Keeping the data flowing: The business impact of Brexit on data sharing and protection

22 June 2018

Every day, huge volumes of data, including vast amounts of personal data, flow between the UK and other EU countries. Thanks to common standards of data sharing and protection within the EU, international businesses can easily work across borders. But, as the Brexit deadline nears, thoughts are turning to what happens to this easy and seamless flow when the UK leaves.

In response, the UK Government (‘the Government’) has set out its vision for data-sharing and protection after next year’s exit. It’s proposing a ‘special deal’ - one that would see the UK Information Commissioner’s Office (‘ICO’) working closely with the EU, maintaining a continued, uninterrupted and secure flow of personal data between the UK and EU countries.

The foundations for a new relationship

After Brexit, the UK will become a ‘third country’, like Switzerland. As with these other countries, the UK can of course have a close relationship with the EU, but will not be part of it.

With that in mind, the Government has had to consider what this means for data sharing. Its view is that, to keep data flowing freely with other EU countries, there must be a minimum recognition that the regulatory regimes are essentially equivalent - an “adequacy agreement”. Without this, there would be a severe impact to services that rely on cross-border data sharing. For businesses, their EU and UK entities might need to become functionally independent for the purposes of data sharing, not to mention other administrative burdens for data controllers and processors.

The first step towards discussions on adequacy has been to implement the GDPR and Law Enforcement Directive in full, through the Data Protection Act 2018. The Government believes this act will be compatible with the European Convention on Human Rights and Council of Europe Convention 108.

Adequacy isn’t adequate enough

But the Government’s position is that a standard adequacy approach is not enough - it wouldn’t reflect the breadth and depth of the UK-EU relationship. Instead, it’s proposing a new agreement, which would maintain the flow of data between the UK and EU, without risks to security, or incurring additional costs.

This kind of arrangement would call for deeper regulatory cooperation, “to ensure the framework effectively meets the needs of our unique relationship”. The Government is also proposing that the ICO has a seat on the European Data Protection Board, “to the benefit of consumers and businesses across the EU”.

There are potentially big benefits to this kind of arrangement. With simple ‘equivalence’, multiple regulatory bodies would need to be involved in cross-border data-protection disputes. The ‘special deal’ would keep things simple. Instead, the lead role would be taken by the supervisory organisation where the main data controller is based, creating a less complex ‘one stop shop’ mechanism.

A deal that may not happen

While this kind of approach makes sense to the UK, the reaction from the EU has been less enthusiastic. It would be an unprecedented framework for a third country, and Michel Barnier, the lead Brexit negotiator for the EU-27, has criticised the approach. Mr Barnier has stated that the UK’s proposal would lead to serious legal problems, and that the EU will not share this kind of decision-making with a non-EU country.

This all suggests that a standard adequacy agreement may be the most likely solution in the near-term. In fact, following the argument that ‘nothing is agreed until everything is agreed’, the UK and its businesses need to have plans in place to prepare for all scenarios - including a ‘no deal’ outcome.

How businesses need to prepare

Many current GDPR programmes have focused on PII data discovery and associated mapping through to the completion of their privacy operating model and governance. Businesses are now moving on to develop strategic models, and embedding GDPR into ‘business as usual’ activities, through privacy by design.

While this is happening, organisations need to take into account potential negative scenarios for the UK, post Brexit, and enhance their GDPR operating models accordingly:

  • If the UK and the EU reach a standard adequacy agreement, Data Protection Officers need to be ready to work across multiple regulators and regulatory environments.
  • If the outcome is ‘no deal’, businesses may need plans in place to establish distinct EU legal entities, and migrate client data from the UK to these new entities.

Whatever the outcome, all businesses will need to be acutely aware of the expectations of their clients and customers, who are increasingly aware of data protection rules. Any organisation that handles personal data must demonstrate that they continue to process data safely, transparently and legitimately. This is vital to avoid losing trust and damaging reputations. With this in mind, rather than being a burden, businesses should instead turn Brexit and GDPR into opportunities to improve internal operating processes, and ultimately relationships with their clients, demonstrating they’re worthy of confidence and trust.

Leigh Bates | Partner
Profile | Email | +44 (0)7711 562381
Follow @Leighbates_pwc
Conor MacManus | Senior Manager
Profile | Email | +44 (0)7718 979428


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.