Britain could be granted data adequacy with the EU despite the threat of a potential block due to a no-deal Brexit.
According to the Financial Times, the decision should be approved ‘imminently,’ and would be a great relief to firms concerned about the impact a data flow block would have.
The European Commission, which has drafted up the agreement, would allow the free flow of data between the UK and EU countries on the basis that both had similar data protection (DP) laws in place.
It was discovered last year that EU data transfer requirements could cost UK businesses up to £1.6 billion in the event of a no-deal Brexit.
An Economics Foundation report stated that the extra cost of compliance for companies could also bring increased risks of GDPR fines, less EU-UK trade, reduced investment, and the risk of businesses relocating parts of their operations outside the UK.
Concern was due to news that UK would be relegated to ‘third country’ status once it leaves the EU, meaning that only a formal agreement guaranteeing the UK’s regulations were in keeping with the EU’s could restore flows.
The newly announced data adequacy agreement comes after the UK and the EU agreed on a ‘six-month continuity period’ which would allow time to hash out a deal.
According to Wim Stoop, CDP Customer and Product Director at Cloudera, the new agreement will allow business leaders to “breathe a sigh of relief”.
“Uncertainty around how UK businesses can transfer data in and out of the EU has reached boiling point over the past few weeks, but this decision will go a long way to alleviate some of the pressure facing firms, as a result of Brexit,” Stoop commented.
However, Dr Julie Nixon, senior associate at Morton Fraser, warns firms that they may not be out of the woods yet: “British businesses must remember this decision is not yet final, so any celebration could be premature.
“There is still a temporary four-to-six-month bridge period during which time certain requirements, such as the approval from representatives of all EU member states, must be met. During this period, personal data can continue to flow from the EU to the UK.
“But it’s recommended that UK businesses transferring personal data with EU and EEA organisations should put alternative transfer mechanisms in place, such as Standard Contractual Clauses, to safeguard against any interruption to personal data flows in case an adequacy decision is not officially adopted by the end of the bridge period,” Nixon said.
According to the Financial Times, the agreement is expected to be announced later this week(Friday) and will be ‘continuously reviewed’ by the EU and will be subject to “legal challenges at the European Court of Justice”.
Stoop continued: “This ruling could be short-lived should the EU tweak its laws and strike agreements with other countries in the future. Businesses cannot rest on their laurels and hope this day does not come.
“Instead, they have to act now to protect themselves and this starts with ensuring their data is properly managed and compliant with rules and regulations, regardless of new ones which may come into force later down the line.”
- MarTech 2021 Virtual Summit | Just one week to go!
- Comment | Tackling unwanted bias in technology
- IbisVision accelerates rollout of its remote optometry appointment tech
In June of last year after The European Data Protection Board (EDPB) told MEP’s that that a DP adequacy agreement between the UK and the EU could “fall apart” if a data protection agreement with the US was deemed ‘unacceptable’ post-Brexit.
In the event of a deal falling apart, British firms would be left in the dark over DP regulations post-Brexit. However, the new deal would mean they can rest a little easier.
Commenting on the issues firms could face with DP regulations, Stoop said: “Organisations have a lot to contend with when it comes to data protection, but as a starting point, they should focus on getting governance right from the start.
“With this approach, data privacy and protection will become naturally ingrained in the business. At its very core, good governance, just like good data protection requires technology, people and processes working together to derive value from data.
“By doing so, businesses can not only ensure every piece of data in their possession is protected, but they can operate with the assurance that they are remaining compliant.”