As we enter the new year, banks will already be working flat out on gearing up for GDPR – an EU-wide regulatory package that marks a step change on data protection policy.
If 2017 was the year of MiFID II preparations, 2018 will be a time of data audits and system changes to be ready for General Data Protection Regulation (to give it its full title). But even as banks across Europe get ready for the implementation date in May, the prospect of Brexit less than a year later stands to undermine their careful preparations.
Transfers of data from one country to another happen as a matter of course for pan-European banks. Firms may have a presence in several countries but will often manage certain functions such as HR or financial crime monitoring from a centralised location. Therefore, being able to freely share personal data is essential for day to day operations.
The UK, like all EU member states, will be subject to GDPR rules from 25 May 2018, and cross-border data transfers will be able to continue as normal. But when the UK leaves the EU just 10 months later in March 2019, that could create a significant problem.
At that point the UK becomes a ‘third country’ (in the technical jargon), which means its data protection framework will no longer automatically be deemed sufficient by EU regulators. This could pose a significant challenge for pan-European firms that have built their business models around operating across the EU27 and the UK. Without overcoming some pretty stringent legal hurdles firms would have to stop transferring data or face hefty fines for non-compliance.
A cliff edge can still be avoided. But for this to happen the EU27 and the UK must take advantage of a mechanism within GDPR that would allow EU27 and UK regulators to approve such transfers.
If the European Commission deems a third country to have an ‘adequate’ data protection framework in place, then data transfers between Europe and that third country could continue uninhibited. Given that the UK will have such a similar legal framework to EU data rules (indeed, the EU (withdrawal) Bill will ensure that the UK will continue to comply with GDPR rules even after it has left the EU) there is a strong case for the Commission to agree to such treatment. The UK should also agree the same in reverse to enable UK-EU data transfers.
The alternatives, such as amending contracts to permit cross-border data transfers, will put the onus onto individual firms to make appropriate arrangements, which risk not being put in place in the time available in the run-up to Brexit. This will create a huge amount of extra work and complexity, and could also leave institutions open to legal challenges. It would also come at a time when firms had already put significant effort into complying with the GDPR rules, as well as grappling with other causes of Brexit disruption.
In short, mutual adequacy would be a simple, robust and all-encompassing solution in an area where the UK and EU27 will have very similar legal frameworks.
Time is short to get agreement, so both parties should press ahead. Both sides should begin adequacy assessments as soon as possible and data transfers should be included in any transitional arrangements to ensure there is no cliff edge on 30 March 2019. Otherwise, what on the surface could seem a relatively arcane issue, could cause significant operational problems.
*This opinion was originally published in City AM on 1 February 2018