Ian Rowlands MBCS looks into the regulatory impact of Brexit on data management and finds some painful truths and some sources of hope along the way.

Were you in a state of shock, elated or otherwise on the morning of June 24, 2016? Against the odds, the UK voted to leave the European Union. Suddenly, you were supposed to be the expert on what Brexit meant for your firm’s IT activities. Almost a year later, what does it mean to you? There’s plenty of information about GDPR and it’s clear that the timing implies that Brexit won’t allow you to skip GDPR compliance. What about other regulatory impacts though - how are they influencing planning and action?

Three macro pressures shape IT strategy. There’s the accelerating demand from executives for investment in information to deliver value, the sea change in technology, and the rising tide of regulation. The forces interact, and providing value with new technologies, while minimising compliance risk, is probably high on your list of strategic goals. How does Brexit change the challenge? It depends on several things: What kind of business you are in and what kind of model the UK and other governments agree to in order to manage relationships between the UK and the rest of the world.

Industry specifics

Every industry will feel particular impacts. Consider these two examples:

Banking: you’ve ‘suffered’ mightily from regulation over the past several years. Despite attempts to put a brave face on things, there’s little evidence that your business has gained much on the plus side. The chief architect at one major bank told me bluntly: ‘If we didn’t have to do this, we wouldn’t be doing it’. It still seems unlikely that you will be rolling back all the work you’ve done. Several factors come into play.

The first is the painful truth that the regulation kicked off by the financial crisis of 2007-8 was necessary. There was systemic risk, and new technologies could only exacerbate it.

The second factor is that there is no board-level appetite to undo what you’ve completed - executives want to see the shift to value creation that regulatory grunt work has prevented. The third factor is the risk that any dismantling of the regulatory framework would present. UK regulators have adopted EU regulations wholesale, and even strengthened them.

With ‘passporting’ not an option, firms will hope that the EU will accept the UK regulatory framework as ‘equivalent’. Any ‘disassembly’ will blow that hope out of the water. Essentially, therefore, ‘preparation’ for Brexit means finishing any outstanding regulation work, and working on any new EU regulations that go into law between now and the end of the two-year Article 50 period.

Insurance: it is more complex. Incorporating EU regulations into UK law will not resolve the thorniest issue - that of the nature of the future trading relationship between the UK and the EU. If you’re in insurance, what should you be considering? How much of your activity is in the EU?

Watch the negotiations and passporting issues. If the impact on reinsurance and investment activities is significant, cross-border strategies will need review.

Another noteworthy secondary issue is that Brexit has already provoked market volatility and there’s a real risk of capital flight. That implies a need to review capital adequacy and perhaps monitor even more closely than you already are. One thing that doesn’t look likely is change to the Solvency II regime - at least not in the short-term. The Association of British Insurers has expressed the view that while some refinement may be required, unwinding something that has been part of the regulatory framework for more than ten years is not a good idea!

Regulations vary, from sector to sector. Every company needs to consider its unique position.

General issues

Some regulations impact how your business operates. There are also considerations that apply to your governance and support environments. What about financial reporting? The UK has been bound by EU regulation, and so using the EU flavour of International Financial Reporting Standards (IFRS).

After Brexit, the requirement for consistent high-quality reporting will remain - but the form of IFRS will not necessarily be the EU form. In October 2016, Paul George, Executive Director for Corporate Governance and Reporting at the Financial Reporting Council, commented: ‘Brexit could have significant implications for the adoption of international financial reporting standards, depending on the exit arrangements negotiated by the government.

The FRC continues to support the application of a single set of high quality global financial reporting standards for listed companies. Investors have told us they want comparability when reading company accounts.’ It’s not likely to be a significant disruption, but you need to make allowance for it.

Consider staffing. It’s not likely that the government will rework employment legislation wholesale after Brexit. However, the position of EU nationals working in the UK will change. Without special legislation, EU nationals will be subject to the same points-based residence criteria as non-EU nationals, and those without sufficient points will have to exit.

Most of your EU national employees may be highly-skilled, in which case the immediate risk is low. In the longer-term, you might lose the ability to source skilled IT professionals from a deeper talent pool.

Another example is the issue of the use of big data technologies and the associated exploitation of cloud services. In some ways, ‘cloud’ is a misnomer. Data resides in physical data centres, which have physical geographic locations. At present, it’s fine if you have collocated data for all EU citizens. After Brexit, however, you will need to hold EU citizen’s data in EU locations and UK citizen’s data in UK locations. You may need to plan a careful disentangling and migration.

Pulling the threads together

I have used several words like ‘may’ and ‘likely’ and ‘might’. Irritating, isn’t it! The challenge is that we don’t yet know. In a way, though, that simplifies things. The only response is to build agility. So how do you do that?

There are several threads. One is about having an up-to-date understanding of how IT supports business. It seems obvious, but an astonishing number of enterprises don’t know how their applications and services underpin business processes, how they use data, and how data is moved and transformed within their systems.

The second thread is similar to, but differs from, the first. You need to map the geographic influence of IT. It’s obvious, but the implications are sweeping - what was one set of relationships is now two sets of relationships.

The last thread is about connecting regulations that you deal with to the systems and geographies. Just as with the other threads, this is a dynamic exercise. The regulatory environment may be ‘frozen’ until after the EU exit ‘sunset period’, and the government has declared its intention to bring forward a ‘Great Repeal Bill’ that will repeal the European Communities Act 1972 and incorporate European Union law into domestic law, ‘wherever practical’. However, that ‘wherever practical’ leaves open a window of uncertainty, which will only open wider after the actual exit.

Brexit will have unique impacts on the regulatory climate for each business, but the response should be standard. Pull the information together that allows you to plan for any required changes as the needs emerge - and keep calm!