Brexit was an angry war of ideas fought over immigration, sovereignty and, inexpertly, the economy but it’s a fair bet that during the long months of campaigning not a single politician even thought to mention the EU General Data Protection Regulation (GDPR).
That’s not entirely a surprise. As anyone who has peered into the abyss of its ninety plus provisions will already know, the GDPR is a complex, technical set of rules designed to govern citizen privacy in the EU for decades to come. What it is not is bullet-point ready for voters. Explaining its significance is difficult enough for people who understand it.
You’d wager that barely any of the senior Brexit or Remain campaigners have even heard of it or, if they have, could offer a sensible explanation of what it is.
And yet, staggeringly, the dusty, dry GDPR will have a major direct effect on all UK businesses of more than 250 employees that depend on customer data to run their business, which is to say, every single one of the country’s best-known firms.
With Brexit now upon the world, most IT professionals handed the job of making it work will be mightily confused about the implications of all this for themselves, their organisations, their business partners, their customers.
The GDPR after Brexit – will it change things?
The acid fact is that simply exiting the EU will not, for a variety of reasons prosaic and technical, make any difference to the fact that large enterprises will still need to embrace the GDPR. This is what every expert we have a phone number for has told Techworld in no uncertain terms – the GDPR is here to stay whether we like it or not.
The reason is that the GDPR is not simply a set of rules dreamed up by eurocrats but a reaction to the way the world and commerce is changing from one dominated by things to one ruled by data. Without rules, punishments, laws and standards the way data is moved around, processed and sometimes breached would lead to economic chaos written in legal cases, consumer rebellion and immense uncertainty.
Complaining aloud that the GDPR as a piece of ‘useless regulation’ (as one small business owner did in a recent BBC TV interview) is just the latest futile example of wanting to shoot the messenger because you don’t understand what they are telling you. The GDPR might have plenty of problems but the fact it exists at all is simply an inevitable outcome of a world in which data is fundamental to business.
Bluntly, organisations will implement the GDPR because it is in their long-term interests to do so and because they won’t be taken seriously by EU partners or customers if they don’t, indeed it will almost certainly be a legal requirement to do business as part of the single market.
What Brexit does it make that already difficult logistical, legal and engineering adjustment much harder to implement. Ahead lie possibly several years or uncertainty while the UK and the EU negotiate how to allow GDPR-compliant firms to trade in the EU without having to set up expensive and impractical shadow operations to cache data inside the EU.
Because the UK will not automatically be subject to the penalties that can be levied under the GDPR some form of moral hazard will have to be agreed or legal agreements put in place to pinpoint liability should things go wrong.
But the worst aspect of Brexit of all isn’t the everyday issues it throws up and what they might cost to fix but the way that the UK will now almost certainly be shut out of influencing the GDPR’s future direction. That won’t seem like a big deal to the Brexit-happy in June 2016 who laugh in the face of such trifling issues but it could come to bite the UK hard in the future.
Brexit doubtless throws up many problems policy makers will have to cope with but the GDPR deserves a bit more attention than it's getting. On it rests the future of almost every Internet and data-oriented business, which now make up a large section of the UK economy and most of its future viability.
Let’s hope whichever replaces the current one doesn’t muck this up, for their sakes and ours.