Some of the dust has settled since the end of the bridging period following the UK’s official exit from the European Union, but there are still numerous issues to resolve. We looked into what the still-evolving relations between the two entities mean for businesses.
On the 31st December, the UK officially left the European Union. Over six months later, and with the bridging period now over, the post-Brexit landscape remains far from settled. For companies navigating the murky waters of new data privacy laws, supply chain regulations and the end of free movement – they are often left with more questions than answers. However, one thing is for sure: Brexit has changed the way in which businesses operate, and it’s imperative that organisations understand how they must remain compliant by changing with it.
Increased Data Regulation
The European Commission’s recent adequacy decision dated June 28th 2021 allows for the free transfer of personal data between the UK and the EU, without the need to resort to burdensome mechanisms for cross border data transfers. “This is great news for organisations on both ends of the English Channel,” notes Jakub Lewandowski, Global Data Governance Officer at Commvault. “GDPR aimed to strike a balance between, on one hand, the protection of fundamental rights and freedoms of data subjects and on the other, providing sufficient flexibility for businesses to operate and process personal data.
“Post-Brexit UK now has the possibility to redefine this balance by introducing new legislation. This might mean that in the years to come, we will see increasing discrepancies between the broadly understood UK’s and EU’s data protection regimes. It is important to note that there are certain constraints as well. The adequacy decision contains a built-in procedure for periodically reassessing whether the UK conforms with the requirement to provide adequate protection of personal data. The next such assessment will take place in 2025, creating a new wave of uncertainty for businesses.”
The decision will be reviewed in four years, notes Samantha Humphries, Head of Security Strategy EMEA at Exabeam. However, “until then, it’s business as usual. While it is good news UK companies do not have to immediately alter their data decisions or how they are currently storing and protecting their data, there needs to be clearer guidance from the government on the conversations around policy, and if it is really helping security.”
Reforms Are Needed
The recent TIGRR (Taskforce on Innovation, Growth and Regulatory reform) report has reported its recommendations to the Prime Minister on how the UK can reshape its approach to regulation and seize new opportunities from Brexit with its newfound regulatory freedom.
“Included in the report are calls from the Government for reforms on stronger rights and powers to consumers and citizens to place proper responsibility on companies using data,” highlights Michael Queenan, Co-Founder and Director at Nephos. “It has also muted GDPR as out of date especially when it comes to AI. So, what happens next?
“If applied correctly, reforms could be a huge improvement on what we have today and an opportunity for the UK to forge its own path when the sunset clause is up on our adequacy status from the European Commission. The terms simple, agile and proportionate are used positively, but I don’t think the value of consumer data should be used as a way to attract business or indeed as a saleable asset.
“The TIGRR report refers to using common law which, personally, I think is the wrong way to look at it. We need a fit for purpose UK Data Privacy Law directing how certain types of data should be classified, stored and processed. It should then state what companies are allowed to use consumer data for without the consumer’s individual consent, rather than a generic opt-in process. If you take cookies for example, most people just click accept when they come so they can get onto a particular website – not many people read the T&Cs.”
The recent TIGRR report has provided recommendations to the Prime Minister on how the UK can reshape its approach to regulation post-Brexit. What might happen?
What’s Next for Data Regulations?
“My expectation is that the ICT industry itself and the use of ICT technologies will become an increasingly regulated space,” notes Lewandowski. “That is why it is absolutely crucial to identify as early as possible any potential new requirements and prepare for the upcoming changes in the legal environment around data. Foremost though, businesses need to start thinking now – if they haven’t already – about ensuring their data processes are watertight, ready for any eventuality.”
“It is time to start applying approaches to data governance that are suited to the way data is being used now and putting data owners consent at its core for publicly used data,” Queenan adds. “We should all be responsible for our own data, not the companies that have access to it.”
Humphries suggests that cyber experts must also question the validity of these conversations. “Security is an ongoing process and needs to be involved as you innovate, not as an afterthought. We need to work on shifting the mindsets of those who still consider security a ‘tick box exercise’, and realise there is no one rule that fits all. Business leaders should secure their operations because it’s the right thing to do, not because of woolly regulation. And from the UK government, we need uncomplicated and cohesive guidance that makes sense for organisations, with clear expectations which are not open to interpretation.”
The recruitment market has also become increasingly competitive over the last six months, with over three in four UK executives claiming that it’s difficult to recruit people with the right technical skills. “As the war for talent intensifies, we are seeing a shift from company vs company towards country vs country,” explains Kathryn Barnes, Employment Counsel EMEA at Globalization Partners.
The end of free movement has had a significant knock-on effect on global mobility. Pre-Brexit, UK based employees had access to a huge talent pool of skilled workers. However, Barnes notes that six months on, the reality of bringing on new staff from overseas has become more complex.
“Any employer relying on workers from EU countries faces a set of hurdles, documentation, timescales, and not to mention the significant financial burden, that could put the brakes on their talent expansion plans. Furthermore, whilst Brexit marked the birth of the UK’s point based immigration system, it has made it increasingly difficult for UK companies to get employees to the UK – especially in the early stages of their career.”
As a result of the pandemic, the global talent pool has, however, become much wider now that we can work from home. Barnes concludes. “Whilst Brexit creates barriers where they need not exist, it has encouraged employers to seek new pathways to secure talent. An SaaS Employer of Record solution, for example, removes these barriers creating only opportunities for limitless expansion.”