The impending ‘Brexit’ has led political and financial commentators to speculate on both sides about what state the UK, and the European Union, will be in afterwards. But what cannot be ignored is that Brexit will by no means give the UK a ‘blank slate’ to act unilaterally on certain matters – particularly where security is concerned.
GDPR comes into force in May 2018 with all the inducements, implications, and punishments instantly applicable from that point on. Clearly, the UK will still be a member of the EU in May 2018, so GDPR will automatically become law. But it is what happens after Brexit that truly matters. While the letter of the law would mean that Britain could conceivably withdraw from GDPR, this may be impractical. For a start, if the UK remains in the European Economic Area, which is not inconceivable, it will be legally required to maintain GDPR on the statute books. And if not, British firms that do not hold to GDPR will find their ability to do business with EU firms and citizens severely curtailed, as the latter groupings may be unlikely to contract with a British entity that does not guarantee, in terms of data safety, what is seen as standard elsewhere in Europe.
As such, GDPR should be planned for over the long haul, even though minor amendments specifically for the UK may be made post-2019. It is estimated that, following the Brexit vote, 25% of companies stopped preparing for GDPR on the basis that it wasn’t going to affect them. It will. Definitely in the short term, and in all likelihood the long term as well. There can be no excuse for laziness in preparation – as much for the fact that GDPR is a ‘good idea’ as for the fact that it is a legal requirement.
But the questions over application apply to much more than the cyber-realm. For instance, take sanctions. Currently Britain participates in international economic sanctions through both the UN and the EU, but almost all through. Post-Brexit, it will have no authority to enforce EU sanctions but may consider it expedient to replicate such sanctions on its own terms – leaving the EU will not really change Britain’s position on issues such as Crimea or Iran, particularly when it took the lead in calling for these sanctions.
The government has already published a White Paper detailing the manner in which it intends to continue enforcing sanctions (asset freezing, trade restrictions, travel bans and so on) and these replicate the key points of the existing EU methodology. Therefore, British businesses looking to deal with EU-sanctioned areas are likely to find themselves just as affected as before – leaving no room to assume that all is well, or to believe that ‘extra freedom’ does not come with extra danger. Complacency is always one of the biggest foes.
Likewise, the M&A and due diligence process will need to be reviewed and considered in light of Brexit – but by no means diminished. There is no blanket EU law at present on what investigation and due diligence on target businesses/partners must or should be done. Even so, regulatory and financial compliance will take on a new direction now that EU law will not affect British business so directly; the expected end of free movement will affect the degree to which employees may or may not have rights to live and work in the UK (and may try to disguise this); and a comparatively weaker structure of governance, particularly in the early days post-Brexit, could encourage the sharks to circle knowing that the UK no longer has the protection of EU law.
Whichever way you look at it, leaving the EU will shake up the foundations of business but, as long as risk analysis and due diligence are still held to the highest standards, these foundations should not fall.