The Brexit impact on GDPR: What do UK businesses do now?


The campaigns were closely fought. Polls indicated it would be close. Still, many businesses assumed that the UK would stick to what it knew and vote to remain in the European Union (EU). In the aftermath of the vote to leave, and with the heat and hyperbole having largely dissipated, what new challenges does Brexit bring?

The Leave campaign was always a broad coalition of different interests, many with competing ideas. With a Brexit vote secured, some of those will fall by the wayside, while others become government policy. In the meantime, companies in the tech sector, dependent on investment to maintain their position, must live with the thing most likely to restrict it: uncertainty. 

The greatest uncertainty concerns access to markets and trade conditions. EU politicians have stated, repeatedly, that unrestricted access to the single market is conditional on Britain maintaining freedom of movement. Meanwhile, Brexit-supporting politicians in the UK believe that this is negotiable. It seems unlikely that the EU will reward Britain’s decision to go it alone with a uniquely advantageous arrangement, but it would be wrong to think that there is a single European stance. Much depends on whether the European Council or the European Commission takes the lead in negotiations. The Council is more likely to be pragmatic; the Commission may take a harder line.

Whatever happens, the UK won’t lose access to the single market – actually a single regulatory regime with a common set of technical standards, which benefit businesses outside the EU as much as those within it. UK exports may become subject to tariffs, but these average 2.3% for non-agricultural products: significant, but less so than movements in exchange rates, for example.

Tariffs may be reduced or removed by free trade agreements, which have been secured by every non-EU European country other than Belarus. British negotiators are likely to focus on key service industries, such as finance and technology. The size of our economy and its value to the EU, which enjoys a trade surplus of £88.7 billion with the UK, gives us a relatively strong bargaining position. Furthermore, the costs arising from new barriers in Europe could be offset by concluding trade agreements with countries outside the EU. According to Eurostat, over 56% of UK trade is with non-EU states, up from 38% in 2002. Among EU members, only Malta does a higher proportion of its trade outside the bloc, so the EU’s lack of success in forging external trade agreements has affected Britain disproportionately.

A second risk for the tech sector relates to the free movement of data. The EU’s General Data Protection Regulation (GDPR), which sets common rules on storage and transfer of personal data, comes into effect in May 2018. The GDPR won’t exclude British providers from handling EU data, provided they comply with the regulation. However, the regulation would have applied automatically had the UK remained in the EU. Now, either Parliament must pass new laws to bring Britain into line with the new standards, or UK companies will need to be assessed by the Commission. This is an unwelcome hindrance, but most data processing companies will already meet the standards, if they are already ISO 27001 certified.

A third risk, particularly relevant to the technology sector, is energy security and cost. Recent governments have under-invested in new generating capacity, but a new nuclear plant at Hinkley Point was expected to address that. Hinkley Point could provide 7% of the UK’s supply, but the project has been beset by problems, delaying completion from 2017 to no earlier than 2025. The principal contractor, EDF, is 85% owned by the French government and struggling under billions of euros of debt. In the aftermath of the Brexit vote, reports in the press suggested that the deal is under threat. EDF will no longer be investing in an EU partner country, and the French unions, concerned about the company’s ability to take on more debt, have used the opportunity to argue against it.

Hinkley Point is also dependent on large subsidies from the British government, which will support EDF. The European Commission agreed to these in 2014, but it’s possible that a coalition of European governments, many of which are anti-nuclear, will seek to block the deal under EU competition laws.

If Hinkley Point falls through, or if Britain is unable to sell surplus nuclear energy to the continent, the cost of power will go up and, by proxy, the cost of running offices, data centres and the cloud will increase as well.

Despite the risks, Brexit provides an opportunity for UK business to change the way we trade with Europe and the wider world. As ever, we will succeed if we produce goods and services that other countries want. Britain must remain open to trade, people, data and ideas, and continue to welcome the best and brightest of everything from around the world. The tech sector, which prides itself on being agile in the face of changing conditions, is actually well placed to benefit from the changes, even if Brexit wasn’t the result that it expected or desired. Looking forward, post-Brexit Britain could be a very exciting place to be.

In terms of GDPR specifically, the UK’s Information Commissioner’s Office (ICO) has confirmed that “if the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’” – in other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.

From a contingency perspective, therefore, most big companies, and especially cloud hosting firms, are acting as if the GDPR will come into effect on May 28 2018, to ensure that, even after we exit the EU, we can still trade as effectively, and legally, as we would if we remained a part of the Union.