The cost to UK businesses of not receiving an adequacy decision from the European Commission could total between £1 billion and £1.6 billion, according to a new report by think tank New Economics Foundation and UCL European Institute.

The report, compiled from interviews with 60 EU and UK legal professionals, data protection officers, business representatives and academics, estimates average costs for impacted businesses could reach £3,000 for a micro business, £10,000 for a small business, £19,555 for a medium business and £162,790 for a large business.

These costs would arise from compliance obligations, such as establishing standard contractual clauses (SCCs), to maintain data flows in the absence of an adequacy decision from the European Commission recognising the UK’s data protection regime as adequate in protecting European data subjects’ rights.

The lack of an adequacy decision could also mean that businesses must weather more risk of GDPR fines; reduction in EU-UK trade (particularly digital); reduced domestic and international investment; and the relocation of business functions, infrastructure, and staff outside of the UK, the report predicts.

Seven potential mitigations that the UK government could undertake are recommended by the report:

  • make data and modelling tools available to support empirical research on the social and economic impacts of data protection, digital trade, and the value of data flows
  • update its published ‘Explanatory Framework for Adequacy Discussions’ in the light of recent CJEU rulings
  • further explain how potential changes to the UK’s data protection regime referenced in the UK National Data Strategy will strengthen the rights of UK and EU citizens
  • consider the impact and implications of future trade agreements on data protection
  • continue to raise awareness among the UK and EU business communities of the risks and costs of a lack of adequacy
  • provide tools to enable UK organisations to continue to use SCCs
  • allocate funds for UK businesses, such as SMEs, to assist in compliance.

The UK seeks an adequacy decision to govern data transfers from the EU to the UK after the Brexit transition period ends on 31st December. But recent court rulings have raised concerns over the potential impact of the British national security and surveillance regime, as well as its future relationship with the US.

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox.

Topics