What would a no-deal Brexit mean for UK digital business?

The data-related stumbling blocks post-Brexit may be self-created by the UK government and businesses themselves.
19 August 2019

Boris Johnson in Brussels. Source: Shutterstock

With a no-deal Brexit potentially on the cards, the short-term concerns of many UK citizens and their government may include medicine shortages, unsafe drinking water, a return to civil war in Northern Ireland, rocketing food prices and widespread civil unrest.

For digital businesses and organizations, the longer-term consequences of the country crashing out of the EU may also create a situation analogous to the predicted logjams at airports, seaports, and the Channel Tunnel. But rather than queues of lorries, data-driven businesses may be looking at the imposition of information flow and storage restrictions.

At present, the UK operates under the auspices of GDPR, with all the stipulations and strictures that are well-publicized. The UK government enacted GDPR in the form of the 2018 Data Protection Act, which will, of course, continue to be in force after the UK leaves the EU. From that point, however, the UK will become, in terms of the GDPR, a “Third Country.”

That means as a nation, its data and information practices will need to be assessed by the EU before it can be granted “adequacy” status. Adequacy is a virtual badge which would ensure data on or pertaining to EU citizens (for instance) could be held by UK-based organizations, and ensure— to coin a phrase— business as usual.

Post-Brexit data protection issues

There are three potential flies in the ointment that have the capability to have a negative impact of the ‘free-flow’ of digitized information into and out of the UK which organizations need to be aware of:

Adequacy as a status is something that will take many months, if not a year or more, to achieve. There is a possibility, therefore, that the EU may place strictures on information about its citizens being held on UK soil. That will have significant effects of data businesses that currently use UK data centers or in-house data repositories.

The current mounting concern about the use of unregulated surveillance in the UK by private companies may hamper the country’s application for ‘Adequacy’. Under GDPR, companies that wish to use facial recognition systems need to have a good reason to do so, and nebulous claims of “security” are unlikely to cut it.

The UK government itself also may be creating further problems for its citizens and businesses trying to operate post-Brexit. The EU has long been unhappy with the UK’s Investigatory Powers Act, which may prove to be an “inadequacy” (the EU may use the issue to pressure the UK into dropping or significantly amending the Act). Additionally, the UK government’s decision to prevent asylum seekers to the country accessing the data held on them is in contravention of EU regulations.

No-deal Brexit or New Deal Brexit?

At the time of writing, the UK government is attempting to begin negotiations to attempt to get a new deal for Brexit ratified and in place by the October deadline, so such an agreement may contain a framework in which there will be clear guidance for UK businesses.

Unfortunately, a lack of clear guidance means that there is a huge degree of uncertainty as to how things will be affected by the UK’s decision to leave the EU. The only certainty is that there will be little special provision for organizations whose lifeblood is data, in the same way that there is no guarantee of special provision for pharma, farming, or any other industry sector post-October 2019.