Brexit and its ramifications for the UK seem to be the only topic that anyone is interested in Britain right now and even the entire world is looking towards the country – while holding their breaths – in anticipation that what will be the consequences of the divorce between EU. This separation of UK from the European Union will Impact businesses of all sorts, operating within the jurisdictional bounds of the country who have to adapt to the changing free trade agreements between the EU and the UK currently happening.

Brexit affects businesses from across all sectors, one of them being companies who deal in the processing of personal information data on behalf of digital businesses. In the below lines, we will consider Identity Verification companies based out of the UK. What is the leveraging factor for KYC processors? How are they affected and what are the liabilities of KYC processors regarding Brexit and their services       

Data processing in Post-Brexit Era

A referendum on 23 June 2016 took place, where the UK electorate voted to exit the EU. Ever since the narrowly won referendum, the UK and the global community are going berserk to understand how this process of exiting will take place. This includes negotiations between the UK and the EU, deciding on how factors like goods, services, people and capital would move across the UK and EU, following Brexit.

The relationship between Identity Verification companies and Brexit is delicate and important one to consider. As discussed above, Brexit affects companies from all sorts of backgrounds and industries and amongst the four freedoms – ‘Service’ concerns these companies the most, same goes for identity verification companies as their sphere of operations also falls under the “Services” category, particularly that relate to the processing of sensitive PII data. Identity Verification companies are pressured to modify their digital KYC processes in order to facilitate the exit from the EU and re-establish procedures that are Soft-Brexit friendly. But at the same time, these companies are bracing for a Hard-Brexit contingency plan as well.

Below are some of the factors that are affecting Identity Verification Companies in a post-Brexit scenario:

  • The legal and procedural framework surrounding the transfer of personal data from EU-based organizations to organizations based in the UK.  
  • The legality of continual free-flow of data from the UK to the EU.
  • How model data protection clauses would be vital to determine the free flow of data between the two countries.? Consequently, how would the contracts be amended to implement the necessary changes?
  • The extent of the adequacy decision in consideration by the EU, and if that decision is not made in favor of the UK until the exit date. Considering the current requirements of processing data from the EU, would UK businesses be able to facilitate EU partners to identify a legal basis for those specific data transfers?

Identity Verification

Identity Verification – GDPR and Brexit

Despite all the hype, much of the laws that exist today will remain the same, from the minor exception of a few. Having passed the European Union Act or commonly known as the withdrawal act will incorporate EU laws into UK law. One such example is the GDPR, which the UK has adopted into national law, as part of its Data Protection Act. Thus, if a business fully complies to the GDPR, it shouldn’t change how it would handle personal data, once the UK leaves the EU. The UK is trying to establish ‘adequacy’ or middle grounds with the EU in data harmonization between the two countries to facilitate the free flow of data where the need for complicated model clause assessments and contractual amendments would be greatly minimized or entirely abolished over time. However, it is likely most of the changes and necessary implementation will see the full effect by the end of the transition period.

In the End

Identity Verification companies, in particular, need to assess their primary medium of trade and whether they fall under the four freedoms. After this, the necessary measures should be taken in consideration of Brexit, which does not contradict or violate any laws. Businesses should carry out what they call a ‘Brexit Impact Assessment’ for the best way to gauge an idea of how Brexit will impact businesses. Identity Verification companies, in particular, should be compliant to the GDPR, before proceeding any further. As the companies with no GDPR implementation will face many more hurdles in dealing with Brexit, regardless if its ‘Soft’ or ‘No Deal’.