Businesses in the UK could be hit with up to £1.6 billion ($2.14 billion) worth of extra costs just to make sure that data can continue to flow legally with the European Union from the start of 2021, unless a deal is achieved on the issue in time for the Brexit deadline.
A new report from the New Economics Foundation, together with University College London’s (UCL) Europe Institute, found that between legal expenses and new compliance mechanisms, businesses could end up facing large bills to comply with European data protection law in a no-deal scenario.
The researchers estimated that compliance costs will range from an average £3,000 ($4,000) for a micro business to almost £163,000 ($218,000) for a large company. Inevitably, smaller firms with no legal departments and fewer financial resources will be less prepared for, and therefore harder hit by, the new requirements.
As the UK exits the EU on 1st January 2021, so will the country leave the bloc’s common set of data protection rules known as the General Data Protection Regulation (GDPR). The GDPR enables the personal data of EU citizens to travel freely across borders since information is processed in countries that all adhere to the same regulation. As soon as the UK leaves the EU, it will also cease to be part of the GDPR-covered zone – and other mechanisms will be necessary to allow data to move between the two zones.
The UK government, for its part, has already green-lighted the free flow of digital information from the UK to the EU, and has made it clear that it hopes the EU will return the favor. This would be called an adequacy agreement – a recognition that UK laws can adequately protect the personal data of EU citizens. But whether the UK will be granted adequacy is still up for debate, with just over one month to go.
If no deal is achieved on data transfers, companies that rely on EU data will need to look at alternative solutions. These include standard contractual clauses (SCCs), for example, which are signed contracts between the sender and the receiver of personal data that are approved by an EU authority, and need to be drawn for each individual data transfer.
SCCs are likely to be the go-to data transfer mechanism in the “overwhelming majority of cases,” according to the report, and drafting the contracts for every single relevant data exchange will represent a costly bureaucratic and legal exercise for many firms. UCL’s researchers estimated, for example, that the London-based university would have to amend and update over 5,000 contracts.
What’s more, warned the report, SCCs are more than standard terms that can be inserted directly into contracts. The process is complex, and will require mapping all of a company’s data transfers, conducting risk assessments, and engaging legal experts for advice and guidance.
“It’s not good enough to put the text in the contract, and that’s it,” Duncan McCann, senior researcher at the New Economics Foundation and co-author of the report, told ZDNet. “There needs to be a real risk assessment of the country that the data is going into, to make sure the SCC has some validity.”
Because of this complexity, there has been no previous attempt to estimate how much new compliance mechanisms will cost, should the UK crash out of the EU without a deal on data transfers. The researchers anticipated that overall, businesses will be spending between £1 billion ($1.34 billion) and £1.6 billion ($2.14 billion) if no adequacy decision is achieved, but warned that the number should be interpreted with caution. In many cases, said the report, the costs could be higher, and a greater number of companies are likely to be affected.
For many companies that are already coping with the consequences of the Covid-19 pandemic while trying to prepare for the wider implications of Brexit, the possibility that some data transfers with the EU might be unlawful from the start of 2021 will come as bad news. Those most likely to be disproportionately affected, explained McCann, are small and medium enterprises.
“Few SMEs have skills in-house,” he argued. “They’ll be contracting lawyers and experts, which has costs. This will be a drain on their already dwindling capital, and it won’t even go towards boosting efficiencies or increasing savings. We’ll be asking them to spend all that money just to maintain the status quo.”
The cost of SCCs is only the short-term economic consequence that data “inadequacy” might bring about. If personal data transfers from the EU to the UK become unlawful, UK businesses might also struggle to remain competitive, as EU organizations turn to EU-based services that don’t carry the complexity and risk of SCCs.
Of the UK’s international data flows, 75% are with the EU. Some sectors, like financial services, IT or insurance, are delivered mostly digitally, and could be hugely affected if data flows slow down. While quantifying the impact of data inadequacy is difficult, therefore, the report concluded that reducing data transfers between the EU and the UK has the potential to undermine the competitiveness of key UK services and digital technology sectors.
John Llewellyn, an economist and former head of international forecasting at the OECD, told ZDNet: “Of course, the cost of these things is immeasurable because you can’t tell how many organizations would have imported data and, in the case of inadequacy, won’t anymore. But there is room for a rude shock.”
The latest report from UCL and the New Economics Foundation recommended that the UK government continue to raise awareness of the risks and costs of a lack of adequacy within the business community, and that practical tools be designed for organizations to prepare. The researchers also called for funds to be set aside, especially for SMEs, to help businesses cope with the cost of new requirements.