysis to order-tracking, through basic processes such as cloud-based email or storage, data transfers are at the core of most British businesses’ daily activity. Numbers reflect that: between 2005 and 2015, the volumes of data entering and leaving the UK increased 28 times. Three-quarters of these were exchanged with EU countries.

Disrupting the flow of data could be disastrous. To take one example: in a recent study, researchers from University College in London point to the fact that the university’s own email system, Microsoft Outlook, only works because data can be transferred from servers in Ireland to servers in the UK.

The UK hopes that the European Commission will grant it a special status that would recognise the UK’s data protection regime as equal to the EU’s, and allow for the free flow of information across borders. Instead, the EU has committed to assessing the UK for “adequacy” – essentially, a status green-lighting a third country’s data protection standards, allowing for data transfers to happen unimpeded. In the past, the process of granting adequacy has taken between 18 months and five years.


In the event of an orderly Brexit, the assessment would take place during the transitional period, supposed to last until the end of 2020, during which the UK would keep abiding by all EU regulations and avoid any disruption. But if no-deal happens, the UK could spend years in a data limbo. Making matters worse, there are a number of issues that could cause the UK to be denied adequacy – not least its intelligence-sharing arrangement with other countries in the Anglosphere, known as the Five Eyes alliance. Member states’ national security decisions such as Five Eyes cannot be contested by the EU, but the arrangement could come under scrutiny from a data protection perspective once the UK becomes a third country.

Under a no-deal scenario – until a special arrangement or adequacy is reached – EU-to-UK data transfers will only be allowed under legal mechanisms implemented by individual British companies. That’s when things get thorny. “Most small and medium businesses will have real difficulties understanding the legal implications and technical difficulties of data transfers,” says Kieran. “They will need specialist advice and the engineering capability to make sure that they comply with new rules. And if they don’t, they could get prosecuted.”

The most important technicalities are Standard Contractual Clauses (SCCs), which are contracts pre-approved by the European Commission, to be signed both by the organisation receiving information and by the source of data in the EU; and Binding Corporate Rules (BCRs), which are approved by an EU Data Protection Authority (DPA) to facilitate the transfer.

A new SCC has to be set up for each new point-to-point data transfer – in the case of an organisation that has customers in Europe, for example, it would be necessary to map out every data transaction happening daily, and set up an SCC for each one. This can quickly escalate into costly legal processes and administrative chaos.

To make sense of those requirements, companies are likely to resort to external legal experts. Complying is costly and a lot of work – and not the type of work that small and medium-sized businesses (SMBs) are anticipating. Jack Bedell-Pearce, the CEO of 4D Data Centres, led a poll among SMBs in the aftermath of the 2016 referendum to find out how much they knew about Brexit; the poll’s results showed that 87 per cent of them didn’t consider data privacy to be an issue.

“Anecdotally, since then, not much has changed,” he says. “IT directors think that it won’t be an issue because they already comply with GDPR. Their faces drop as soon as they understand the potential legal implications this could have.”

Bedell-Pearce, for his part, has prepared as much as he can: his company runs data centres, and some of his customers who work with international clients could be affected. He has created a separate budget to anticipate lower revenues, “but outside of that it’s really just hanging on and seeing what happens,” he says.

Given the uncertainty surrounding Brexit, at this point there seems to be little else UK businesses can do. Apart from the ICO’s relatively vague recommendations on data flows, and a gov.uk toolkit, guidance from the government on this subject is scarce.

“The ICO as a regulator is doing the best it can,” says Kieran. “But this is a constantly moving target.” And although public information campaigns attempt to raise awareness of the issue among business owners, it is easy to see why it might be challenging to give out specific advice when details of the UK’s exit from the EU are still so uncertain.

Nikolay Piriankov, the CEO of online retailer Taylor & Hart, makes few sales in the EU, but he has a team in Europe with which he communicates daily. He explains that he sees larger companies taking measures, but he cannot afford to follow their lead. “Among smaller companies like ours, it’s just too much of a risk to allocate a large amount of time to Brexit preparations until we have a clearer picture of what’s going to happen and when,” he says.

The UK's digital secretary Nicky Morgan has said all businesses and organisations should ensure they are ready for Brexit. “If you receive personal data from the EU, you may need to update your contracts with European suppliers or partners to continue receiving this data legally after Brexit,” Morgan said in a statement. “There are simple safeguards you can put in place by following the guidance available. UK and EU businesses should get on the front foot and act now to avoid any unnecessary disruption.”

Preparing for compliance takes time, money – and realism. Kieran explains that this could also be a case for smaller companies, who see privacy as an issue for tech giants to handle. But in fact, regulations trickle down to them too – without them necessarily being aware of it. “In my experience, businesses are not at all prepared,” says Kieran. “They have very little knowledge of the issue, or consider it to be low risk.”

However, it is unlikely that an apocalyptic data freeze will happen on November 1. Large companies that provide essential services like cloud storage should already have provisions in place, he explains, as they are the ones that will come under the greatest scrutiny when the UK leaves the EU. As for smaller businesses, Bedell-Pearce hopes that the EU and the British government take a pragmatic approach to make data flows as smooth as possible. “Something like a basic connectivity agreement,” he says. That’s one extra thing to add to Boris Johnson’s to-do list.

Updated September 24, 2019 17:51 BST: A statement from digital secretary Nicky Morgan has been added.

This article was originally published by WIRED UK