A data disaster is approaching, and most businesses aren't ready for it

Data transfers from the EU to the UK might be unlawful in as soon as two months, but legal advisers and business owners are still in limbo when it comes to best practices.


"Don't laugh," warns Ethar Alali, the founder of Manchester-based technology and engineering firm Axelisys, "but I tend to be quite risk-averse, so I started planning for Brexit in November 2016."

There seems to be no reason to laugh. Four years later, with less than two months left before the UK leaves the EU, many businesses would probably envy Alali's foresight. 


Based on the learned assumption that "as soon as politicians start touching things, they fall apart," Axelisys's founder soon anticipated that Brexit would come with a wealth of challenges. Alali's conclusion might have sounded radical at the time: for him, the best way to cope with most potential risks was to move parts of his company into the European bloc.

"Forget about deal or no deal," Alali tells ZDNet. "We reduced it to a simple question. Should we do nothing, and potentially have to deal with all the consequences of things that might happen in the future, or do we look at moving some of our company to the EU, thereby mitigating any risk on either side of the channel, whatever that risk will be?"


Axelisys's European counterpart, Axelisys OÜ, has now been operating since 2018. Today, Alali has many reasons to be glad for his decision; one of them, albeit not the most obvious one, is data transfers. 

The CEO started looking into data compliance about a year after the Brexit referendum. Axelisys is a digital services company, which assists businesses in developing new technologies of all kinds, ranging from interactive e-commerce websites to Alexa skills. With clients located around the world, managing digital information is an integral part of the company's daily operations.

Even without much official guidance, it seemed evident to Alali that Brexit would create some data flow problems. After months of planning, he decided to split the company's cloud presence between the UK and the new EU branch, irrespective of Brexit negotiations. In the face of uncertain politics, Alali played it safe: keeping EU data in the EU, and UK data in the UK, seemed the safest way of weathering any storm once Brexit came.

Some would say he made a wise move. The post-Brexit trade of goods and services between the EU and the UK seems top-of-mind, but data is another issue that will grow into a major sticking point for businesses if no deal is achieved with the European bloc before 1st January 2021.


EU countries adhere to what is considered to be the gold-standard set of rules for personal data protection, the General Data Protection Regulation (GDPR). Personal data belonging to EU citizens can therefore flow freely across borders within the bloc, since information is only sent to countries that also enforce GDPR and so provide a high enough level of data protection.

If Brexit happens without a deal that addresses data, personal information will continue to travel unimpeded across the EU – except the UK won't be part of the game anymore. Unsurprisingly, the UK has confirmed that the personal data of UK citizens could continue to be sent freely to the EU. But from the very start of 2021, GDPR will cease to apply in the country; the issue will be to find alternative ways to import personal data from the EU into the UK.

For over two years, while still belonging to the EU, the UK has enforced GDPR; for this reason, it is hoped that the European bloc will recognize that the country provides an equivalent level of data protection, and continue to allow personal data to be sent to the UK. This is called an adequacy decision, which the EU has already granted to a select few countries, including Canada, Switzerland and Japan.

But while the UK government still claims that it is confident that an adequacy agreement will be reached, obtaining the EU's green light before Brexit day is in fact looking increasingly unlikely.

Alali, after four years of planning, feels prepared for a no-deal, no-adequacy scenario. Axelisys now boasts both an EU datacenter and a UK datacenter, so that personal information can be processed in the correct location. Data is segregated as much as possible to stay clear of transfers from the EU to the UK, which might suddenly be unlawful from 1 January 2021.

If anything, the change has made Axelisys an international company, only hastening a development that Alali was hoping for. But unfortunately, this type of scenario is not the prospect awaiting every UK business. 

About three-quarters of the UK's digital trade is with the EU, across sectors ranging from financial services and e-commerce to law, investment and healthcare. After decades of being a member state, most UK businesses don't give a second's thought to being able to freely send and receive information about EU citizens, be it for HR purposes or marketing projects.

Now, those data transfers will have to be scrutinized. To make matters more complicated, every business has a unique setup of channels through which data can come and go, meaning that there is no one-size-fits-all procedure to inform the next steps.

Angeliki Tsanta, a policy analyst at Brussels-based technology consultancy Inline Policy, tells ZDNet: "An online marketplace, like a bookstore, that is established in the UK and serving clients in the EU, will have to think of who buys what and from which IP address, what to do with their payment details and physical address."

