Dec 1, 2020 | Articles, Cyber Security, GDPR, ISO

UK firms face high compliance costs

Howard Freeman


British firms face a bill of up to £1.6 billion if the UK government fails to win an EU adequacy decision. The decision, if granted, would allow data flows to continue as normal. This was revealed by a new report published last Monday (23rd November 2020). UK firms face high compliance costs because they would have to amend contracts or issue new types of contracts containing new standard contractual clauses.

The report, by the New Economics Foundation think-tank and University College London, is based on economic modelling. It estimates that the additional compliance cost for firms wanting to continue transferring data will be high, averaging from £3,000 for a micro business to over £160,000 for a large company.

The report was based on interviews with 60 legal professionals, data protection officers, business representatives and academics, from the UK and EU.

Standard Contractual Clauses

In total, the cost to UK firms of no adequacy decision would likely be between £1 billion and £1.6 billion. This extra cost stems from additional compliance obligations, such as setting up standard contractual clauses (SCCs).

The report estimates that, in UCL’s case, the university would have to amend and update more than 5,000 contracts.


The report also says that the new compliance requirements will leave the UK exposed to an increased risk of GDPR (General Data Protection Regulation) fines. It points to a risk of reduced investment and a high risk of relocation of business functions, infrastructure, and personnel outside the UK.

There are fewer than five weeks until the transition period ends and the UK leaves the EU’s single market. Talks on the EU-UK trade deal are close to being concluded.

However, even if the UK agrees and ratifies a post-Brexit trade agreement with the EU by the end of 2020, a data adequacy decision will still be required. The European Commission will need to grant the decision for cross-border data flows to continue.

Adequacy Decision

The UK has already placed the GDPR into its national law, but as a ‘third country’ outside the EU, it needs an adequacy decision. Such a decision determines that a third country has an adequate data protection regime. Once it is granted, European personal data can be processed there.

Digital and tech account for 14.5% of all UK service exports. This is worth more than £30 billion, making the UK the largest digital market in Europe.

The EU executive is currently conducting an assessment of the UK’s data protection landscape. Discussions between the EU executive and the UK government on data adequacy have been taking place since March.

Decision Day

But the decision is far from a certainty. Primarily this is because of EU and civil society concerns about the UK’s surveillance regime. The UK’s membership of the ‘Five Eyes’ intelligence alliance with Australia, Canada, New Zealand, and the United States will also be of concern.

There are also concerns about whether the UK will deviate from the general line of the GDPR.

The NEF/UCL report warns that “potential EU concerns with UK national security, surveillance and human rights frameworks. Other concerns include a future trade deal with the US, render adequacy uncertain”.

If you need help with Standard Contractual Clauses, please talk to us. You can call us on 03333 22 1011 or you can contact us here.

