In November, our Chief Privacy Officer, Hugh Jones, took part in a RANE webinar about Brexit. Here’s a recap of the discussion:
David Fairnie, Principal Consultant, BSI Supply Chain Solutions
Hugh Jones, Chief Privacy Officer, Sytorus
Tom Roberts, Head of Intelligence and Analysis Services, Drum Cussac
Deirdre Dastous, Executive Director, RANE
Another Brexit deadline has come and gone, leaving observers struggling more than ever to predict what will happen. While the uncertainty around Brexit continues, one thing is clear: The outcome will have profound implications for businesses, making it harder for companies to succeed even in their own country. In a recent webinar, RANE assembled a panel of experts to discuss how Brexit may disrupt business and what companies can do to prepare, deal or no deal. Highlights are excerpted below.
BREXIT TO THE PRESENT DAY
Tom Roberts weighed in first, emphasizing that it is important to understand the key challenges that businesses face from Brexit, along with the context. Roberts noted that the Leave campaign, in the initial referendum campaign, “did not have a coherent, clear, or overarching philosophy, and they certainly did not inherit a clear mandate on the day after the referendum in 2016,” adding that the UK government “probably triggered Article 50 prematurely and before it had even agreed to the terms of the negotiations.”
“By doing this, the UK forfeited any leverage that it had over the Union,” Roberts said. Then-Prime Minister “Theresa May’s withdrawal agreement proved to be so divisive that it not only failed to pass Parliament, but also brought down her government.” May was ultimately replaced by Boris Johnson, who garnered more support from the Euroskeptic fringes of the Conservative Party and eventually succeeded in obtaining some concessions from the European Union. “Boris Johnson’s deal did pass through the House of Commons, which in itself is no mean achievement because it’s the first time that the UK Parliament has been able to agree on a course of action,” Roberts added. “But they were unable to agree on the timetable for the withdrawal agreement,” which provided the pretext Johnson needed to call an election — scheduled for December 12.
Roberts said that the worst-case scenario — the UK leaving the EU without a deal — has been avoided. “This is because if the Conservatives win a majority in the upcoming election, then they will have a majority to push through their withdrawal agreement through the House of Commons,” he added. “If the Conservatives fail to win a majority, it’s likely that the Labour Party will get together some coalition and then presumably seek an extension from the European Union,” after which it would likely renegotiate a withdrawal agreement and push for a second referendum that would likely result in either “a softer, closer relationship with the European Union or to remain in the European Union.”
“The only possibility of a no-deal, in my opinion, is under a series of unlikely scenarios, and the UK somehow stumbles or sleepwalks into it,” Roberts said. “Or the unlikely scenario that the Brexit Party wins enough seats to hold the balance of power and then pushes for a no-deal Brexit.” Yet without a withdrawal agreement, “businesses will be left in a state of limbo and have to prepare for all eventualities, unfortunately.”
David Fairnie agreed that “the outputs of the general election will dictate the type of Brexit that we can expect and, therefore, what organizations will need to do to effectively continue to operate in the resulting supply chain.” Yet enterprises will have to plan and prepare for “the different types of potential Brexit” amid “planning exhaustion.”
“We seem to be marching our companies and organizations up that hill and bringing them back down again to the tune of the politics,” Fairnie added.
To summarize the process in two words thus far, Hugh Jones said he would use “uncertainty and fatigue.” Noting that it has been three years since the Brexit referendum, “which indicated by a narrow majority a desire to leave the European Union,” he also called out the lack of “appropriate planning or consideration of a plan B” on the government’s behalf.
“We’ve already missed two formal deadlines, and we now have the 31st of January to deal with,” Jones said. Yet he also noted a risk in the upcoming general election, and that’s a “worrying” sentiment that the electorate are “becoming less motivated about what shape Brexit eventually takes” and that “they simply want it to be over.”
SCENARIOS TO CONSIDER
Fairnie said there is a possibility that the existing deal will occur if Conservatives come to power with a majority. “Then, we’re into effectively a managed exit,” he said. “You would hope that the government would continue with the expansive amount of guidance that it is giving companies in terms of preparing for the new look, customs facilitation, if you like, between the UK and the EU.”
