Clearly there is a lot of political fallout over Great Britain’s recent vote to exit the EU – for days after the vote it dominated the news cycles.  We all heard both the fear and support of the decision by the British people.  We heard about immigration, defense, monetary policy and regulatory authority.  Those are certainly all things citizens need to understand and debate, and governments need to discern and minimize the fallout of what looks to be a very expensive divorce settlement for all involved.

But we’re an ethics company, and although interested in the political ramifications (it’s impossible after all to grow up and live in Washington DC without being a political junkie!), I came back to “what does this mean for my clients?” and “how do I counsel their ethics and compliance reporting strategies in light of Brexit?”

Especially for many American firms, the phrase GDPR means very little.  That’s OK, because until Brexit it shouldn’t have.  As a bit of background, the General Data Protection Regulation (“GDPR”) is a new law that covers marketing data and was introduced in all EU countries on May 26, 2016 and becomes enforced in May 2018.  Key point being “all EU countries.”  Hmmmmmm……… so via Brexit, Great Britain will no longer be an EU country so, hey, wait a minute, as a GRC professional now I have to understand global politics and the fate of the EU too?

Well, yes, you do.  So some more history.  The current body of governing law in Great Britain related to data privacy is called the DPA, or Data Protection Act, and it came into being in 1998.  Yes, pre-Facebook, Twitter, YouTube, Instagram, Pinterest, and the list goes on.  The regulations are long outdated and were set to be replaced by the GDPR.  Now, with Great Britain leaving the EU and its updated regulations around data privacy, it is back to the future, when social media was a chat room in AOL.  Ouch.  Did I really just say a chat room in AOL?

Great Britain will need a new DPA, which makes perfect sense, and it will need to closely follow the GDPR.  Clearly the UK will want to continue trading with the EU post-Brexit, and in order to do that, it must have data laws that are as stringent as those in the rest of Europe.  The GDPR applies to any nation that wants to sell to EU citizens – including USA, India, Australia… and now the UK.

This changes a lot of GRC dynamics – potentially even down to where the servers that control the data used in supporting GRC solutions like incident and case management in Europe are located.

So here are points that you should consider including prominently in your incident and case management plans in the wake of Brexit, the implementation of the GDPR, and your global GRC strategy:

Be secure.  The origin of the GDPR was data security and the prevention of hacking and data loss (duh…it’s in the title of the regulation).  It’s the data protection regulation, not the data marketing regulation.  For GRC professionals this means a review of how and where you store personal information, for example, and the security of your website, for another.

Risk Analytics.  Times of change and uncertainty should be faced with a risk stratification matrix.  Sounds easy, but not so much.  First and foremost, focus on line-of-sight issues across all areas of the business so you can align resources accordingly, or as the cliché goes, “try to swing the axe one time and fell two trees.”

Inform yourself.  Although laws and regulations are all too often things left to the general counsel, in this case, we need to get informed and pay attention.  Talk with your IT folks because the responsibility for data does not rest solely with the GRC team, but the fallout from a breach or bad press from a GDPR violation sure does.  And watch what the UK does to replace and update the DPA.


J Rollins is the co-founder and CEO of ETHIX360.  At ETHIX360, our goal is simple: to provide an affordable, flexible and comprehensive answer to employee communication and case management on issues related to corporate ethics, code of conduct, fraud, bribery and workplace violence.  To learn more about ETHIX360, please visit, or follow us on Twitter @ethix360.