While recent meetings in Europe between Prime Minister Johnson and his counterparts in Brussels, Germany and France may have brought increased hope that a revised deal can be negotiated for Britain’s departure from the EU, it is still the case that a ‘No Deal’ exit remains a distinct possibility. This would see the UK leave the EU at the expiry of the Article 50 extension, at 11 p.m. on 31 October.
Predictions have been widely made about the impact this may or may not have on the flow of goods and services between the UK and Europe, but despite its crucial importance in the modern digitalized world, the question of what happens to data-flows if the UK leaves without an Agreement has gone relatively under the radar. While businesses and consumers may be able to stockpile parts or foodstuffs for a few weeks, the immediate nature of sharing personal data could present more of a headache.
Making it personal
In a digital world, the sharing of personal data is commonplace and touches almost all businesses, whether it is for clients, consumers or employees. And post-GDPR and with cyberattacks very much in the public consciousness there is a growing awareness and consequent communications challenge, of the need to demonstrate data is being managed correctly.
While GDPR compliance was rarely enthused about, its application did at least provide many businesses with the safety blanket of a clear process and a consistent approach across the EU and European Economic Area (EEA). But with the prospect of a hard exit on 31 October, with no transition period in place, this will change, and businesses must be ready to both handle this operationally and to communicate the implications internally and externally.
From a purely logistical standpoint the solutions are not hugely onerous, but measures must be understood and be ready to be implemented from 1 November. While the UK government has committed to not placing any restrictions on personal data flowing from the UK to EU/EEA countries, the EU has not made a similar commitment when it comes to the sharing of data of its citizens. Penalties would mirror those for GDPR infringement and although there is a question over how this would be enforced with a third country, the reputational impact of a public denouement could exceed the impact of a fine.
Businesses that already transfer data of EEA citizens to outside Europe should already have in place arrangements for making a restricted transfer under GDPR. However, many businesses that operate solely within the EU/EEA and UK may need to think about how to comply with additional regulation. For example, a UK office of a French business sharing employee data between a central human resources function in Paris would now have to comply with the provisions on restricted transfers in the UK GDPR. It should also be noted that provisions of ‘adequacy’ – the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards – will have to be determined once the UK has left the EU, likely over a period of some months.
Communicate as well as comply
Being prepared for this is not simply a case of compliance. It’s also about communications. Companies must ensure that those who share data know what changes they need to make, and how to address any questions that may come their way from employees and customers concerned at the both the impact of these changes on the ability to conduct business and whether this affects the security of the data being shared.
With many functions of a company potentially sharing personal data it is imperative that a strategy is put in place to ensure that all employees are aware of what is required in such a scenario. It’s easy to forget that an executive assistant may regularly send personal data of the person they support overseas when organizing travel or meetings for example. Yet it is also important to recognise that such changes may cause concern, even if the solution has been put in place. Employees may be concerned they may inadvertently break the law and face consequences. Clients and customers may worry these changes put their data at risk or make doing it harder to do business.
In all of these cases reassurance is key. Yes, there will be changes and new processes may be required but for many businesses that already share personal data with non-EEA countries like the US, Australia or the Far East these processes are simple to adapt given the right support, training and depth of understanding.
An opportunity to improve and engage
It’s important to remember too, that this offers an opportunity for improvements to your data management strategy. People are increasingly data sensitive and are conscious of the potential risks of too much data being shared. This is something the Department of Culture, Media and Sport and the Cabinet Office are examining, with a current consultation open for contributions on developing a clear policy on digital identity.
This is based on the premise that citizens have a right to only share necessary information, and thus processes for verification should be made simpler to better protect privacy. For companies that handle significant volumes of personal data it may be worthwhile thinking how the need to respond to data-flows post-Brexit can be adapted into a clear policy to minimise data being held or shared; offering an opportunity to submit to the consultation and engage with the new Government and build relationships.
Of course, the need to make adaptions due to Brexit could change if parliament agrees a withdrawal agreement, if a further extension is agreed or if data-flows fall under a so-called ‘micro-deal’ like those agreed by already to keep planes flying and freight moving in the event of a departure without a deal.
In many respects the challenges businesses may face in the event of a ‘No Deal’ situation mirror the concerns that were faced before the introduction of GDPR, yet without the certainty of a knowing what will happen on 1 November many businesses have not prepared to the extent they did for GDPR. Of course, if Britain does leave without a deal in place then GDPR rules will also change; though for most it will be minor given the Data Protection Act 2018, which is the UK's implementation of the General Data Protection Regulation (GDPR), will remain in force. But that is a subject for another day and another blog.