Yet Fairnie also noted that the government’s guidance has been pretty good around the no-deal Brexit. “Lots of companies have been finding it difficult to implement as part of the Brexit planning whilst at the same time continue to operate,” he said. “But there are a few key areas that companies need to focus on no matter what the Brexit outcome is, and that is looking at the company’s personnel within their organization.”
- Customs functions, he said, which many organizations will outsource, are relying on third parties that “have really been overwhelmed by the volume of demand for their services.” Fairnie noted that the UK government has provided funding to help organizations conduct in-house training. “I would advocate that organizations look to tap into that funding to improve the competency of their people internally.”
- Another critical area to consider, Fairnie said, “is the internal business continuity and resiliency competency.” While some organizations might not already possess Brexit planning competency internally, they have had to create it or work with existing resources, creating its own risk: “The competency levels in terms of the ability to think about all the different risks and look to mitigate those risks wasn’t quite there.”
- Fairnie said organizations should also prepare “for the eventual change in customs formalities and customs regulations.”
In dealing with organizations working through the planning process for the October Brexit deadline, Fairnie said that many have “effectively pushed a lot of their products into staging areas within their supply chain,” and in doing so “really maximized or optimized the supply chain” instead of expanding it. Such an approach works in the lead-up to the peak period of the holiday season. The danger lies in a no-deal scenario for companies that “expanded their products within the supply chain for the holiday period and have nothing in place for a no-deal Brexit.” Yet organizations are “feeling real pain” at the moment with this, both with fatigue and “in terms of chalking up extra storage, extra demurrage, extra insurance, and a number of increased risks.”
Such a process has allowed organizations “to look at their supply chains and the other associated risks,” Fairnie said, and it’s possible they will come out stronger for it. “Certainly, through the whole Brexit process, the focus on more management of the supply chain is going to be valuable to organizations moving forward, in any case.”
THE CHALLENGES OF DATA MANAGEMENT
Moderator Deirdre Dastous pointed out that Brexit as it stands would mean that the UK would lose its adequacy status under the General Data Protection Regulation. Hugh Jones addressed what it means for organizations transferring data across relevant jurisdictions. “Essentially there’s an underlying assumption currently among all 31 member states of the European Economic Area that they are respectively safe environments for personal data simply because they all subscribe to the GDPR,” he said. “They all subscribe to the data management registration, specifically with regard to personal information.”
After Brexit, however, the UK will lose that status. “Unless by some miracle substantial negotiations are held between now and then with whoever happens to come out on top in the general election, there’s every probability that the UK will not have that safe status or adequacy status on the 1st of February of 2020,” Jones said.
Jones outlined a number of issues, regardless of what form of Brexit prevails. While the UK has put in place some legal measures “to accommodate a post-Brexit reality” and conform to GDPR principles, “it should be said that the adequacy status probably creates the single biggest challenge,” he said. “Not so for UK firms trading with European member states because that’s outbound data from the UK, and the UK businesses can continue to do that safe in the knowledge that the data is going into European member states who continue to subscribe to the legislation.”
“The difficulty arises for European-based organizations trading with or sharing data with organizations based in the UK,” Jones said. “They will now need to effectively justify and demonstrate that they have the appropriate safeguards in place because, in effect, they are putting that personal information outside the reach of their member state legislation and will need to have some formal data transfer or safeguards in place.”
THREE DATA SAFEGUARDS
The most frequently referenced of these would be the standard contractual clauses, or SCCs, mandated by the European Commission, “which will adequately protect any outbound data leaving the European Union and going into a post-Brexit UK,” Jones said. “The onus will be on organizations based in Europe to ensure that those standard contractual clauses, or SCCs, are in place prior to the 1st of February or whenever Brexit occurs.”
- Jones recommends that organizations, if they have not done so already, “start looking at the third-party organizations with whom they are sharing data or to whom they are disclosing personal information and ensuring that those contractual arrangements are in place comfortably ahead of the Brexit date.”
- Jones added that some organizations have taken a proactive measure of seeking binding corporate rules, or BCR, although the process can take up to two years to complete.
- “The third mechanism would be to have formal codes of conduct between the organizations sharing the data, which would, again, give comfort in the event of a no-deal Brexit,” he said.
It’s possible that a data-transfer agreement will be reached ahead of January 31, but not expected, Jones said. “I’m a cynic at heart, I guess, and getting more and more pessimistic as the Brexit story rolls on, so I’m not holding out much hope for that,” he added.
