Businesses face an aggregate cost of between £1 billion and £1.6 billion if no data adequacy agreement is reached between Europe and the UK as they scramble to adapt to data flow disruption.
Once the Brexit transition period ends on 31 December, the legal basis for transferring personal data between the UK and EU member states fundamentally changes. Though UK businesses can still transfer data to the EU, an adequacy agreement needs to be reached in order to ensure the continued flow of data from the EU to the UK.
Failing that, organisations face high costs that stem from the need to invest in compliance obligations, such as standard contractual clauses (SCCs) which need to be set up individually to ensure the continued flow of data.
This is according to academic modelling by UCL and the New Economics Foundation (NEF), which projects the need for additional spending on behalf of businesses to comply with the new reality post-Brexit.
Although the Data Protection Act 2018 largely enshrined the principles of GDPR into UK law, an adequacy agreement isn’t guaranteed, and various factors could influence the EU’s decision. Among these are how willing the UK may be to bend the strict data protection principles when negotiating the terms of any future trade deal with the US.
The additional expenditure represents the money that companies would have been free to spend on other areas of the business that they’ll instead be forced to channel into compliance activities, or investing in goods and services.
The modelling has broken down the projected costs businesses of particular sizes could face, ranging from £3,000 for a micro business to £162,790 for a large business. Small businesses face roughly £10,000 in additional compliance costs, with the figure rising to £19,555 for a medium-sized firm.
In addition to these costs, no adequacy decision would have further economic consequences, including the increased risk of GDPR fines, reduction in EU-UK trade, reduced investment, and the relocation of business functions, infrastructure and personnel.
“The combination of a potential no-deal Brexit, coupled with the ongoing Covid-19 pandemic, means that business and the economy can ill afford more cost, complexity, and risk,” the report said. “Although the adequacy decision is in the hands of the European Commission, the UK government still has a large part to play.
“All parties hope that the outcome of the last few years of Brexit negotiations will be a comprehensive partnership agreement. This will be an important achievement of huge social and economic significance. Without a wider agreement on the future relationship, adequacy will be very hard to attain.”
UCL and REF also issued seven recommendations that the government should follow to make life as easy as possible for UK businesses concerned or anxious about the impact of no adequacy agreement post-Brexit.
Among these directives, the government should explain how the changes to the UK’s data protection regime will also strengthen and enhance the rights of UK citizens, and also consider the impact of future trade deals on data protection.
The government should also strengthen measures to support businesses. These include raising awareness of the risks a lack of adequacy agreement, provide simple tools to allow UK organisations to continue to use SCCs, as well as setting aside funds to ensure that struggling businesses can afford to comply with the new requirements.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.