Brexit is coming. True, the date for leaving may have changed more than once, but it WILL happen and when it does it will affect businesses in a variety of ways.
The most noticeably hit will be businesses involved in physically importing and exporting goods and services; however, IT services won’t get off scot-free. They too will have to make changes to how they operate.
Issue One – GDPR
One thing you’ll need to be wary of as an IT services provider is whether you gather any personal data (names, delivery details, IP addresses, etc.) from the EU/EEA for marketing, HR, sales and purchasing purposes, i.e. fulfilling orders, communicating, managing operations, etc.
If you do, your company may need to review its contracts to ensure that you continue to gather this information legally (including Standard Contractual Clauses – SCCs). You will also need to review privacy information and internal documentation in case there are any details you need to update before the UK leaves the EU.
Yet even with this, there is still the risk of potential disruptions in data transfers which could slow your business down.
Now, whilst transferring personal data within the EEA (the EU plus Iceland, Norway and Liechtenstein) is tightly controlled and comes with the highest level of protection, if you’re part of the EU the transfer itself is relatively simple, because it is done inside a single market that is protected and policed by the EU’s unified data protection regime.
This means, even if senders and receivers come from different EEA states, both are bound by a common data protection framework, whereby the transfer of data must be treated as though it has occurred within a single jurisdiction – and as such is supported by common data protection rules (GDPR).
Leaving the EU will instantly make things more complicated – especially if your UK business has an office, branch, an established presence or customers in the EEA – because by withdrawing from the EU, you’ll also be leaving this common data protection framework.
This will force UK businesses to take additional steps to ensure that any data they send to or from the EEA is given a high level of protection (so that it continues to adhere to the rules of GDPR, including for data transfers that are not covered by an adequacy decision from the EU).
For those of you who are unfamiliar, an adequacy decision from the EU enables data to be sent to and from the EEA without other safeguarding measures being required. As you can imagine, these ‘decisions’ can take time, meaning that if we were to leave without a deal, there may be a period where additional safeguards are put into place which could further delay data transfers (as these safeguards will have to be met before the transfers are allowed).
What can you do?
If you haven’t already taken steps to utilise alternative mechanisms contained in GDPR, i.e. Standard Contractual Clauses (SCCs) or Binding Corporate Rules (these apply if you’re part of a multinational group), then now is the time to do it.
SCCs especially need to be put into place should we leave the EU without a deal, because as a GDPR-approved safeguard, they will enable us to continue receiving personal data from any countries still within the EEA. NOTE: SCCs are more suitable for small to medium-sized businesses. They contain contractual obligations which all parties need to adhere to, ensuring personal data remains protected.
You will also need to bear in mind the following:
- If we leave without making a deal, most data protection rules (which affect small to medium-sized businesses) won’t change.
- You won’t need to take any type of action to keep legally sending personal data from the UK to the EEA (or any of the 13 other countries that are classified as ‘adequate’ by the EU post Brexit). If you already comply with GDPR and receive data from the EEA, you WILL need to take action.
- There is a chance that you’ll have to deal with a lead supervisory authority in the EEA. For this reason, you’ll need to check which European data protection regulator will be your lead supervisory authority.
- There will be no immediate changes to the UK’s data protection standards due to GDPR being brought into UK Law (post Brexit). As such, the Information Commissioner will continue to be the UK’s independent supervisory authority on data protection.
- If you don’t do anything, then your organisation will lose access to the personal data it needs in order to operate.
- It is EEA senders who will need to comply with GDPR when sending personal data. As receivers we can assist by ensuring that they comply at every stage.
- It is possible for us to receive personal data in exceptional circumstances, e.g. in a medical emergency or for a one-off urgent reason (a one-off transfer of data), where you may be able to bypass typical delays and receive it quicker.
- Rights and protections provided by EU Directives, and EU Treaty rights of freedom of movement and freedom of establishment, will no longer apply to the UK after Brexit. Consequently, UK businesses will no longer be treated as though they are local businesses and will be seen as coming from a ‘third country’. In addition, this may trigger extra legal, regulatory and administrative obstacles.
At Economit we can help you to build SCCs and ensure that your IT services are 100% GDPR compliant and ready for leaving the EU.
Issue Two – Designating a representative in one of the EU member states
This issue will affect any digital service providers – including some IT companies – who supply services to people within EU countries. Should no deal be made post Brexit, then you may need to appoint someone to act as your local representative with people and data protection authorities in the EEA. This will ensure that you continue to comply with EU data protection rules.
- This will need to be initiated in writing (following the formal process set out by the country you’re working in). Within this letter, you will need to indicate that you have assigned a representative who will act on your behalf to ensure that you fulfil that country’s legal requirements.
- Your representative may act on your behalf when dealing with regulators and any teams responsible for investigating security incidents (within the country you’re working in).
- Your representative will be under the jurisdiction of the member state where your IT services are being offered, and as such should be easy to reach by the authorities.
Issue Three – VAT on digital/IT services
You’ll quickly discover that the way you pay VAT for selling digital/IT services will change post Brexit.
Currently, any digital/IT service provider selling their services to consumers in the EEA can declare any sales they make – and consequently pay their VAT – using the UK’s VAT MOSS (Mini One Stop Shop). This is set to change.