NOMINATED REPRESENTATIVES IN THE EU
Jones pointed out that data protection legislation going back more than two decades requires “any organization outside of the European Union to have a nominated representative within at least one member state of the EU where they are doing business.” That means any entity — whether based in the US, Asia, or Africa, for instance — trading with and offering products and services into the European Union must nominate at least one entity in one of the member states.
“The Brexit circus, to call it a phrase, is throwing up a particular issue here where many organizations, particularly in the financial services sector, have nominated a firm in the UK to represent their interests, effectively to be their nominated representative,” Jones said. “Again, unless this is nullified and negotiated before February 1st, the UK will no longer be an adequate state.” So, post-Brexit, any nominated representative in the UK will no longer meet the obligation under the GDPR, requiring that entities outside the EU with a UK-based representative “should start considering at the very least a second or replacement representative in one of the remaining 30 member states, and preferably in one of the remaining 27 member states of the European Union rather than Norway, Iceland, or Liechtenstein.”
Jones further notes that the UK’s Information Commissioner has said that organizations seeking to trade and continuing to trade with the UK post-Brexit must now have a UK representative as well. While this would be a post-Brexit measure, Jones said it’s a good idea for businesses to seek out organizations offering this service now. “One can’t ignore the possibility, general election or no outcome, that Brexit will actually happen on the 31st of January,” he said. “So, there’s really no excuse for organizations to be caught by surprise… One way or the other, these legal obligations will apply once Brexit rolls around, whether that’s on the 1st of February or at some even further date.”
MOVING PERSONNEL ACROSS BORDERS
Roberts said he sees a couple of possible scenarios for Brexit’s effects on travel between the UK and EU, or international travel to and from those jurisdictions. “One offers more certainty and less disruption than the other,” he said. “But I think the stability that businesses crave and need is entirely dependent upon the outcome of the general election.”
- With a Conservative Party victory, “we know that Boris Johnson will have a majority to push through his withdrawal agreement,” Roberts said. “The withdrawal agreement will allow for a transition period at least until December 2020 with one- or two-year extension options during which will be the status quo.”
- Of course, the election itself is “really, really difficult to predict,” with some seats in a four-way contest between the Conservative Party, Labour Party, Liberal Democrats, and the Brexit Party. “It is likely that the election will return the highest number of non-Conservative and non-Labour MPs, i.e., MPs from other parties or independents,” Roberts added. “This makes it really, really challenging to forecast the balance of power.”
- The path forward under a different electoral result is less clear. “The Labour Party has been deliberately ambiguous on its Brexit stance,” Roberts said. “But from a business perspective, it doesn’t offer any degree of certainty.”
- It’s clear that the Labour Party will extend the exit date beyond January 13, as well as seek a closer relationship with the EU, Roberts said. But were it to mandate a second referendum, as expected, it’s unclear what the ballot options would look like. “One would be: Do you want to remain as part of the European Union? Or do you want to leave with Labour’s new negotiated deal, which is a soft Brexit? Or do you want to leave the European Union without a deal?” he said. “There should be some real concerns with this approach. A referendum on this premise would be perceived by, let’s say, large amounts of the Brexit voters as a fourth choice. The leave option is split. There is no option to leave the European properly. At least Boris Johnson’s deal offered some restrictions or freedom of movement if it’s outside the customs union, outside of the single market, and it’s allowed the UK to negotiate free deals.”
Roberts also noted that the campaign surrounding a second referendum “would be really, really divisive across the country, and the debate would be really, really bitter.” Such a scenario raises the prospect of local unrest, which raises concerns for businesses “largely because a large proportion of the population would feel disenfranchised not only by the second referendum itself, but the fact that it is staffed in favor of remaining in the European Union,” he said.
In the event of a Labour Party victory, Roberts said, protests are to be expected. “It’s essential that businesses have access to some good intelligence feeds on upcoming protests but also perhaps some longer-term forecasts to thoroughly monitor the landscape and perhaps some weekly briefings as we approach the 31st of January,” he added.
Another consideration centers on topics of conversation, particularly for employees. “It’s probably sensible that trouble is avoided discussing politically sensitive topics with people that they do not know, and it’s also important to note that we haven’t really seen any pro-Brexit demonstrations so far,” Roberts said. “This is largely because the UK government has been pursuing a Brexit strategy, but if the UK finds itself in a position where Brexit is perceived to be stymied, then the pro-Brexit voice will become louder and could result in some quite violent protests.” Areas to watch include areas of London and large cities across the UK, including Birmingham, Edinburgh, Liverpool, Manchester, and some of the London satellite towns.
