Two urgent questions – does your business move data across borders and if so are you prepared for what could happen if the UK leaves the EU at the end of March without a deal?
The Direct Marketing Association (DMA), which represents a whole raft of data businesses, says any company that moves data between the UK and an EU country needs to be aware of what will change if we effectively sign out of the General Data Protection Regulation (GDPR), Europe’s data protection regime.
If we are going to continue to see data flowing freely across borders as now, we will need the EU to give us the kind of adequacy deal it has already granted to 12 other non-EU countries – but it isn’t clear how quickly that would happen.
And in the meantime, the DMA says, there would be severe uncertainty that “could potentially bring EU-to-UK data flows to a halt”.
A couple of examples:
- A large UK data processing company with EU-based customers and an EU data centre may find it can no longer move their data across borders to be processed in the UK. In the words of the DMA, “it would lose control of its own data”
- A small e-commerce company, perhaps selling Scottish knitwear, has some customers in France and stores their email addresses and previous orders in its database. To continue processing their data, it may need an EU-approved standard contractual clause
DMA chief executive Chris Combemale says many larger companies have already moved to open data centres in mainland Europe.
He describes one major US financial technology company that had all of its servers in London but now has a duplicate operation in Amsterdam.
He says large companies are prepared and will take things in their stride but the administrative burden on smaller businesses could be quite onerous.
“We’re not disaster-mongers – things will carry on but with more cost,” he says.
“The uncertainty, the extra cost, could reduce investment – companies could choose to do less business here.”
Lawyers too are warning that data-handling companies – and they account for an awful lot of businesses these days – face a mountain of work. “Preparing for a no-deal Brexit requires identifying current and future EU-UK data transfers and urgently ensuring that UK entities become ‘safe importers’ of data in Data Transfers Agreements,” says Eduardo Ustaran of Hogan Lovells.
“A no-deal Brexit definitely means more bureaucracy, not less.”
The Information Commissioner’s Office points out that there is comprehensive advice for businesses about the implications of a no-deal Brexit on its website.
Introducing the advice, the commissioner, Elizabeth Denham, said: “Organisations will need to carefully consider alternative transfer mechanisms to maintain data flows and the guidance we have produced will help you weigh the options and take action if this proves necessary.”
Having read through this section, my head is spinning and I can imagine lots of smaller companies will still be struggling to work out exactly what they need to do.
But with just 71 days left to prepare for a no-deal Brexit, any business that depends on data had better get their skates on. Otherwise, they could see a vital resource stuck in an endless tailback at the border.