An official document detailing the potential outcomes of a no-deal Brexit, leaked over the weekend, has shed light on the likely aftermath of leaving the EU without a deal.
The Sunday Times has reportedly seen a copy of the Operation Yellowhammer report, the codename for the contingency planning being carried out across government to prepare for a no-deal scenario. The report includes 12 “areas of risk” and the newspaper reported that in the event of a no-deal Brexit, the country could face shortages of “fuel, food and medicine”, as well as delays at the border and additional checks for UK citizens travelling to the EU.
Prime Minister Boris Johnson has said he will negotiate to avoid a no-deal Brexit, but has warned that the possibility of the UK leaving the UK without a deal should not be ruled out.
Although less pressing than issues such as access to food and medicine, the dossier also includes some worrying predictions for the transfer of data from the UK and EU, which many organisations have come to rely on.
According to The Sunday Times, the report warns that if an agreement on data is not reached by the UK and the EU, this could “disrupt the flow of personal data from the EU, where an alternative legal basis for transfer is not in place. In no-deal, an adequacy assessment could take years”.
For businesses relying on data for their day-to-day operations, the prospect of disruption to the transfer of personal data could be significant.
How could data transfer be affected?
Because the countries within the EEA are all subject to the same GDPR regulations, the flow and processing of personal data between the UK and other EU countries is currently unrestricted.
If a deal can be reached before October 31st, then UK organisations will have a transition period where data flow will not change while a new arrangement is put in place. However, if the UK crashes out without a deal and with no transition period, transferring data from the European Economic Area (EEA) to the UK could become more complicated.
The UK government has outlined what this could mean for data transfer. It has said that the UK will “transitionally recognise the European Economic Area (EEA) as though they have been subject to an affirmative adequacy decision by the UK”, meaning that personal data can continue to flow freely from the UK to the EEA.
However, when the UK leaves, the EU will treat it as a “third country”, meaning it will be considered outside of the EU’s data protection laws, and as a result the transfer of personal data may be restricted, or may be subject to additional safeguarding to ensure that the data receives the same level of protection outside the EU, despite the fact that the vast majority of GDPR is set to be incorporated into UK law regardless of the outcome of Brexit.
The two sides would then need to negotiate a deal to decide how data will flow between them, and the EU will need to determine whether the UK’s data privacy laws are adequate enough to allow data to be processed there, known as an adequacy deal. However, there is much uncertainty surrounding how long this could take, with the Financial Times reporting in February that this could take “years”.
A no-deal will have “a significant impact on the flow of personal data”
Samuel Leach, director of Samuel and Co Trading, explains how this will make the process of transferring data more complicated:
“In the event of the UK leaving the EU in a no-deal Brexit scenario, would, at least in the short-term, have a significant impact on the flow of personal data between the UK and the EU. Each EU member state will have to provide their own rules for transferring data to the UK, ensuring that alternative mechanisms for transfers are in place.
“UK businesses can take a number of practicable steps to prepare for the eventuality of a ‘no deal’ Brexit, to ensure that they are not restricted from transferring or receiving personal data from outside the UK.
“It would be sensible to carry out an audit of the location of customers and suppliers to determine which (if any) are in non-UK countries. Likewise, if your business is part of a wider group, consider if there are any group companies based outside the UK with whom you share personal data.”
Thanks to cloud computing, many orgainsations now store data in other EU countries, and currently there is a degree of uncertainty as to whether this can continue after a no-deal Brexit. As a result, data processors in the EU may consider the regulatory risk or additional cost too high and stop sending data to the UK, and businesses may need to reconsider how their data is stored.
“A no-deal Brexit will have a great detrimental impact on UK businesses”
Although it remains to be seen whether a no-deal Brexit will become a reality, the ICO has urged businesses to start preparing for no-deal Brexit data transfer, advising them to “start by mapping your data flows and establish where the personal data you are responsible for is going”.
Privacy and GDPR compliance consultant at Kazient Privacy Experts Jamal Ahmed explains that businesses will most likely be affected by the impact of a no-deal Brexit on data:
“A no- deal Brexit will have a great detrimental impact on UK businesses. It will be affect each and every business that sends or receives personal data to anywhere in the EEA or US. That includes where a business uses a service (such as hosting for their website, or emails, or storage) which stores that data on servers which are located in US or Europe.
“British business are likely to lose clients from the US and Europe due to a no-deal Brexit as the hassle of making adjustments and changes may be deemed too onerous to make, making it more attractive to use a EU based business over a UK based business instead.
“Currently businesses within the UK rely on the EU-US Privacy shield to transfer data – upon a no-deal Brexit UK business will not be protected by the Privacy Shield as they will no longer be part of the EU and as such will not be allowed to transfer data to the US using this widely popular existing mechanism.
Businesses could bear the brunt of these additional costs. In January, the Exiting the EU Committee said that a lack of clarity on data flow after a no-deal Brexit could be “burdensome and costly” for business.
Ahmed believes that businesses should review their current data transfer practices and prepare for any changes they may need to make:
“UK business need to review their data flows and make amendments to all contracts with vendors that involves the transfer of personal data outside the UK to the US and EU and insert Model clauses to allow them to continue operating legally in the event of no deal Brexit.
“Businesses who fail to take the correct steps could potentially face fines of up £17m in the event of a no-deal Brexit if they do not implement adequate safeguards (ie Model Clauses).
“Businesses must bear the costs of the legal resources required to make the necessary changes.”