Posted By Jessica Weisman-Pitts
Posted on March 14, 2022
By Mark Adams, Regional Sales Director, Northern Europe at Cohesity
Brexit has greatly impacted business leaders tasked with ensuring operations continue to run – and particularly so for financial services executives who keep data flowing between the EU and the UK.
There was concern from experts at the latter stage of last year when it became apparent that a looming deadline would result in data transfers becoming unlawful. The positive though is that the European Commission issued two draft data adequacy decisions, one under the General Data Protection Regulation (GDPR) and the other under the Law Enforcement Directive (LED), to allow for the transfer of personal data to the UK to continue. Only recently, the EU gave the green light for the free flow of personal data with the UK.
This has been a welcome decision for organisations within the EU and UK. However, it’s important to understand what this decision means for IT and business leaders who manage and protect data. Has international data transfer overcome an obstacle or are there still notable challenges to overcome for financial services executives?
Transitioning to adequacy
The draft decisions announced by the EU at the beginning of this year are the start of a process towards their adoption. This process required the green light from representatives of the EU member states. As it is a complex procedure, the EU can begin to assume the adequacy decision – this has the potential for considerable implications for data transfer.
Moving data is a fundamental component of modern financial services. Data is digitally stored and processed as part of a firm’s operations, from leading corporate accounts to handling investments and onto crime interception. A dependence on data movement has meant that the adequacy decision is vital for finance firms.
The flow of data from the EU to the UK is covered by the adequacy decisions. Data, of course, also flows in the other direction: from the UK to the EU. Such flows are regulated by UK legislation, with the UK determining that the EU ensures a sufficient level of protection, particularly as EU law has helped define the UK’s data protection system for decades.
Brexit, however, has resulted in the UK being no longer bound by EU privacy rules; exiting the EU meant the country is no longer protected by the GDPR. In the absence of adequacy, EU member states could not have the assurance that data protection is enshrined in law, resulting in a host of difficulties for finance executives.
Complex alternative mechanisms would need to be established by companies in either market in order to comply with GDPR rules that cover the flow of digital information. It’s estimated by economists that the entire cost of executing those new contracts to ensure data continues to flow legally may amount to £1.6 billion ($2.14 billion), with smaller firms suffering the most.
It’s an inconceivable cost and one that highlights the reason why the adequacy decisions are a big step in the right direction. As Věra Jourová, vice-president for values and transparency, at the EC put forward at the announcement of the draft agreement: “Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel.”
For business bosses who are worried about the possibility of disruption, the adequacy agreement has been very welcome. However, the fight is far from over. While it is true that the adoption of the drafts signifies progress, there are still obstacles in the way. Executives should remain cautious; it is vital that organisations maintain a tight grip on their data.
Acknowledging that equivalence is still essential
In spite of the EU’s data adequacy decision, it’s likely still premature to presume that data will carry on flowing as freely as it previously did. To begin with, there were concerns that the review process might result in recommendations and restrictions. Furthermore, the adequacy decision as published is only applicable to UK data law as it appears now.
For business leaders across all sectors it’s best to act in a risk-averse manner. Whilst the adequacy decision does clear the way for more straightforward data transfers, the regulation is an almost persistent work in progress. In conclusion, managers need to consider how data is shared and should adopt standard contractual clauses to make certain that flows are legitimised.
All decisions on adequacy must be compatible with both the UK and EU member states. It must also work in the short and long run, which is why the drafts encompassed obvious and strict mechanisms around monitoring and reviewing adequacy.
The adopted drafts are in effect for an initial period of four years. Once this period has lapsed it would be possible to renew the adequacy agreement – assuming that the level of protection in the UK continues to be viewed as adequate by the EU.
A number of finance firms in the UK and EU implemented contingency measures to confirm continued access to markets before Brexit. To date the process has been a learning curve, as finance firms and other businesses in the UK continue to have other data management obstacles to overcome. What is interesting is that other agreements are now being made: only recently, the UK and Switzerland announced a mutual recognition agreement that would allow for a reduction in costs and lower barriers to entry for finance firms accessing each other’s markets.
Legal firm Farrer & Co suggests that the time is now for firms to contemplate the future and to concentrate on any decisions that might be permitted in accordance with financial services between the EU and the UK. It is no easy task, however, to keep track of these changes, as the situation is developing on a monthly basis.
Looking ahead to the next steps
The data adequacy decision has helped international data transfers overcome an obstacle, but other hindrances remain, not least if the UK considers taking a different course on data regulation and separating from GDPR. Doing so would generate an entirely new series of problems for business leaders, in terms of the regulatory bind and also regarding the working hours it would take to deal with new data laws.
In the short to medium term, business leaders in finance and throughout the economy need to establish where their data resides, recognise who has access to this information, and understand where it is processed. As the amount of data stored carries on rising, regulatory controls on the use of information also evolve and increase. Even those within the C-suite, not just legal and compliance teams, must continually keep an eye on these changes and be ready for any outcome when it comes to the management and protection of data, as the implications for any misjudgement are considerable.