Regulation and legislation form a key foundation for business, but because much of it originates from government and industry-level bodies at national and supra-national levels, it is potentially subject to much change as structures shift between now and the date of an ultimate Brexit.
The shifting sands of compliance will be an ongoing challenge
The UK government has already stated that scrutinizing regulation and legislation, and planning necessary changes, will be a core activity within its considerations post-referendum. Many commentators believe that in order to minimize disruptive impact on business and public sector activity, and to maintain the benefits of existing investment in compliance, replacement regulatory and legislative measures should where possible mirror those currently in force. Such an approach by the authorities would certainly be of great help to UK organizations that are already significantly burdened by compliance costs and that face many additional costs and much disruption arising from the Brexit decision.
One prominent related activity that is under way within many sizable UK organizations is planning and investment for compliance with the EU’s General Data Protection Regulation (GDPR). This measure passed into its final “pre-legislation” stage in late 2015, at which point a two-year deadline for compliance was established. Consequently, investigations and investments will have been planned to ensure that regulated data for which enterprises are responsible is located and protected compliantly, and is not passed to non-compliant third parties for processing. Compliance must be maintained whether the regulated data is stored in the cloud, processed primarily by third-party providers, or held within the enterprise’s IT estate.
It seems certain that the late-2017 deadline for GDPR compliance will be passed before the UK is free of obligations related to its EU membership, hence affected organizations within the UK’s jurisdiction will now need to continue their efforts toward ensuring GDPR compliance, despite the referendum verdict. For organizations continuing to conduct business with others in the EU post-Brexit, these efforts will obviously have a direct ongoing benefit. However, given that GDPR is in the vanguard of similar legislation that is likely to evolve and come into force in other areas of the world, the benefits of managing issues such as data sovereignty around organizational data more accurately may also be extended further in future for organizations with broad operational horizons.
Cloud, SaaS, and outsourcing service providers will still have to maintain their programs of investment in order to serve customers in other countries in the EU that require GDPR compliance, or to serve UK organizations’ near-term compliance requirements. However, once it has left the EU, the UK will be considered a geography outside the Union from the perspective of data transfers regulated by GDPR, and these providers might need to invest in data obfuscation technology in data centers in the EU before data is transferred to the UK.
Alan Rodger, Senior Analyst, Infrastructure Technologies