UK companies could face a £1.6bn ($2.1bn) hit if the EU doesn’t deem the UK’s post-Brexit data protection standards adequate, according to new research.
If the UK fails to obtain an “adequacy decision” from the EU after Brexit data flows between the UK and the EU could be disrupted — costing UK companies between £1bn and £1.6bn, the research from the New Economics Foundation and the UCL European Institute found.
Data adequacy is where the European Commission certifies that countries outside the European Economic Area (EEA) provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required.
If the UK does not secure an adequacy agreement, micro, small and medium-sized businesses will be the most affected by costs, according to the report. The average compliance cost is estimated at £3,000 for micro, £10,000 for small, almost £20,000 for medium, and £163,000 for large businesses.
Costs could include legal fees and bureaucracy that “would deprive businesses of vital resources and investment in new technology, staff, and research and development at a time when both businesses and the UK economy are struggling. The impact could be particularly stark for the services sector, especially finance, digital technology and data centres,” the report found.
A data adequacy agreement with the EU is vital for British businesses, “from enabling online trade to powering media research collaboration.”
Failure to obtain the adequacy decision could also increase the risk of General Data Protection Regulation (GDPR) fines issued to UK companies, due to the new compliance requirements; reduce EU-UK trade, especially digital trade; reduce domestic and international business investment; and push businesses to relocate their functions, infrastructure and personnel outside the UK.
The European Court of Justice has recently tightened up the EU’s requirements for countries it shares personal data with. The report calls on the government to continue showing the EU how it meets standards for data adequacy.
The EU defines personal data as any information relating to an identified or identifiable person — including name, address, bank or health records, car registrations and photographs. Since May 2018, personal data within the EU has been protected through GDPR.
The report calls on the government to provide support and guidance for businesses to manage the cost of complying with EU data transfer rules in the case that an agreement is not obtained.
Oliver Patel, research associate at the UCL European Institute said: “In recent years, the European Court of Justice has taken a much tougher approach to restricting data transfers between the EU and other countries, much to the consternation of the business community. Post-Brexit, there is a risk that EU-UK data transfers could be targeted by activists and European courts, seeking to exploit the rigid EU rules in this area.”
Julian David, chief executive of TechUK, said: “The report provides a clear assessment of what we in the industry have known for a long time, that not reaching a data adequacy agreement will be hugely costly for UK business, and in particular SMEs.
“The UK must aim to be a leader in the new data-driven trading world and so achieving an adequacy agreement with our largest export market is key and will help us with our economic recovery from the COVID-19 pandemic.
“This, as well as the costs of failing to reach an agreement, underscores the vital importance of a data adequacy agreement and the need for the UK and the EU to work constructively together to achieve this outcome.”
WATCH: What is a no-deal Brexit and what are the potential consequences?