Brace yourself for Brexit

(Image credit: Bigstock)

Is Brexit something we need to worry about right now? It will be years before we actually leave.

It's true that it will take some time before Brexit actually happens. Article 50 was triggered on 29 March 2017 and we'll remain full members of the EU until April 2019 unless an earlier exit is agreed, which doesn't seem likely.

But that doesn't mean you can afford to sit back and do nothing. The implications of a looming Brexit are already being felt. One immediate question to ask is whether your IT department relies on employees or contractors who've come to the UK from other EU nations. So far there's been no indication of what their legal status will be in a post-EU Britain, and while there have been calls to allow those who are already here to stay, many may already be planning to leave and seek employment in a more stable environment. And when they do leave, replacing them is likely to be harder than it used to be.

Why so? There are always plenty of EU nationals looking for work.

Actually, there aren't as many as there used to be and in the current climate, the pool is very likely to shrink further. The situation isn't helped by uncertainty over what access EU nationals will have to UK universities and funding, which means the next generation of IT experts may be put off coming here in the first place.

There's no perfect answer, but there is one general piece of advice, which applies now more than ever: find ways to nurture the skilled workers you already have, and ensure they stay with you.

What about the data we handle? Hopefully life here will become easier once we no longer have to deal with EU red tape?

If you think that leaving the EU means a big bonfire of regulations then you're in for a shock. The General Data Protection Regulation (GDPR) is due to hit hard in 2018, and it seems certain that we'll still be in the EU at that point. That means you'll be legally required to comply with its various strictures on data protection.

Even after we part ways with the EU, most British businesses will need to keep up with European data-protection regulations. If you're not compliant, you won't be able to do business with companies and individuals in the EU.

But as long as we tick all the GDPR boxes, it's business as usual?

There's one more issue that could come into play: data sovereignty. Right now, you're free to store all your data about EU partners and customers right here in the UK.

However, GDPR broadly prohibits the transport and storing of such data outside of the European Economic Area (EEA). Conceivably, the UK could remain a member of the EEA after leaving the EU but if that doesn't happen (as seems increasingly likely) then British businesses will no longer have the automatic right to store EU citizens' data locally.

In such an eventuality, the UK will probably seek to be recognised by the EU as having "adequate protection standards" to handle personal data. But there's no guarantee this will be approved right away, or ever. Concerns over state surveillance are one reason why the European Commission might not rush to endorse the UK as a safe haven for data.

In the worst case, you could end up needing to carry out a complete audit of your data and move all your EU-related records to a European datacentre at your own expense.

This is starting to sound like a costly and time-consuming project.

For businesses that handle everything in-house, it could be. If you haven't already moved your operations onto hosted SaaS platforms, this could be the smart time to do so: most providers will already be geared up to deal with data protection and sovereignty issues, and should the need arise, they'll be able to help you spread your CRM and other services across multiple datacentres in different territories.

All the same, there's no point pretending that the next two years are going to be plain-sailing. The hope in many organisations is that, once the dust settles, we'll be left with a more flexible environment in which it's easier to do business, with customers in the EU and further afield. But in the short term, navigating our way towards that outcome isn't going to be easy.

Brexit means... data

GDPR may seem like a pain, but the Information Commissioner for the UK, Elizabeth Denham, has called for the UK to adopt it regardless of Brexit. Talking to the BBC she said: "I don't think Brexit should mean Brexit when it comes to standards of data protection."

Understanding the ICO's position regarding data protection provides a good indication of where your business should be heading strategically, when it comes to privacy and the law. Rather than relaxing our practices, businesses need to be taking data protection more seriously. The ICO will be pressing for data-protection officers in large organisations, with mandatory reporting of data breaches within a strict 72-hour time frame. None of this will take hold until 2018, but it's worth using the time we have now to plan and prepare. Brexit certainly does not mean "don't bother".

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at