With the deadline for the UK's Brexit decision now put back to October 31, businesses might well view Halloween 2019 with terror. With data processing and storage so vital for many sectors, the question of how Brexit will affect data movement across borders is a significant one.
A Google search for the words "Brexit" and "Uncertainty" delivers more than 27 million results. On the other hand, you'll find just seven million results for "Brexit" and "Clarity" and a quick scan of those finds that they concern "lack of clarity". If there's one iron rule of Brexit it's that nobody knows anything.
There are, broadly, four possible outcomes on or before October 31. For our purposes, we can ignore two: if the process is delayed beyond October 31 or if the UK somehow decides to stay in the EU or revoke Article 50 for a longer rethink, then nothing really changes.
Deal or No Deal?
There are two relevant scenarios: A no deal Brexit or a departure with a deal. Let's start with the deal, since that is what both sides want to achieve before the new deadline.
Currently, as an EU member, the UK is subject to data regulations, such as GDPR, that have been assembled over several years. These regulations allow data transfers between the UK and the EU, and vice versa. But they also cover data moving between the EU and elsewhere. Tearing them up affects the UK's agreements with the EU but also any other country to which it might send data.
Perhaps your company stores its data in the EU, or you have customers there. In either case, you could find it difficult to process that data in the UK.
If the UK leaves with a deal, then existing regulations should continue to apply during a planned transition period. Under the original schedule, with the UK leaving at the end of March 2019, this period was due to last for 21 months - until the end of 2020. During that time, data would flow as usual, while regulations are renegotiated. In theory, businesses should then have plenty of warning of the new regulations - whatever they might be - and could plan accordingly. But there is a lot to renegotiate and it's not impossible that the transition period could be extended or that some negotiations would happen with the UK outside the EU.
In the event of a no deal Brexit, the UK Government has already confirmed that it will not restrict businesses from sending data to the EU. However, the UK cannot set regulations for data coming the other way. Much will depend on how the EU views the UK.
An adequate compromise
The UK needs "adequacy" status to show that it meets EU standards and data can continue to flow. Only a handful of countries have adequacy status, however, so it is not a given, particularly if the EU takes the view that the UK will use its departure as a chance to cut regulation, for example around data privacy.
Optimists say that securing adequacy status will take a few months, but the EU's data protection supervisor has warned that it could take years and the UK will have to join the queue behind countries that are already trying to get an adequacy decision.
In that case, businesses will face substantial disruption. Furthermore, adequacy status is unsatisfactory because it can be revoked at any time. Ideally, UK businesses would want some kind of regulatory cooperation on data, but this would take time to agree. Meanwhile, the UK would be simultaneously checking its regulatory compliance with the US and other nations with which it does a lot of business.
Any company that hasn't done it already needs to follow the ICO's six steps to take for leaving the EU. These include maintaining current compliance standards and conducting a thorough review of data flows and structures.
Some companies have opted to duplicate their data operations in Europe - for example in Dublin or Amsterdam - and simply treat the UK as if it is already outside the EU. This is costly and time-consuming, so it isn't an option for every company.
For companies that use third parties to store their data, it can be important to ensure that data does not cross borders or change jurisdictions. This could now be a problem with the EU, which has led to some suppliers adding the UK as a separate zone for data compliance. Box, for example, did so back in January.
Businesses like to minimise uncertainty as much as possible, which is what makes the current situation so frustrating. Unfortunately, as Google will tell you, Brexit and uncertainty go together like Halloween and pumpkins.