Brexit: The Road Ahead for IT
The scale of divisiveness brought on by the UK Referendum underscores the profound importance of an agile, global landscape with enough resilience to counter disruptive and unexpected events. The fall-out of the referendum has yet to play out or to show how and when substantial changes to the status quo will manifest. As procurement experts we must define how the sourcing industry can navigate the turbulence ahead and mitigate risk on a wider scale.
Areas of obvious relevance are EU data regulations versus UK DPA law, and the OJEU regulations. Certainly there is enough here to keep London lawyers sleeping at the office, indefinitely.
Joking aside, on data protection, it will be diligent planning and foresight that is critical. But should we be unduly concerned about the landscape ahead? Not according to Peter Galdies, Development Director from Data Compliance firm DQM GRC:
“In my view the long term impact of a ‘Brexit’ on the legislative framework for privacy will probably not be hugely significant.”
He goes on to say that the received estimate of a two-year negotiating wait may in all likelihood end up being anywhere between 3 and 6 years after Article 50 is invoked:
“It is also highly likely that the UK (now with a strong new commissioner with a proven history of backing and enforcing consumer rights) will adopt legislation directly modelled on the GDPR (as we will also need to do with the other legislation, such as workers’ rights and other similar good laws that protect the rights of the individual which will now need replacing),” said Galdies.
“The pressure to negotiate a strong trade deal with the EU will also drive the adoption of ‘mirroring’ legislation – designed to minimise the barriers to continued trade,” said Galdies.
With the UK’s Information Commissioner’s Office (ICO) saying future data protection laws must be commensurate with those of Europe, how we adapt remains an ongoing process:
“The Data Protection Act remains the law of the land irrespective of the referendum result,” said an ICO spokesperson.
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK, but if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation (GDPR) framework starting in 2018.”
The latest rules on data protection, the General Data Protection Regulation (GDPR), were given the stamp of approval by Brussels in 2015 and are due to come into force by 2018 for the EU, and potentially the UK if the two-year exit plan is still underway.
From another perspective, if a business handles EU citizen data, the laws will still need to be met by the service provider.
So the GDPR is going to affect businesses offering any service to the EU market, independent of where your data is held. One of the new provisions that raises the bar for service providers is that essentially anyone who touches your data gains responsibility.
Whether, as some legal experts predict, the new rules will affect every entity that holds European data both in and outside Europe or whether as global firms indicate the new laws will increase costs of doing business in Europe, remains to be seen. But it is certainly galvanising enough for us to need a significant forward plan.
Ultimately the UK’s DPA will need to enact stronger rules in order to provide equivalency with the enhanced EU rules, to enable UK firms to do business with remaining EU members.
A further complication is the revised EU-US Privacy Shield, which is replacing Safe Harbor. This has been set for review by EU member states, and according to Reuters a vote is expected in July. But should companies be unduly concerned about what lies ahead with the advent of a new data sharing landscape?
These macro-level laws aside, in practical terms for UK organisations it will boil down to:
- If you need to get your data back
- Where is it?
- How much will it cost to do so?
- What are the provisions in your current contracts?
- Are there exit schedules that define who is to do what, by when and for how much?
All of these points are within the control of UK companies, and form part of best practice in terms of IT contract auditing and awareness.
The air of uncertainty is particularly pungent around Cyber Security and what kind of framework the UK will adopt post Brexit.
Businesses may in the short term become more vulnerable to cyber attack given the potential for bureaucratic loopholes; with 40% of IT professionals forewarning of greater exposure to cyber crime this cannot be dismissed as hyperbole. Given the amorphous and evolving nature of cyber crime we must continually seek to adapt and ensure the IT supply chain is appropriately secured.
A significant proportion of cyber breaches have occurred not inside the victim’s own firewall or environment, but within that of a third-party supplier, through which the cyber criminals then gain access.
Essentially a more complicated set of EU/US/UK DPA laws can only add to the risk of companies not being adequately protected from a contractual viewpoint.
The biggest medium to long-term threat would be the restriction of free movement. If free movement is off the table, the larger SI houses may seek to centralise in favour of Europe, which would mean a restriction of European IT skills coming to London.
In addition, visa restrictions could drive up costs as well as creating operational challenges. As an example, 50 staff from an Indian SI house were deported from a UK client site last year, due to inadequate travel visas. Should free movement be restricted and visas become necessary for EU-based staff, the same problems could arise.
In the event that we follow Norway and Switzerland by maintaining access to the single market, much of the initial fear and headache emanating from lack of free movement will be resolved. Again, it is too early to predict which way the negotiations will go.
With two years to exit, organisations do have the time they need to forward plan and consider the impact on their supply bases.
With many companies facing an uncertain trajectory in the wake of Brexit it remains prudent to watch and wait until more of the jigsaw is in place.
From a risk management standpoint it is both prudent and best practice to audit and log all your IT & Telco contracts, to have a good awareness of what you have and where any current problems lie.