By Leigh Bates and Conor MacManus
As firms now press ahead with their Brexit plans to move parts of their business to the EU-27, they face a number of challenges. Alongside the movement of people and logistics, firms are focussing heavily on governance, booking models, infrastructure, technology and data. Indeed, the Prudential Regulation Authority (PRA) and Financial Policy Committee (FPC) have identified the management, sharing and protection of personal data between the UK and EU-27 post-Brexit as one of the key risks to financial services firms.
Firms’ potential inability to transfer data freely post-Brexit may seem like an obvious risk. Data is of fundamental importance to the business models of all financial services firms. Technology, infrastructure and automation all play a critical role in maintaining firms’ daily operations and informing their strategies. With evolving innovative technology, the effective use of data has more potential than ever to improve firms’ business models.
Today, personal data can be transferred cross-border in the European Economic Area (EEA). Firms have taken advantage of this freedom to transfer data across the EEA, and many have taken steps to reduce data storage and processing costs by concentrating data centres in locations across the EU, outside of the UK.
The transfer of such data is governed by the Data Protection Directive (DPD) which sets minimum standards for the use of personal data. In May 2018 the DPD will be replaced by the General Data Protection Regulation (GDPR). The GDPR will strengthen the EU’s data protection rules further. Under the GDPR the European Commission (EC) will also have a role in determining whether the data protection regimes of non-EU countries should be deemed to be adequate, allowing firms to transmit personal data to those countries. But where the EC has not taken an adequacy decision, personal data can only be transferred if significant additional requirements are met, such as seeking consent of the individual for any cross-border transfer of their personal data.
The UK Government has stated it will not seek an adequacy ruling post-Brexit and will instead seek a bespoke agreement with the EU, a position which has potentially created even more uncertainty around future arrangements. But the UK Government has committed to continuing with the implementation of GDPR.
Brexit could have a significant impact on data transfers between the UK and other EU countries. Any transfer between the UK and the EU could be subject to restrictions and/or increased regulation. Agreements the EU has reached with other countries, which the UK can currently take advantage of, may also be impacted.
Firms would be well advised to ensure they have a sound understanding of the nature of all their cross-border transactions and data flows into and out of the UK. There may not be time to react to the eventual outcome of trade and equivalence negotiations; action is required now.
What impact would a cliff edge Brexit have? Would it prevent transfer of personal data between the UK and EU-27? The implications could be significant, potentially undermining cross-border business models. UK firms hosting data in the EU may need to repatriate data to the UK, while EU firms operating in the UK may need to repatriate data to EU-located data centres – no small task.
Financial services firms should be taking steps now to understand what data challenges Brexit may pose and the degree to which they are likely to be affected if the free transfer of personal data cross-border in the EU is no longer possible. While the best outcome for firms in the UK and EU-27 would undoubtedly be an agreement which allowed continued seamless transfer of data, we should all be prepared for a different outcome.