"HR data about EU citizens sent to a centralized UK system would be an issue. If I go on a UK-established website that is using my data for advertising purposes, that is also problematic. So, this is going to affect many companies."

The Information Commissioner's Office (ICO) has drawn a rough guide to different scenarios; but the only general rule that applies is that from next year, every time a UK business processes personal data about an EU citizen, they will have to make sure that the appropriate schemes are in place to provide a level of protection that is legally equivalent to the GDPR. 

There is no industry that the issue won't impact. The British Bankers' Association has published advice to UK-based banks that might be providing services through a branch network in the EU, or using specialist data storage facilities on the continent – all of which will be problematic transactions after Brexit. 


Healthcare might face challenges, too: the NHS has confirmed that data about EU citizens that is used for clinical trials will be affected, and recommends "appropriate prior action". A UK-based hotel that receives EU customer information through a booking agency will need to think about additional measures; so will a UK law firm with a client base in the rest of the EU. 

Jeremy Stern is the CEO of UK-based small business PromoVeritas, which organizes online prize-drawing campaigns for larger brands, and ensures that the "instant-win" competitions that abound on social media are run legally. "So we have a ton of data, and ad data is crucial to what we do," says Stern.

With 40% of the company's income based on work conducted in Europe, Stern has been keeping a close eye on the regulations that could affect data transfers – and often felt like he was going down a rabbit hole. PromoVeritas organizes campaigns for multinationals that span multiple countries, with data returning to the company's UK-based servers through myriad different channels. 

"Say if we are running a French website on behalf of a campaign," explains Stern. "Will that French person entering the competition expect to see their data ending up in London? Probably not. That was not a problem when we were part of the EU, but after Brexit, it will be."

Stern is going to spend the next six weeks reviewing the contracts that he has with clients who have a base in Europe to figure out where amendments need to be made. 

For those transfers that will have to continue, the ICO advises firms to set up a standard contractual clause (SCC) – a contract signed between the sender and the receiver of personal data, and approved by an EU authority, which sets out how the data importer will protect information in a way that is GDPR-compliant. SCCs have to be signed for each individual data transfer, which means that companies will have to look through their data flows to dig out exactly which transactions will require a new contract.

Not only is the process burdensome, but it might not be enough. The UK's mass surveillance laws have been a point of contention for a number of years in EU courts, and extra measures might be required on top of SCCs to protect European citizens' data from across-the-Channel government snooping. 

Requiring supplementary measures – like encrypting or anonymizing EU citizens' personal data – from third-party countries wouldn't be unprecedented. The issue was at the heart of a recent ruling by the EU's Court of Justice against data transfers from the bloc to the US, called Schrems II. 

"Schrems II doesn't invalidate SCCs, but there is the question of whether or not supplementary measures will need to be put in place," says Loretta Pugh, partner at law firm CMS. "We haven't had any guidance on whether or not it will be necessary for the UK. So, the problem is that there are a lot of unknowns at the moment."

With less than two months before the deadline, legal advisers and businesses alike are still in limbo as to what to expect, and the best course of action is yet to be defined. 

Inevitably, smaller businesses will be those worst affected: while multinational companies can rely on large legal departments to anticipate the upcoming issues, SMEs aren't necessarily getting the right advice, nor are they aware that they should be. "They often don't even know this is an issue," says Pugh, "so they're pretty far from doing something about it."


Relying on official guidance doesn't seem to be an option. The UK government has so far counted on the prospect of securing adequacy with the EU, and little information has been given out about the possibility of failing to reach an agreement. In any case, with the decision ultimately in the hands of European regulators, it is difficult to advise before a formal decision is made in Brussels. 

PromoVeritas's Stern finds it hard to contain his frustration. The company's founder is spending his "nights and days" thinking about data compliance, while knowing that no exact answers can be reached yet. 

"I suppose the number one piece of guidance that would be nice to hear is that we won't be going to jail if we mean right, but no government is going to say that," says Stern. "I accept the need for regulation, but it's annoying when doubt and uncertainty linger around."

The time spent revising contracts, finding problems, and negotiating solutions with clients is a financial burden for a company the size of PromoVeritas. And while it is hard to tell how much a no-deal, no-adequacy scenario will cost individual businesses exactly, Stern finds it hard to find any benefits that Brexit could bring to counterbalance the data disruption.

"I don't really know what the upside is," he says. "You can only try to be positive, and if you can, act now."