No-deal Brexit data – should firms worry?
In a no-deal Brexit, the UK will need to prove to the EU that its data protection is up to scratch….
“Take steps now to keep receiving data legally from the EU.”
That’s the message for businesses in a full page government advert in the Financial Times and elsewhere.
It goes on to warn that after 31 October “you may need to update your contracts.”
But just how worried should companies big and small be about handling data in the event of a no deal Brexit?
The advert tells readers to follow the step-by-step guide at gov.uk/brexit.
But when you arrive there, finding your way to the advice about data is not straightforward.
I found that I had to pretend to be a business and answer a whole series of questions before I was presented with the information.
So here is the key issue. Right now data can flow freely across the EU as long as companies conform to its tough new General Data Protection Regulation (GDPR).
And as the GDPR is being incorporated wholesale into UK law, there should be no real change after Brexit – as long as we leave with a deal.
But if there is no deal, we will be treated as an external country, needing what is called an adequacy ruling showing our data protection standards are up to scratch – and the European Commission has indicated that this would not happen in a hurry.
So what do businesses need to do? Well, sending data to the EU will apparently be no problem because the UK government has decided it is happy with European standards.
But if you receive data – perhaps a lists of names and addresses of customers – from a company in the EU or the wider European Economic Area then you will need to take action.
The advice is that you should “review your contracts and, where absent, include Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM) to ensure that you can continue to legally receive personal data from the EU/EEA.”
Err – right. I can hear dozens of small business owners gulping at that.
But the gov.uk site then sends them over to the Information Commissioner’s Office to find a handy interactive tool which will allow them to work out just how to craft one of these clever contracts.
Don’t worry, the government site says, “for most organisations, especially SMEs, taking the required action isn’t highly costly and doesn’t always require specialist advice.”
But don’t think you can just ignore the problem.”If you fail to act, your organisation may lose access to personal data it needs to operate.”
Big companies are likely to have addressed this issue. One payments firm told me it had opened an office in Ireland, and was preparing to tell EU customers that their business would now be handled from there.
‘Insurmountable bureaucracy’
But how prepared are small businesses?
Ben Thompson, co-owner of a cycle store in Fort William in Scotland, has visited the gov.uk/brexit site.
When he filled in the questionnaire he found he faced 21 Brexit-related issues, among them data transfers.
“We organise cycle tours, and may for instance be getting customer data from a German travel agency,” he explains.
He now worries that he may need to sort out new contracts with all of his European customers. “My heart sank when I saw this – it’s an insurmountable pile of bureaucracy for a small business.”
Legal angle
It is all good business for lawyers. But Alex Brown, head of the technology practice at Simmons and Simmons, urges caution about just how serious the data transfer issue is: “If I was a business exporting this would be on my list to fix – but it wouldn’t be near the top.”
He doubts whether data regulators will be rushing to punish small businesses which fail to get the right contracts in place straight away.
But it is just one more worry for businesses grappling with Brexit uncertainty.
Make UK, the manufacturers’ organisation, says the whole area is confusing for thousands of its members trading with the EU and is calling on the government to give clear guidance.
A DCMS spokesperson said it was in everyone’s interests that the exchange of personal data between EU member states and the UK continued, and the government had set out ways in which businesses could comply with EU data protection laws.