Speed bumps ahead for data transfer after Brexit
In search of solutions to delays and red tape caused by UK’s exit from EU
Companies are becoming increasingly aware that there will be a sharp rise in red tape and multiple regulations relating to data handling after Brexit and are starting to put in place processes to deal with possible delays and difficulties.
Adam Rose, a Partner and Head of GDPR and Data Protection group at Mishcon de Reya, says that if the UK leaves the European Union, companies will need to navigate two jurisdictions over data transfer, potentially causing issues with anything from ATM cash withdrawals to policing Champions League soccer games. London’s role as a key data centre could also be threatened, he warns, as companies struggle to justify the cost of doubling up data security operations for staff operating within the EU.
Brussels will demand that companies moving data between the UK and the European Union demonstrate their compliance with its General Data Protection Regulation (GDPR). The UK has drafted a law to incorporate GDPR into its own regulations, but Brussels would have no option than to seek separate assurances.
“We as a nation are adding huge volumes of red tape. At the moment we can just transfer data to Paris and the system works very well. But after Brexit, there will be bumps in the road which just add to bureaucracy,” says Rose. “The UK’s draft legislation is a fiendishly complex piece of law. It’s as if we’ve been given some ingredients and are expected to work out what the end product is meant to look like without a recipe.”
Many fast-growing companies have interests and markets in both the UK and the EU. That means, after a split, they are likely to have to meet two sets of regulations on data protection. And while the differences might not be substantial, the UK has historically had the lighter touch; bureaucracy could easily double. Any customer-facing business will find challenges in data handling.
Police forces have raised concerns that they will not be able to share data so easily on individuals, potentially hampering efforts to crack down on violent soccer supporters, for example, as well as terrorism and organised crime. A new unit will be set up to use alternatives if UK police lose access to EU data sharing and co-operation tools. But Sara Thornton, head of the National Police Chiefs’ Council, has warned these alternatives would be “without exception, slower, more bureaucratic and ultimately less effective”.
Even companies that don’t currently have business within the EU could be hit by the “Brexit effect”, as a flood of additional paperwork slows them down. Instead of being able to freely move their customer and staff data around the EU, they will need to put in place a series of contracts that regulate what happens to that data, adding to legal cost, bureaucracy and delay. The lack of certainty as to where the UK stands by way of a transitional period, or no-deal Brexit, means that businesses are having to spend money and time not knowing if their contingency planning will even be needed.
These increased costs and potential delays could also threaten London’s role as a key data centre. Companies will have to justify the extra legal and administrative spending to stakeholders and ensure they do not adversely impact the bottom line. While the UK remains an attractive market with nearly 67 million people, companies will need to ask: “Why do everything twice – why not move to Dublin?”
For all businesses, getting to grips with data will be one of the keys to success in weathering the regulatory changes ahead and curbing the risk of data losses. In order to face these challenges, companies will have to know their data inside out – what they have, where it is, who uses it and how it moves. That should enable them to control costs and ensure compliance when they have to deal with a double layer of data protection rules.
"Don’t panic." says Rose. "Work out what data you have and where you have it. Where you are moving it to and from. Work out what you have to do to achieve compliance that you wouldn’t have had to think about before. Don’t keep more data than you need, don’t keep it for longer than you need, make sure you’re keeping it secure. I think those remain really important messages. Those are the key themes".