Time is running out ahead of new data rules. But many companies will struggle to be ready

The latest official advice for businesses is not preparing them effectively for the data issues that are looming.

21 October, 2020

"Time is running out. Act now," reads the government's tweet as it publishes new guidance for UK businesses to prepare ahead of Brexit day. With less than three months before the deadline, an official update now details the steps that organizations should take to make sure that data doesn't stop flowing between companies in the UK and their clients and suppliers in the EU on 1 January 2021 – with all of the chaotic consequences that the suspension of digital transfers would bring about. 

Various departments in the UK government have joined forces to lay out the actions that might be necessary to keep importing personal data once the country leaves the European bloc, and at the same time stops being protected by the EU's General Data Protection Regulation (GDPR).

Once the GDPR ceases to apply, and unless a specific deal is reached with the EU on the matter, the UK will be considered a third country by the bloc – meaning that European regulators will have to assess whether the level of data protection in place in the UK is sufficient to allow data to flow freely between the two zones. 

Until the EU grants this special status, called adequacy, UK businesses won't be able to import any personal data from European countries, which includes information ranging from names and delivery details to IP addresses or HR details such as payroll data.

"If the EU has not made adequacy decisions in respect of the UK before the end of the transition period," notes the government, "you should act if you want to ensure you can continue to lawfully receive personal data from EU/EEA businesses (and other organizations) in the future."

One of the transfer mechanisms that businesses should start to look at, according to the government, are standard contractual clauses (SCCs) – a set of terms and conditions that the sender and the receiver of personal data both sign up to for every data transfer, that is then approved by an official European regulator. Some organizations might also need to appoint EU-based representatives from January 2021 to liaise with local data protection authorities. 

There isn't much information on top of the new document to inform businesses on best practices to prepare ahead of the deadline. "The document doesn't go into very much detail about what you're actually supposed to do," Ben Rapp, the founder of privacy consultancy Securys, told ZDNet. "In a situation where the UK doesn't have adequacy, there is more to do than just relying on SCCs."

Convincing all the necessary signatories that European data will be protected safely in the UK will be a challenge, according to Rapp. 

What's more, the contracts include an obligatory right of cancellation that the exporter of data can trigger at any point, which means that data transfers, even if they are secured by an SCC, will always be at risk of being terminated, should one of the signatories decide that the safeguards in place in the UK are not equivalent to the rights granted under GDPR in the EU.

"You have to do this extraordinary job of demonstrating that the data importer – whoever you are sending data to in the UK –  is going to take appropriate steps to safeguard the rights and freedoms of European data subjects," said Rapp. "Except nobody really knows what those appropriate steps are, and whether they will be sufficient to convince European regulators that the transfer is safe."

The latest guidance published by the government is not up to the challenge that is mounting up and facing businesses, according to Rapp. One of the reasons that the document lacks detail might come down to the expectation that the UK will be granted adequacy before the country leaves the EU. As part of the advice, the government effectively states that it is "confident" that an adequacy decision can be concluded "by the end of the transition period." 

A DCMS spokesperson said: "We are completely committed to maintaining the highest data protection standards. The free flow of personal data is an important objective for both the UK and EU and talks with the Commission are ongoing on this front in a fast-moving process. It is only right that we prepare for every eventuality with published guidance for businesses alongside additional help on the Information Commissioner's Office website."

The adequacy decisions that the EU has already achieved with other third countries have taken up to five years to be settled upon. Recent events have also highlighted the EU's increasing wariness of data protection practices in the UK. For example, the EU's court of justice recently ruled that the bulk collection and retention of citizen data, which is currently legal in the UK thanks to the Investigatory Powers Act (IPA), was contrary to European law. 

Experts have warned that this is likely to come in the way of an adequacy decision being reached on time. "There's been extraordinary complacency from government in general around the likelihood of the UK to get adequacy," said Rapp. "The reality is that any UK business that relies for any reason on importing data from the EU should assume there isn't going to be adequacy and they need to do the work."

The latest guidance published by the government on post-Brexit data transfers, unfortunately, does not seem to match the size of the task at hand. "The fact is that we don't actually know how to legitimize transfers of data between the EU and third countries at the moment," said Rapp. "It kind of begs the question of: why publish anything at all? It seems to fall between two stools – both over-confident and under-helpful."