Should no deal be made, post Brexit digital/IT service providers won’t be able to use the UK’s VAT MOSS. Instead, your final return period would end on the 31st December 2019 (here you would need to include any sales you made before Brexit). Additionally, you will only be able to use the UK’s VAT MOSS system to:
- Submit your final return (by 20th January 2020)
- Amend your final return (until the 14th February 2020)
- Update your registration details (until the 14th February 2020)
- Review your previous returns
What about any sales made after Brexit?
Should you make any sales after Brexit, you will need to do the following.
- You will either need to register for VAT MOSS in an EU member state by the 10th day of the month following your first sale to EU customers. For example, if you made a sale on the 14th November 2019, you’d need to register by the 10th December 2019.
- Alternatively, you’ll need to register for VAT in every single member state where you choose to sell your digital services. NOTE: this option applies if you don’t want to use VAT MOSS.
Fail to register, and you won’t be able to use either of these systems to declare your sales or pay any VAT due.
NOTE: you cannot register before Brexit. Likewise, we recommend checking the European Commission website to see whether you need to register for Union or Non-Union VAT MOSS and who to contact in order to complete your registration.
Issue Four – EU Cyber Security Act
This act came into force on the 27th June 2019, and in its wake encouraged the UK to start working towards establishing mutual recognition between the EU’s cyber security certification scheme and current UK schemes (based on ISO standards).
Knowing this, you will need to make sure that you keep both of these certifications in mind when finding cyber security solutions for your clients. In the past, the UK has operated under a number of assurance schemes involving certifications including Common Criteria and CPA (Commercial Product Assurance). Common Criteria is based on international cyber security standards (ISO), whilst CPA is based on National Cyber Security Centre (NCSC) or industry-developed security characteristics.
Common Criteria is the most commonly used in the UK as it comes with two mutual recognition arrangements, the CCRA and the SOG-IS MRA.
What is the EU Cyber Security Act?
This act seeks to create a cyber security certification framework that not only collates existing certification schemes into a single framework, but also helps to strengthen the digital single market and bolster trust amongst consumers of ICT products.
By bringing these schemes under one unified flag, it will make life easier for all involved.
In addition, this act also aims to provide the EU Cyber Security Agency (ENISA) with a stronger, more permanent mandate.
Now, the UK has been pretty clear on its stance and wants to maintain a close relationship with the EU (in regard to cyber security). This has resulted in it being deeply involved in the development of this act.
This is because the UK is determined (post-Brexit) to prevent any unnecessary fragmentation in the market. That is why it is openly cooperating with the certification approaches being implemented within the EU, to ensure that mutual recognition arrangements endure.
How does it work?
The Regulation/Act won’t introduce directly operational certification schemes. Instead, it creates a system which enables voluntary cyber security certification schemes to be created and recognised by the EU.
These schemes would confirm that the ICT products, services and processes supplied have been fully evaluated and comply with specific security requirements.
Now for the UK, the presence of mutual recognition arrangements within the Act would mean that it is possible for the UK and the EU to recognise each other’s cyber security certification schemes. This means we would be able to issue certificates that would serve the same purpose in EU markets as those issued by the EU (and vice versa).
As a result, the UK is campaigning to enter into negotiations with the EU on mutual recognition arrangements, based on the terms set out in the scheme.
Issue Five – Many businesses are looking to UK vendors for their digital and IT services
This is not an issue per se, but it is something you need to be aware of if you work in the IT services industry, as it would appear that despite these upcoming complications, UK and EU businesses alike still prefer UK vendors.
Consequently, you will need to take all of the above information into consideration as you WILL be affected by Brexit. How much you will be affected will simply depend on the size of your business.
- Importing and exporting goods to and from the EU – you can expect to go through additional processes, otherwise you’ll be denied entry into the EU. This will lead to delays if the right processes are not followed, so you’ll need to allow extra time in preparation for possible delays. You should also apply for an Economic Operators Registration and Identification number (EORI). You will need this number in order to move goods in and out of the UK (if there is no Brexit deal).
NOTE: if your company is already VAT registered, then the UK Government will auto-enrol your company with a UK EORI number. The Government cannot auto-enrol or give an EU EORI number if you’re not already VAT registered. As such, should you fail to register you will encounter delays at the border as you won’t have the correct documentation.
- Providing services with the EU – this WILL grow complicated in a no-deal Brexit situation.
Under EU single market rules, there are restrictions on selling a service where consultancy or research is provided between companies.
- You may face restrictions on your ability to own, manage or direct a company that is registered in an EEA country in a no-deal Brexit situation. Should this occur, you will face additional requirements on the nationality or residency of senior managers/directors.
- Your UK professional qualifications will need to be officially recognised if you wish to work in a profession that is regulated by the EEA or Switzerland. This means you will need to be recognised by an appropriate regulator for your profession in every country where you intend to work/provide services. Now, if you’re already working in these countries, then you won’t need to do anything, as your qualifications will have already been officially recognised and will remain recognised when the UK leaves the EU.
In truth, deal or no deal, post-Brexit IT Service Providers will see change – particularly when it comes to the use and transfer of personal data.
So if you’re an IT Services Provider unsure on how to tackle these potential industry changes, then why not contact us at Economit today? With our guidance, you’ll be prepared for everything leaving the EU throws at us.