The narrowly avoided Hard Brexit was a welcome respite for a number of companies, including those in financial services. Had the UK and European Union (EU) failed to strike a compromise, many cross-border activities, such as the free flow of data – which had previously been carried out without impediment – risked facing disruption, combined with high costs. Research estimated that UK businesses would have been forced to spend £1.6 billion to establish alternative data transfer mechanisms had a deal not been reached.1 In a more recent development, a draft decision about data sharing is expected to be approved by the European Commission (EC).
At a recent RBC Investor & Treasury Services webinar, Andrew Glessing, Head of Risk, Regulation and Compliance at Alpha FMC, discussed the path to-date, and shared his insights about some of the data challenges that could potentially emerge in the coming months.
1. The UK adopts a business as usual approach to data sharing: Ahead of the UK’s departure from the EU on December 31, 2020, the British government transposed the EU’s General Data Protection Regulation (GDPR) into domestic legislation. The UK version of GDPR – which effectively mirrors its EU equivalent – allows for UK personal data to be shared with the EU from January 1, 2021.
There will be limited changes to cross-border data transfers between the UK and EU for the first six months of 2021
2. The EU adopts the status quo...for six months: Effective January 1, 2021, the EU introduced a temporary bridging mechanism that allows personal data from the EU to be shared with the UK. This regime will remain in place until June 30, 2021. As such, there will be limited changes to cross-border data transfers between the UK and EU for the first six months of 2021.
3. The EC has recently deemed UK rules to be equivalent, pending formal approval: More recently, in actions taken following the webinar, the EC released the results from their assessment on adequacy with the UK. Over the past few months, the EC has assessed the UK’s personal data protection laws and has come to a decision that they are equivalent to the requirements set out under GDPR.
4. The European Data Protection Board (EDPB) will complete its further review: The draft assessment from the EC still requires formal approval before the UK is granted adequacy: The EC’s proposed decision on adequacy needs to be reviewed by the EDPB, and then also needs formal approval from a committee composed of representatives from each EU Member State. Depending on the outcomes of these reviews, the EU could then look to adopt the decision and grant the UK adequacy for the transfer of personal data.
Data adequacy
is not necessarily
permanent in nature
5. Data adequacy can be removed at any stage: Should the UK be formally awarded data adequacy, market participants will need to be aware that this designation – similar to equivalence – can be removed arbitrarily by the EC and European Parliament. Data adequacy is not necessarily permanent in nature and is something financial firms should be mindful of. The UK will also undergo a formal review every four years to determine whether the level of protection within the UK continues to be adequate.
6. UK firms should consider the risk of data adequacy removal or non-approval: Financial institutions should recognize the risk of the UK either not receiving or losing its EU data adequacy approval. Firms will need to start building in processes ahead of the June 30, 2021 deadline to factor in the possibility that existing data transfer channels between the EU and UK could be disrupted. The risk of the UK not being granted initial adequacy now appears to be significantly reduced. However, there is still a residual risk that adequacy may not be formally approved or could be revoked in the future.
7. Get a plan in place: In the immediate term, firms will need to mobilize employees and begin project work to prepare for any changes to the data rules. They will then need to initially define their data footprint by identifying all of the personal data they use regularly along with the sources of that data. Once that task is completed, firms must isolate instances where personal data is being disseminated from the EU into the UK.
8. Start proportionate business contingency work: Should data adequacy not be granted, firms will need to find ways in which critical data can be obtained from either non-EU markets or onshore. Businesses will also need to ensure that cross-border data transfers from the EU into the UK are not interrupted.
Should data adequacy not be granted, firms will need to find ways in which critical data can be obtained from either non-EU markets or onshore
9. Dust off the Brexit strategy: Although it was a challenging time for businesses when Brexit negotiations went so close to the wire in 2020, it did simultaneously force organizations to prepare for the risk of a no-deal Brexit. As a result, some investment firms and financial institutions already have effective contingency measures in place to mitigate the risk of the EU not granting data adequacy, which would put an end to seamless data transfers.
10. Higher costs could await firms: If the UK does not receive data adequacy, firms could find themselves incurring higher compliance costs at a time when many are facing margin pressures2, along with the uncertainty caused by COVID-19. The penalties for violating data regulations in both the UK and EU are incredibly serious, and shortcomings could result in reputational damage.
Final word: The EC’s recent draft assessment makes it much more likely that adequacy will be granted. Despite this, there is still a risk that the EU could alter how personal data is transferred out of the bloc and into the UK if adequacy is not approved this year or is revoked in the future, leading to potential disruption. To effectively navigate this risk, firms should continue to enhance their data strategies in order to safeguard their businesses against any regulatory headwinds.