Guest post by Ben Rapp, Founder and Principal at Securys
HMRC has estimated the cost of filling in 200 million customs declarations alone – deal or no deal – will cost UK business more than £7 billion a year, when the Brexit transition period ends on December 31.
But the new cost of sending personal data has yet to be estimated – and it looks to be crippling. Worse still, many UK companies remain unaware that they will be affected.
A huge proportion of UK companies handle the personal data of European eCommerce customers, tenants, staff, patients, legal clients, students, investors and so on.
The EU is our largest trading partner after all. But no personal data will be transferred freely into the UK from Europe from January, as an agreement allowing it is highly unlikely at this stage.
In October the government announced an Australia-style, or no-deal, Brexit was likely, and published guidance saying UK businesses had just over 70 days to prepare.
The government has called it the Time is Running Out campaign – and they’re not kidding. The required action is impossible to achieve by the end of the year – not just because it’s too much to do in that space of time but also because the guidance is too vague.
Some things, though expensive, are at least clear. A dot.eu domain name might no longer be valid and have to be changed, leading to new SEO and marketing costs.
Dressing up a no-deal Brexit as an “Australia-style” deal is enormously unhelpful
Appointing a representative in the EU to continue operating digital services will be a new burden. As will managing a licence to employ EU workers. But buried in the guidance is the requirement that businesses processing data should start using standard contractual clauses (SCCs).
These are contracts detailing all transfers of personal data between the receiver and the sender on EU-approved terms and setting out the safeguards that the receiver – in this case the UK business – will put in place to protect data, especially from possible UK government surveillance.
This is a huge new burden on transfers that flowed freely up to the end of the year. Within the guidance, businesses have not been given any clues as to what steps they need to take to show that a data transfer is safe.
In other words: how to satisfy individual data protection regulators in the 27 EU countries that their citizens’ data will be protected in the UK. The guidance also doesn’t mention that the contracts must include a right of immediate cancellation by the data exporter – the sender – at any point.
So even if they are secured by an SCC, data transfers will always be at risk of termination if it’s decided the UK safeguards are not equivalent to the rights granted in the EU. Dressing up a no-deal Brexit as an “Australia-style” deal is enormously unhelpful.
It’s hard to imagine why the government hasn’t compiled any figures on the increased cost to business of restricting data flows.
Australia doesn’t have an adequacy agreement with the EU allowing for the free-flow of data. It’s improbable at this stage the UK will leave Europe with one either. These adequacy agreements take years to negotiate, much like regular trade deals.
South Korea has been working on adequacy since 2015. And it’s worth adding that Australia can’t be that happy with their terms since they’ve been trying to negotiate a free-trade agreement with the EU since 2018.
It’s hard to imagine why the government hasn’t compiled any figures on the increased cost to business of restricting data flows. 11.5% of all cross border global data flows through the UK. Digital is worth 7.7% of the UK’s economy – £400 million a day. The finance sector alone, worth around 7% of UK economic output, is transferring data every day; and many of the tech giants including Facebook, Apple, Google and Microsoft have major operations in the UK that rely on frictionless data transfers.
More broadly, 75% of all the UK’s digital trade is with the EU – and this is now seriously compromised. We’re encountering outrage and confusion from businesses owners.
It is important for businesses to do their best in the face of the deadline – in order to prove to regulators by the end of the year that they have a roadmap and are meeting its milestones.
But the government must demonstrate some respect for the value of data transfers to the economy, and work much harder to protect the vast number of UK businesses that will be affected.
More about Securys here