Brexit and GDPR Compliance: The True Costs for Businesses

the cost of compliance in case of brexit

As the end of the year approaches, UK business owners still await an adequacy decision from the EU. However, a favorable decision is by no means guaranteed or even likely, which is why companies need to start preparing for changes in how their staff transfers information between the EU and UK. We’ll look at a study completed by the New Economics Foundation (NEF) that analyzes the true costs of Brexit for businesses and what the government can do to assist in this matter.  

Aggregate Costs 

When we look at the aggregate figures for UK firms, the NEF has predicted the cost of GDPR compliance will be somewhere between £1 billion and £1.6 billion. This is a conservative estimate, but it does cover both labor and the costs of goods and services. So this might include anything from purchasing new compliance software to hiring an independent auditor to ensure proper precautions are being taken. Broken down, the NEF believes it will cost micro-businesses £3,000, small businesses £10,000, medium businesses £19,555, and large businesses £162,790. 

Economic Implications 

Without an adequacy decision, we’ll likely see:

  • More compliance violations
  • Businesses transferring outside of the UK
  • Reduction in UK-EU trade
  • Reduction in domestic and international investment 

The additional restrictions placed on UK businesses due to Brexit will be difficult to implement. The odds of making an error are high, which increases the odds of GDPR fines due to compliance failures. Between the hassle and risk, it’s no surprise economists are predicting that many business owners will wash their hands entirely of the situation. Whether they break off partnerships or establish their business in a new country, these reactions will have lasting implications on the economy. 

7 Recommendations 

The NEF has made seven recommendations for the government to help businesses streamline the transition and reduce confusion surrounding the new parameters. 

1. Use Empirical Data 

There are sizable gaps in how we study the effects of data protection. The NEF recommends that the government creates better data and modeling tools and makes them more available. From digital trade to data flows, this can help officials understand which measures are working, what needs to be adjusted, and what needs to be eliminated altogether. In turn, this should improve public policy for businesses and encourage engagement among affected parties. 

2. Update Adequacy Discussions 

The government has already issued an Explanatory Framework for Adequacy Discussions. The content in it states that the UK is committed to maintaining a data protection system aligned with that of the EU’s GDPR. The government also states its intentions of developing its own system as well. If the UK wants its system to be judged as adequate and in accordance with the EU’s standards, it needs to provide clear evidence as to how it will protect data subjects’ rights. (This should be done both at the domestic and trade agreement levels.)

3.  Detailed Explanations 

The UK government has already outlined its data protection regime in the National Data Strategy. However, the NEF believes it needs more information about how exactly officials will support the rights of UK and EU citizens. As the EU considers the plan, officials will require clear and logical explanations to support the government’s thesis. Augmenting data privacy rights is a complicated job, one that has to account for countless factors. If the EU feels that these elements are not sufficiently addressed, the organisation will be more likely to dismiss the UK’s efforts. 

4. Review the Reality 

The true burden of Brexit still remains to be seen and these preliminary estimates only go so far as to cover the eventual realities. However, the UK should be weighing the trade-offs of data flows beyond its borders right now. Officials should look into what this will mean for trade agreements, and how they can support businesses if they’re unable to receive an adequacy decision from the EU. (Many businesses will be hard-pressed to take all necessary precautions, especially when COVID-19 is still wreaking havoc with the economy.)

5. Raise Awareness 

Businesses everywhere are struggling to keep their heads above water, and unfortunately, many are minimizing or even ignoring the impact of Brexit on data protection. The government should be raising awareness within the business community, regardless of whether the business is in the UK or EU. This will be a delicate matter as business owners are unlikely to respond well to new demands right now. The government will need to stress the importance of this matter, both in terms of the inherent privacy rights of individuals as well as possible penalties for breaking the rules. 

6. Provide Practical Tools 

There are several data transmission mechanisms proposed by the EU, though Standard Contractual Clauses (SCCs) continue to be the most popular. These mechanisms are relatively technical and dependent on the nature of the transfer. The UK should be providing simple tools that organisations can use to carry out SCCs or other transferring mechanisms. Some methods will require official approval, so it’s critical for businesses to pay attention before they come under an investigation. 

7. Set Aside Funds for Businesses 

Businesses should not be forced to bear the burden of every Brexit cost. If the government has a reserve fund, particularly for small and medium businesses, it will make it easier for enterprises to power through this transition period. 

How GDPR365 Can Help

The absence of an adequacy decision won’t be ideal, but it’s also not a death sentence for the economy. Having the right tools at your disposal can help you cope with what’s ahead, regardless of whether the government steps in or not. 

GDPR365 software is implementing prompts to help business owners and staff remain compliant. The system first asks you to choose a legal basis for your export (likely SCC). Should you or your staff select this, you’ll find a link to the European Data Protection Board website. This allows the user to confirm whether the contract fits the terms for SCCs before they proceed. When the new SCC terms are finalised, the link will reflect the latest regulations. These links are country-specific and updated in real-time. 

GDPR365 offers an all-in-one solution highly affordable. Starting at £45/month, a license will include all features from data mapping to data breach management but also DPIA (Data Protection Impact Assessment) and Data Subject Access Request (DSAR). Click now on the button below to book a demo and see our software can speed up your compliance.

Leave a Reply

Your email address will not be published. Required fields are marked *