Delphotostock - Fotolia

Brexit and risks to data privacy and governance

EY privacy specialists assess the risks to data privacy, protection and governance on the table for businesses, with less than two months until Brexit

  • Paul Smith and Krittika Singh

Companies have been so preoccupied with the challenges presented by Covid-19 – delivering remote working overnight, getting people back into offices safely and securely, and potential job insecurities – that they have been distracted from Brexit. But with less than two months to go until the transition period ends on 31 December 2020, businesses find themselves with a series of data protection, privacy and governance challenges to overcome.

Even without Brexit, the data governance landscape has its challenges, and best practices still apply. However far along organisations are on their data protection journey, the UK preparing to leave the EU is an opportunity to take some key actions before the transition period ends to not get caught out.

Here are some of the considerations around data protection risks that organisations may not – but should – be prepared for before the turn of the year.

The movement of personal data between different locations is a crucial area for companies to consider. They need a clear view of the logistics around data transactions, where they store it and the rules and regulations as a result, especially (but not exclusively) how they interact with their customer base.

Transfers from the UK to other countries can continue under existing arrangements, at least for the time being. But companies in the EU need to be ready with answers to a range of data sharing and storage scenarios. Broadly these questions cover three key areas: Where can I store my data? Which countries can view my data? In which countries can I process the data?

Depending on the answers, organisations might need to consider technology solutions that provide the right level of governance and support concepts such as anonymisation or obfuscation (removing data) to enable them to continue to manage operations and performance.

Whichever applies, it is likely that businesses will need to update their documentation and privacy notice to expressly cover any resulting data transfers and formulate a communication plan to notify data subjects about updated privacy notices.

Think about your ecosystem

Companies must also consider their data ecosystem as part of their governance strategy. Engaging with third party organisations that form part of their supply chain is paramount so that transparency on data transactions is prevalent and compliance is adhered across jurisdictions.

Once again, responsibility expands beyond the processing one performs and so the same questions over sharing, viewing and processing data apply. Do a company’s contacts fall within the European Commission adequacy provisions or provide it with the safeguards it needs? Further, how is the company getting confidence around its compliance with those safeguards? Whether companies are using standard contractual clauses or more specific terms and conditions, these need to be right.

If the business is receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, transparency extends to knowing how the sender of the data will comply with its local laws on international transfers.

GDPR, PECR and other compliance initiatives

The interaction between key EU legislation – the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), the eCommerce directive – and Brexit will introduce some complications that need to be considered before the end of the year.

These include the appointment of a representative in the EU, identification of an EU Supervisory ity (SA) as a lead ity, arrangements for a new EU-based Binding Corporate Rules Lead SA or accessibility of UK-based Data Protection Officer (DPO) to all data subjects in the EU. In addition, there is also the possibility that multi-jurisdictional fines will be imposed on material breaches of UK and EU data.

Organisations must take stock of the personal data they hold to distinguish between data acquired before the end of transition period and after in order to comply with EU data protection law or data protection provisions of a withdrawal agreement as the case may be.

While other compliance initiatives – such as PECR rules – will continue to apply the eCommerce Directive will no longer apply to the UK at the end of the transition period, hence organisations may have to ensure that they are compliant with relevant requirements in each EU country they operate in. Businesses need to be clear on about how they manage their compliance programme going forward especially as the UK and Europe have a two-tiered system in place.

Fundamentally, it remains vital that companies have the information they need to track where their data assets are and how data moves into, around and out of the organisation. GDPR provides the framework for businesses to manage this and making sure that it is working well and understood by staff will be key. 

Opportunity to reflect

On top of the regulatory requirements and the immediate response to Brexit, now is also an opportunity for businesses to reflect on the data they collect, consider what exactly it is used for, conduct early awareness training on Brexit implications for key functions to keep them abreast of the potential changes and decide whether to invest in technology to analyse it properly. For example, there are tools to anonymise data collected and perform analysis, while preserving anonymity of the individuals.

Brexit should not be about businesses stopping what they were previously doing, but ensuring that proper care is taken to meet the changed requirements.

Looking ahead

Ultimately, Brexit doesn’t change our responsibility for protecting individuals’ data, and it remains a fundamental and integral part of how the UK does business. What it does do is change the mechanisms we have previously relied on and perhaps requires businesses to have clear sight and understanding of what they are doing with their data.

The regulatory environment in the EU is also changing. The recent European Court of Justice ruling on launched a consultation into how companies use standard contractual clauses in response to the ruling. Companies should be alive to future changes to the regulatory environment governing data protection.

The regulator is only going to get more focused and therefore the world we live in today will be a far more regulated environment so that the UK continues to be competitive and protect consumer data.

Paul Smith is associate partner in risk advisory at EY UK&I; Krittika Singh is senior consultant in risk advisory at EY UK&I.

Content Continues Below

Read more on Privacy and data protection


  • The impact of blockchain in COVID-19 pandemic

    Organizations across several industries from healthcare to retail are turning to blockchain to help support critical business ...

  • Top 5 digital transformation trends of 2021

    In 2021, low-code, MLOps, multi-cloud management and data streaming will drive business agility and speed companies along in ...

  • Private 5G companies show major potential

    Companies across several vectors are deploying their own private 5G networks to solve business challenges. Here, experts dive ...


  • How to perform a cybersecurity risk assessment, step by step

    This five-step framework for performing a cybersecurity risk assessment will help your organization prevent and reduce costly ...

  • 6 common types of cyber attacks and how to prevent them

    To prevail in the battle against cybercrime, companies must understand how they are being attacked. Here are the six most ...

  • The enterprise case for implementing live-fire cyber skilling

    Companies continue to grapple with the cybersecurity skills gap, but Adi Dar offers a way to ensure security teams are properly ...


  • 5 networking startups helping enterprises adapt and prepare

    Even in a global pandemic, these five networking startups continue to impress. Learn how their innovative technologies can help ...

  • Private 5G networks to gain momentum in 2021

    Enterprises using industrial IoT devices are among the early adopters of private 5G networks, which could become an $8 billion ...

  • Ensure network resilience with redundancy and skills

    Ensuring network resilience doesn't just mean building redundancy in network infrastructure. It should also include planning ...


  • Server failure, Linux comprise 2020 data center management tips

    When you work in IT, you should consistently try to expand your knowledge base. This tip roundup explores recent content about ...

  • Smart UPS features for better backup power

    Vendors now offer UPSes with functions that help regulate voltage and maintain battery health. Before you upgrade, evaluate costs...

  • Data center market M&A deals hit new high in 2020

    This year proved to be a banner year for data center mergers and acquisitions with 113 deals valued at over $30 billion, a pace ...


  • What FAIR data management means for your enterprise

    The FAIR principles were made to promote the sharing of data in the research field, but their guidance can help organizations in ...

  • Emerging data management trends to watch in 2021

    A number of nascent efforts across the enterprise data landscape became manifest in 2020 that are likely to become larger trends ...

  • Data lineage documentation imperative to data quality

    Understanding the detailed journey of data elements throughout the data pipeline can help an enterprise maintain data quality and...