UK post-Brexit risks – data protection and transfer; EEA customers

UK post-Brexit risks – data protection and transfer; EEA customers – February 2021


  • On 24 December 2020, the UK and EU announced that a free trade deal had been reached after many months of negotiations and delays
  • The “EU-UK Trade and Co-operation Agreement” (TCA) contains almost no clarity for any topics relevant to UK financial services
  • No clarity or solutions will be available until at least the end of March 2021 after the next set of negotiations is held between the UK and EU
  • This summary sets out some of the key points about what is known and what remains unknown; further changes are inevitable and needed

Regulatory Updates – a summary

Many regulatory changes impacting UK financial services activities started from 1 January 2021.   Some changes are immediate; others contain a short transition period.

All of these risks need to be analysed for their potential impact and then suitably mitigated.   Plan for the worst case and develop adequate contingency arrangements.   Strengthen all aspects of resilience for your business activities and related tasks.

Broad perspective for post-Brexit risk environment

With the loss of all passporting rights, all future business in the EU requires UK firms to negotiate rules and permissions in every EU state, individually or together if possible.

Under the terms of the TCA, the UK and the EU have committed to agreeing a Memorandum of Understanding relating to financial services regulation by March 31, 2021, establishing a framework for regulatory co-operation on financial services.   It also commits both parties to tackling international financial crime and tax evasion.

In his February 2021 Mansion House speech, the Bank of England governor Andrew Bailey said that, although the UK and EU are working towards a March deadline to agree an “equivalence” regime under which each would recognise the other’s regulations, “EU demands had so far been unreasonable”.

This comment follows the EU’s fears that the UK will adopt a low-regulation “Singapore-style” model that would undercut the EU. The Bank’s governor stated in his speech that, while some rules would change post-Brexit, sudden deregulation was not planned.

Data protection and data transfer

  • Data protection is very important for business activities. All firms must think about where data are processed and stored.   The UK has confirmed the acceptability of firms transferring data to the EU but there has so far been no reciprocal confirmation that the UK would be “adequate” for data transfers from the EU.
  • If the EU does not grant data adequacy to the UK, companies that want to transfer data from the EU to the UK may not have a legal basis on which to do so. This will affect many thousands of companies.
  • Until such equivalence is granted, firms need to put in place alternative arrangements to comply with GDPR and the UK Data Protection Act (DPA) to ensure a high standard of protection for individuals’ personal data.
  • The TCA states that data flows will continue as normal for (possibly) four to six months from 1 January 2021 and then the EU will make a “data adequacy” ruling. This implies that uncertainty may continue until at least June 2021, impacting all cross-border transfers and uses of electronic data.
  • Uncertainties remain until all related rulings including detailed requirements are made by the EU and the UK. The continuing absence of an adequacy decision would mean that it would become more difficult to store the data of private EU citizens on UK-based servers.
  • There is a similar concern over the handling of data. It had been hoped that the EU would take an early decision to approve the adequacy of British data protection but it has not yet done so.
  • Some important pressure groups within the EU remain dubious about Anglo-Saxon commitment to data privacy and the EU has previously criticised British and American protection of personal data.

Continued supply of UK-based financial services to EEA-resident customers

  • Since 1 January 2021, all UK firms that previously conducted retail business in the EEA countries have been unable to do so. Firms can no longer support any EU-resident customers from their UK offices and operations.
  • Retail banking services including lending, payments and deposit-taking will not be included in any equivalence decisions that may be taken by the EU.
  • The EU has for now dismissed any reciprocal temporary permissions regime with the UK for such services. Instead, the UK has become a “third country” with far greater restrictions upon all its EU-focused financial services activities.
  • UK firms need to understand all relevant EU local regulations and take legal advice.
  • There may be significant disruption to business activities and related adverse publicity if retail customers or corporate customers are disadvantaged.
  • Firms need to consider alternate operational practices and potential for revenue losses due to business activities being illegal in their previous (pre-2021) formats.

Timeline with relevant dates to be logged on regulatory calendar

  • The next set of EU-UK clarifications is expected by 31 March 2021

Next steps

All firms need to continue their detailed planning and research for all impacts on their business activities, employees, stakeholders and clients.

If anyone has specific questions or needs any advice, contact our specialists.
