Whichever outcome it may be ultimately, we believe that companies should not be too comfortable that the current status will sustain and instead should be proactive in exploring measures to mitigate any risk of the ‘adequacy’ status being revoked by the EU. Such exploratory exercises can be in the form of future scenario modelling which encapsulate each outcome and offer alternative approaches for data processing.
Assuming a no ‘adequacy’ status between the EU and UK, organisations would face a significant administrative hurdle with the handling of EU data-subjects’ data; especially given that three-quarters of the UK’s international data flows are with the EU. All aspects of information processing and transfer that relates to an identified or identifiable individual living in the EU such as names, IP addresses, HR details, or even delivery details, would require examining, and in most cases, it would be necessary to put in place specific contracts called Standard Contractual Clauses (SCCs). SCCs have to be signed by both the sender and the receiver of data in a contract covering the specifics of the data to be transferred, and place significant technical and legal obligations on the receiver. The cost of implementing appropriate data transfer mechanisms like SCCs at a company-wide scale is high: recent reports from the New Economic Foundation estimate that the overall cost to UK businesses could reach £1.6 billion.
Click the button below to read more.