Tackling the Brexit data challenge
29 December 2017
As UK firms further consider their Brexit planning to relocate parts of their cross-border business to alternative EU-27 locations, they face a number of challenges and questions. Alongside the movement of people and logistics, firms are focussing heavily on governance, booking models, infrastructure, technology and data. Indeed the Prudential Regulation Authority (PRA) and Financial Policy Committee (FPC) have identified the management, sharing and protection of personal data between the UK and EU-27 post-Brexit as one of the key risks to financial services firms.
On 9 January 2018 the European Commission issued a notice to stakeholders acknowledging the uncertainties around future arrangements between the UK and EU and reminding stakeholders of the implications of the UK moving to third country status post-Brexit. The European Commission confirms that after Brexit the UK will become a "third country" for the purposes of EU law, which will potentially impact personal data exports from the EU to the UK. It also confirms that, as a third country, the UK’s "adequacy" for EU Data Protection law purposes is a matter for decision by the European Commission, rather than a status that occurs automatically.
Data is of fundamental importance to the business models of all financial services firms. Technology, infrastructure and automation all play a critical role in maintaining firms’ daily operations and informing their strategies. With evolving innovative technology, the effective use of data has more potential than ever to improve firms’ business models.
Today personal data can be transferred cross-border in the European Economic Area (EEA). Firms have taken advantage of the freedom to transfer data across the EEA, and many of them have taken steps to reduce data storage and processing costs by concentrating data centres in locations across the EU, outside of the UK.
The transfer of such data is governed by the Data Protection Directive (DPD) which sets minimum standards for the use of personal data. In May 2018 the DPD will be replaced by the General Data Protection Regulation (GDPR). The GDPR will strengthen the EU’s data protection rules further. Under the GDPR the European Commission (EC) will determine whether the data protection regimes of non-EU countries should be deemed to be adequate, allowing firms to transmit personal data to those countries. If the EU does not make an adequacy decision in the UK’s favour, organisations can still transfer their data using mechanisms such as contracts, intra-group data sharing agreements and consents.
The UK Government has stated it ‘wanted to explore a UK-EU model for exchanging and protecting personal data that could build on the existing adequacy model’ in GDPR. This agreement could form part of any Free Trade Agreement reached with the EU. The UK Government has also committed to continuing with the implementation of GDPR, and in light of the robust data protection regime in place in the UK there would appear to be a good chance they will be able to deliver this.
Brexit could, though, potentially affect data transfers between the UK and other EU countries. Any transfer between the UK and the EU could be subject to restrictions and/or increased regulation, although of course many organisations in the UK will be very familiar with how mechanisms such as consent, contractual necessity, European model clauses or Binding Corporate Rules work.
Firms would be well advised to ensure they have a sound understanding of the nature of all their cross-border transactions and data flows into and out of the UK. There may not be time to react to the eventual outcome of trade and equivalence negotiations; action is required now.
Financial services firms should be taking steps now to understand what data challenges Brexit may pose and the degree to which they are likely to be affected if the frictionless transfer of personal data cross-border in the EU is no longer possible. While the best outcome for firms in the UK and EU-27 would undoubtedly be an agreement which allowed continued seamless transfer of data, we should all have contingency plans in place for a different outcome.