Data Protection

What will Brexit mean for data flow?

As some countries across Europe begin to ease lockdown measures, and as the UK looks as though it may not be too far behind, a semblance of life and business as usual seems to be drawing closer. However, the post-COVID-19 future still holds lots of uncertainties. One that has taken a back seat in recent months, but is very much still something businesses need to prepare for, is Brexit.

For enterprises, there is currently still no cast-iron guarantee that the free flow of personal data between the EU and UK will be allowed once the entire Brexit process is over. In a worst-case scenario, it could be months or even years before the country regains its data adequacy status. While it’s understandable, and necessary, for businesses to have prioritised covid-19 responses, it’s vital that they also continue to prepare for Brexit so they don’t find themselves left behind. For instance, enterprises may have to make significant changes to their legal arrangements, systems and processes to ensure they can continue to operate post-Brexit and avoid the risk of falling foul of regulations.

The many unknowns

The free flow of data can and will affect multiple business operations. Backup and the recovery of data, for instance, could be severely impacted. Businesses would have to answer questions such as: can a UK-based organisation continue to use a European data processor? Similarly, can an organisation in the EU transfer data from its European data centres to the UK? While businesses can take steps to prepare themselves for possible outcomes, many are being held back by a pervading uncertainty in the market.

A survey of UK IT decision makers, undertaken by 4sl, found that 60 percent were worried about their ability to transfer data from the EU to the UK post-Brexit – and 61 percent were specifically concerned about their ability to back-up data held in the EU. At the same time, 55 percent did not know how Brexit would affect their disaster recovery processes, despite it being potentially only weeks away when the survey took place. While the deadline subsequently moved, when we consider the fact that organisations have recently been prioritising navigating COVID-19, this figure is unlikely to have improved.

This concern around what Brexit will mean for data is only to be expected. UK and European companies have previously always relied on the level playing field of EU data protection law to provide the assurance to carry out their processing needs across the continent – ensuring they can locate data centres in the most suitable region for the business. In the worst-case scenario, the impact on companies (whether in the UK or the EU) could be significant.

Inaction and uncertainty

However, despite the threat of this worst-case scenario, there is still not enough being done. This is largely down to ongoing and widespread ambiguity. Both uncertainty around what the world will look like after COVID-19, and the persistent uncertainty around what enterprises need to do to around Brexit, are leading to inaction in many enterprises.

In October 2019, 35 percent of IT decision makers did not have preparations in place to alter their backup and disaster recovery processes in response to Brexit, and a further 43 percent had made preparations but had not yet put them into effect. Thanks to COVID-19, it’s unlikely that much additional progress will have been made between then and now. There is also concern that any investment in preparing for Brexit will be unnecessary – whether because the feared consequences don’t happen, or because preparations turn out to be insufficient. Perhaps because of this, 59 percent of enterprises worry that the time and money they have put into preparing for Brexit will be wasted.

This mentality is understandable, given the track record of misinformation and unpreparedness around Brexit since the name was coined, and this has all created real risks for businesses. However, at present, a large proportion of enterprises are putting themselves at risk of falling foul of regulations or failures of critical functions. But is it too late to prepare? Even now, absolutely not.

Taking the next steps

Whilst it’s understandable that COVID-19 will have knocked Brexit to the bottom of many agendas it’s crucial that, as soon as they are able to, organisations turn their attention once again to Brexit preparedness. To begin with, businesses need to make sure they understand their data flows, where processing is performed and where data is stored. Organisations should also seek to understand what legal, technical and operational provisions they need in place in order to continue transferring data – including any suppliers that are involved. Next, organisations need to be certain that they have either Standard Contractual Clauses or other provisions in place to cover personal data transfers from the EEA to the UK; or that no data is transferred at all.

It’s crucial that organisations take steps to avoid the possible pitfalls of Brexit, even now in these uncertain times. It can even be seen as an opportunity – for instance, by allowing the business to review and simplify data processing operations. Once Brexit again becomes a word on everyone’s lips, enterprises that have taken the chance to prepare, whether alone or with partners, will be in the best possible position.

By Barnaby Mote, CEO, 4sl