Head of Marketing at Griffith College Steven Roberts offers an opinion on Brexit and its potential impacts on small business owners.
Two of the most prominent business issues for Irish companies are set to collide over the coming weeks. The first is Brexit, which has long been on the radar of Irish small and medium businesses. It is now nearly three years since the UK voted to leave the EU. Brexit presents many challenges for company owners seeking to do business in the UK. However, one of the aspects SMEs may not have considered is the impact it will have from a data protection perspective, and in particular transfers of personal data to and from the UK.
Many SMEs outsource a range of functions to businesses based in Britain or Northern Ireland. Typically, these can include HR, IT and payroll. In other cases, firms use UK suppliers to provide marketing communications and CRM platforms. All of these will be affected by the UK’s withdrawal from the EU. It is important that SME owners consider the implications and take action in a timely manner to ensure compliance.
The second is data protection compliance. There is now significantly increased consumer and industry awareness of data protection and privacy, following the introduction of the General Data Protection Regulation (GDPR) in May of last year. The recent annual report from the Data Protection Commission bears this out. It showed that data breach reports increased by a very substantial 70% year on year for 2018. The number of complaints received by the DPC also increased substantially, up 56% from 2017 figures.
Businesses face a range of possible scenarios
One of the most difficult aspects of Brexit is the level of uncertainty it presents to businesses. No one can at this point say with any level of certitude what will happen. A range of scenarios remain plausible. These include at least three possible outcomes, namely:
1. A ‘no deal’ Brexit, whereby the UK exits the EU without an agreement on 12th April;
2. A deal is agreed between the UK and EU, with an orderly transition period;
3. An extension to the current deadline is agreed and Britain’s exit is delayed for a further period.
Each scenario presents a different set of data protection options for businesses. By far the worst is a ‘no deal’ Brexit. This would mean Britain immediately acquires the status of a ‘third country’ under GDPR. In that sense, it would be no different to a non-EU country such as Australia or Brazil. It would then have to seek an ‘adequacy decision’ from the EU, whereby the European Commission decides that a country meets adequate levels of data protection. Such decisions are in place with a range of nations globally, the most recent being Japan. However, firms expecting a quick resolution via an adequacy decision may be left waiting. Data privacy experts estimate the process could take up to 18 months.
The latter two scenarios – a deal with an orderly transition or a delay for an unspecified period – essentially see a continuation of the current status quo during that time, with Britain continuing to adhere to GDPR. Each would provide its own level of uncertainty as to post-Brexit data protection requirements and the timelines for when these would commence.
International data transfers
At present, Irish businesses can transfer data to Glasgow and Manchester as easily as to Galway or Mullingar. This will change once the UK leaves the EU. Under the new regime, SME owners will need to review existing transfer arrangements to ensure these remain GDPR compliant. Standard Contractual Clauses present one of the simplest, and likely most common, solutions for most companies. These are model data protection clauses approved by the EU. When embedded in a legally binding contract, they allow for the free flow of personal data.
The EU is currently developing other mechanisms as part of GDPR. These include codes of conduct and certification schemes. However, both are still under development and are not an immediate option for businesses to consider.
Another option is Binding Corporate Rules (BCRs). These are legally binding and enforceable internal rules and policies for data transfers within multinational companies. However, this will not be a viable option for the vast majority of small and medium-sized firms, most of which will not have a significant international presence.
Lastly, derogations also exist under GDPR, and could provide a short-term option in the event of a no-deal Brexit. There are six possible derogations to consider:
– If the business has obtained explicit consent to carry out the transfer of a consumer’s data;
– If it is required for completion or performance of a contract;
– If it is in the public interest;
– If a legal obligation exists;
– If it is in the vital interest of the data subject;
– If the firm can claim a legitimate business interest.
These come with a caveat, however. The European Data Protection Board advises that derogations must be ‘interpreted restrictively’ and used mainly for activities that are ‘occasional and non-repetitive’.
The UK has advised it will transpose existing GDPR requirements into new laws, once Brexit has taken effect. While this will assist businesses in Britain sending personal data outward to the EU, it will not affect the EU’s designation of the UK as a third country.
Small and medium business owners face multiple demands on their time. The Data Protection Commission is currently seeking to raise awareness of the impact Brexit will have on GDPR compliance. The difficulty for many SME owners is in predicting with any accuracy the likely outcomes within a range of possible Brexit scenarios, and the timelines involved. Business owners are thus faced with the unenviable task of seeking to ensure compliance, with limited resources, against a background of a continually moving target. It will be interesting to see how SMEs respond and prepare for these challenges in the face of such uncertainty.
Steven Roberts is head of marketing for Griffith College. A certified data protection officer and fellow of the Chartered Institute of Marketing, he writes on strategy, marketing and data protection.
The opinions expressed are the author’s. They are not intended as a substitute for seeking professional legal advice.