Citing recent protests in Hong Kong, Dastous raised the issue of guidance around security and communication practices. “All organizations should ensure that all employees are fully briefed on what to expect in any protest,” Roberts said. “Premises should have strong visible management presence, who should identify themselves to the police in the event of any trespassing or damage. Security officers, where possible, should be highly visible on premises, and all staff should remain vigilant and report any suspicious activity to the police and the security forces.”
- Roberts recommended that organizations establish a relationship with London’s Metropolitan Police, which he said “can be quite proactive, and they work quite closely with local businesses and London businesses.” The Met Police also provide regular updates around protests and route closures via Twitter.
- “Organizations should also consider the possibility of remote working or home working if appropriate,” he added. “If you have premises in London during periods of unrest, perhaps minimize the number of entry points to your premises.”
- It’s also a good idea that outside areas are clear of debris, dust bins, ladders, tools, and equipment, Roberts said.
- “Check that emergency equipment is all working, first-aid supplies, radios are in place, easy to pick up and work properly, that kind of thing, and just ensure that CCTV is covered and fully operational and could provide the highest recording resolution possible,” he added. “That just helps in any post-incident investigations.”
‘ANOTHER INCLEMENT CHALLENGE’: EU STAFF IN THE UK
Fairnie said that he has seen many organizations taking stock of employees who are EU nationals looking to remain in the UK and those who are opting to return to their home countries. “Part of that planning process has been very much to fill up the gaps of those people leaving, but very much focusing also on trying to accommodate and help their employees as much as possible with the registration process,” he added. “But again, it boils down to looking at the risks and managing the risks appropriately through a proper resiliency plan.”
Jones noted that the GDPR is “underpinned by principles of risk management, risk anticipation, and mitigation” — concepts that apply to staffing around data compliance, too. “Clearly, the availability of the appropriate staff and the accessibility to those staff, or inversely, the access of the staff to their appropriate workplace is a critical consideration at any time in the run-up to anticipated weather or unseasonable weather, in the run-up to periods of high demand, and now obviously as well, where there may be implications for the appropriateness of their visa arrangements or passports,” he said.
- Technology exists that allows for “remote working or international-based staff working out of shared offices, for example, within an EU member state but dialing into the head office, which might be in London or Manchester or Edinburgh,” Jones noted.
- But, he added, it takes time to set up virtual access systems. “They can’t just be switched on and off, so it’s for organizations to consider now what the reasonable measures might be or might need to be in the event that they have location difficulties or access difficulties for key staff and putting the appropriate measures in place, whether it’s VPN access, whether it’s encrypted pipes to allow people working from home, whether it’s even simply sourcing and distributing appropriate technology, laptops, mobiles, storage devices, et cetera, that would allow staff to work seamlessly.”
- “In many ways, Brexit should be looked at as yet another inclement challenge for an organization, whether it was Y2K, whether it was the various storms and hurricanes that we’ve had recently in this neck of the woods,” Jones said. “All of them have been met by organizations considering reasonable measures to protect their staff, protect the safety and the convenience of the staff, while at the same time making sure that, where possible, business continuity can be prioritized and achieved.”
MAINTAINING BUSINESS RELATIONSHIPS
Acknowledging the need for effective resilience capabilities, Fairnie said it was also critical to maintain day-to-day business relationships — “particularly second- and third-tier supplier bases where that capacity and capability, simply because of the types of organization they are and the overhead that they have, they may not have that level of competency and capability in those organizations. Looking down into your supplier base is an absolutely critical part of resiliency, so it shouldn’t be overlooked.”
Fairnie recognizes that many people preparing for Brexit have experienced fatigue, and he adds one reminder: “I think it’s vitally important that the leadership in organizations really focus on making sure that people maintain a focus on organizational resiliency, look at being as proactive as possible, make sure that organizations have the competency because there are governments out there to help you.” He reiterated that there is funding to help organizations develop competency from a business continuity point of view.
