Has International Data Transfer Cleared its Biggest Hurdle?
- Mark Adams, Regional Director, Northern Europe at Cohesity
- 25.08.2021 05:00 pm
Brexit has caused severe headaches for business leaders charged with keeping operations running – and none more than for the financial services executives charged with keeping data flowing between the EU and the UK.
Experts were concerned late last year that a looming deadline would mean data transfers would become unlawful. The good news is that the European Commission published two draft data adequacy decisions, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive (LED), to allow for the continued transfer of personal data to the UK. The EU recently green-lighted the free flow of personal data with the UK.
Organisations across the EU and UK have welcomed the decision. But what does this decision mean for IT and business leaders tasked with managing and protecting data? Has international data transfer cleared a hurdle or are there still significant challenges ahead for financial services executives?
Making a move towards adequacy
The publication of the draft decisions by the EU earlier this year was the beginning of a process towards their adoption. This process involved obtaining the green light from representatives of the EU member states. Now that this procedure is completed, the EU can proceed to adopt the adequacy decision – something that could have big implications for data transfer.
The movement of data is an integral part of modern financial services. Firms store and process data digitally as part of their operations, from managing corporate accounts to dealing with investments and on to preventing crime. This reliance on data movement means the adequacy decision is crucial for finance firms.
The adequacy decisions cover the flow of data from the EU to the UK. Data, of course, also flows in the other direction: from the UK to the EU. Those flows are regulated by UK legislation – and the UK had already decided that the EU ensures an adequate level of protection, given that EU law has shaped the UK's data protection regime for decades.
However, Brexit means the UK is no longer bound by EU privacy rules; leaving the EU meant the country effectively ceased to be protected by the GDPR. Without adequacy, EU member states would be unable to ensure data protection is enshrined in law – and that would create a whole series of complications for finance executives.
Businesses in both markets would have to set up complex alternative mechanisms to comply with GDPR rules on the flow of digital information. Economists estimate that the total cost of implementing those new contracts to keep data flowing legally could amount to £1.6 billion ($2.14 billion), with smaller firms hit the hardest.
That’s an unthinkable price to pay and that’s why the adequacy decisions are a big step forwards. As Věra Jourová, vice-president for values and transparency at the EC, suggested at the publication of the draft agreement: “Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel.”
The adequacy agreement is a big relief to business bosses who are concerned about the potential for disruption. But the battle is far from won. While the adoption of the drafts represents significant progress, there are still challenges to overcome. Executives should proceed with caution; it is imperative that organisations keep a tight grip on their data.
Recognising that equivalence is still required
Despite the EU's data adequacy decision, it’s probably still too early to assume that data will continue to flow as freely as it did before. There were originally concerns that the review process could lead to recommendations and restrictions. What’s more, the adequacy decision as published only applies to UK data law as it is written now.
The best course of action for business leaders in all sectors is to act as if it’s better to be safe than sorry. Yes, the adequacy decision paves the way for smoother data transfers but regulation is an almost constant work in progress. Therefore, managers should think about how data is shared and they should use standard contractual clauses to ensure flows are legitimised.
Any decision on adequacy must work for both the UK and EU member states. It must also work now and into the longer term, which is why the drafts included unambiguous and strict mechanisms around monitoring and reviewing adequacy.
The adopted drafts are valid for a first period of four years. After this time, it would be possible to renew the adequacy agreement – so long as the level of protection in the UK continues to be seen as adequate by the EU.
Many finance firms in the UK and EU put in place contingency measures to ensure continued access to markets before Brexit. Lessons can be learnt from the process thus far as finance firms and other businesses in the UK still have other data management challenges to overcome. Interestingly, other agreements are now being reached: the UK and Switzerland recently announced a mutual recognition agreement that would allow for reduced costs and lower barriers to entry for finance firms accessing each other’s markets.
Legal firm Farrer & Co says now is the time for firms to consider the future and to focus on any decisions that may be granted in respect of financial services between the EU and the UK. It will take a keen eye to keep track of these changes, as things are changing on a monthly basis.
Where do we go from here?
The data adequacy decision has helped international data transfers to clear a hurdle but other barriers remain, not least if the UK decides to take a different direction on data regulation and to diverge from GDPR. Doing so would create a whole new series of challenges for business leaders, both in terms of the regulatory bind and in terms of the working hours it would take to cope with new data laws.