“If you’ve got that organizational capability and resiliency in there, it makes absolute sense that you look across the wider aspects of risks within your supply chain and the associated risks of Brexit,” he said. “So, my takeaway is organizational resiliency, keep people focused. This undoubtedly will roll on, but it is imperative that people are focused on addressing or identifying risks and making sure that you’re as prepared as far as possible to mitigate those risks.”
CREATING SITUATIONAL AWARENESS
“From a security perspective, I do think that the worst-case scenario, i.e., the prospect of a no-deal, has probably been avoided,” Roberts said. “I think that it could still happen, but only through a series of unlikely scenarios.”
Yet it remains imperative that organizations keep up to date on understanding the context of what’s happening, he added. “You do that by having good access to lots of different sources of information and communicate that information to your dispersed travelers,” Roberts said, recommending “daily briefs with your travelers as we approach January the 31st, and just make sure that your travelers and your dispersed workforce are aware of all the threats and the security challenges.”
“The key word here is anticipation, is to recognize the fatigue for what it is and albeit frustrating and annoying and probably a bit of distraction in retrospect or in hindsight, there’s still a value to the risk evaluation,” Jones added. He offered three areas to watch:
- “Be aware of your data flow and be aware, particularly if you’re within the UK, be aware of flows of data to other EU member states,” he said.
- “If you’re outside of the EU and trading with the UK, be aware of the third parties with whom you’re working, the colleagues, the customers, the service providers, and ensure that the appropriate mechanisms are in place, the safeguards that will protect the data within the context of the GDPR.”
- Also, for European member states or companies based in the European member state and working with or transferring data into the UK, Jones recommended: “Do some research and prepare to have at the very least a nominated representative within the UK by the 1st of February. Most of the service providers that we’re aware of will offer a caveat that says if Brexit gets kicked down the road, the contract has a nominated representative will be deferred until such time as needed. But better to have one and not need it than to find yourself needing one on the 1st of February and not knowing where to start.”
ABOUT THE EXPERTS
David Fairnie, Principal Consultant, BSI Supply Chain Solutions
David Fairnie has international experience across multiple specialist sectors, including Risk Management, Supply Chain Security, Critical Infrastructure Protection, and Business Development. Fairnie helps public and private sector organizations to effectively manage and mitigate their exposure to risk through transferring deep subject matter knowledge, empowering professionals to manage risk, creating measurable, scalable and sustainable solutions and embracing industry standards and best practices.
Hugh Jones, Chief Privacy Officer, Sytorus
As a certified Data Management consultant, Hugh Jones is closely involved with the development and introduction of compliant Data Management policies and practices within a wide range of clients in Ireland and overseas. Jones delivers training, provides professional advisory services and is a frequent speaker at local and international Data Management events. Through his experience as a business and IT Project Manager, Jones supports organisations striving to achieve and maintain a level of familiarity with the EU Data Protection legislation, as well as helping them to design their “adoption journey” toward full compliance.
Tom Roberts, Head of Intelligence and Analysis Services, Drum Cussac
Tom Roberts has 15 years’ experience in security and intelligence, including six years in the Royal Marines. At Drum Cussac, Roberts manages the intelligence function that is responsible for the output of all analysis and threat assessments. In addition he has conducted numerous onsite security assessments and audits, and provided expert witness services to the High Court. During his time in the military, Roberts was deployed in the Middle East and Asia. He also holds a master’s degree in International Security Studies.
Deirdre Dastous, Executive Director, RANE
Deirdre Dastous is RANE’s Executive Director of Client Relations. Prior to joining RANE, she served as Vice President, Global Intelligence at Nasdaq, delivering technology, analytics, and consultative solutions to Investor Relations and Corporate Governance professionals, as well as to the C-Suite. Dastous had P&L ownership and was responsible for driving organic growth, executing strategic acquisitions, and delivering margin expansion. During her 17-year tenure at Nasdaq and predecessor companies, Dastous served in a variety of leadership roles across multiple functions, including client service, operations, commercial management, and strategy. She has extensive international experience, having been based in London, UK for 11 years, supporting clients and managing teams across EMEA and APAC.
RANE (Risk Assistance Network + Exchange) is an information and advisory services company that connects business leaders to critical risk insights and expertise, enabling risk and security professionals to more efficiently address their most pressing challenges and drive better risk management outcomes. RANE clients receive access to a global network of credentialed risk experts, curated network intelligence, risk news monitoring, in-house analysts and subject matter experts, and collaborative knowledge-sharing events.