6 minute read 29 Oct 2020
Close up image of a large server with lots of blue wiring

Why IT, systems and data dominate every aspect of Brexit readiness

Authors
Michael Young

UK&I Mergers & Acquisitions Post Deal Cyber Leader, Transactions, Strategy & Execution, Ernst & Young LLP

Passionate about helping businesses protect their operations, data and employees from cyber criminals. Artificial intelligence hobbyist, code tinkerer and sci-fi fan.

Lucy Rosemont

Partner, Technology Consulting, Ernst & Young LLP

Helping global consumer and life sciences organisations transform their businesses by leveraging technology. Women in Technology mentor. Mother of two girls.

Contributors
6 minute read 29 Oct 2020

Changes are required to ensure compliance and support additional requirements across all business functions.

IT, systems and data underpin and interact with almost every aspect of business operating models. Regardless of whether a deal is agreed or not, change is coming after the Brexit transition period and that will impact IT, systems and data. Whilst the scale and impact of these changes may be unique to each organisation, perhaps unsurprisingly, this is an area that almost all businesses find especially challenging to assess and address. Indeed, less than a quarter surveyed understood the implications and have mitigations in place.

Particularly on data, and the UK’s third country status with the EU, there are clearly critical outstanding questions, including whether the EU grants the UK a data adequacy ruling (or some other separate legal agreement is reached). However, enough is known for organisations to undertake strategic, no-regrets actions in the time remaining. Taking urgent action now will ‘keep the lights on’ after 31 December 2020 but transformation is likely to reach into 2022 and beyond. 

IT systems both underpin and point to Brexit change 

Irrespective of company size, geography or sector, one theme dominates nearly every single aspect of an organisation’s Brexit preparation – that to address the new trading environment, change will be required to IT systems and data processes. 

Conversely, looking to their IT systems and infrastructure, organisations can assess what additional requirements are needed by various business functions to implement the necessary Brexit changes, e.g., customs, procurement and HR. This includes not just the parent organisation, but also in-scope subsidiaries. Examples of this include the need for:

  • A review of all business processes involving a movement of goods across a UK border to determine VAT and duty implications and to ensure appropriate customs and regulatory documentation is in place
  • An assessment and update of key business master data, such as supplier, customer and product records, to ensure information such as Incoterms, health/safety certification and rules of origin is accurately recorded 
  • Tax teams to review rule changes in relation to withholding tax, import taxes and VAT registration requirements 
  • A company’s general counsel to ensure new regulatory reporting requirements are adhered to in areas such as Intrastat
  • Human Resources to consider the new requirements of the UK points-based immigration system for EU nationals and undertake the necessary compliance procedures including ensuring appropriate data about employees is maintained and current
  • IT teams to update IT systems to reflect the creation of new entities and operations
  • Data processing requirements for third party countries

As well as the changes required to systems as a direct impact of Brexit, there will be a secondary set of indirect impacts to consider.  For example, if the cost-of-goods increases, as a result of a duty being applied to cross-border glows, it might be necessary to change the customer pricing strategy, requiring mass updates to pricing and contract master data.  

Brexit will trigger massive changes to the UK’s trading, regulatory, immigration and judicial systems. However, they will not all take effect at the same time. As new legislation comes into effect for different business functions, ongoing IT changes will be required to comply. Organisations in the UK will also need to monitor when reporting and registration bodies begin to take over from their EU equivalents throughout the course of 2021. 

The volume and range of these changes are more concerning when combined with usual IT issues of incomplete or out-of-date inventories. Change will be required across multiple IT systems and providers; legacy systems that may not be easy to change; and, ‘grey IT’ that an organisation may not be fully aware of.

Watch Michael Young discuss key readiness considerations:
(Open in full screen to see captions.)

Brexit will demand agility in system transformation 

An organisation’s ability to respond to the demands of Brexit-driven IT systems transformation will need to factor inevitable disruption around the end of the transition period and beyond coupled with wider market trends. Likely issues include:

  • Cyber attack protection: The disruption, especially immediately after 31 December, is likely to trigger an increase in cyber attacks. 
  • Sourcing IT components: Depending on the level of disruptions at borders, it is possible that replacement parts for IT and IoT equipment including standalone hardware (e.g., servers) may not be available on a timely basis and may increase in cost as a result.
  • Personnel: Resourcing for IT roles may likely be more difficult over the coming weeks and months. The reason for this is two-fold. Firstly, as more companies realise the scale of some of the changes needed to their IT systems, demand for qualified personnel will increase. Secondly, large numbers of these roles have historically been filled by EU staff who now may be harder to obtain after 31 December 2020.
  • Timing: Other scheduled IT systems updates, may need to be delayed depending on available resources. 
  • Availability: Some services from European IT suppliers may not be available outside the EU and existing IT contracts may be declared invalid after 31 December 2020. 

Data flows

Brexit will impact both what type of data needs to be captured to reflect the changing regulatory and trading arrangements between the UK and EU, and how that data can be stored and transferred. 

Unless a data adequacy ruling is granted for the UK from the EU (or some other separate legal agreement is reached), additional safeguards will be needed to protect the continuity of cross-border flows of personal data from the EU into the UK, including non-digital data forms such as paper archives. Knowing the location of data and how it will be protected will become a central issue for EU-based companies sending data to UK firms.

From a UK perspective, mitigating the risk of potential EU and UK investigations of material data breaches of UK and EU citizen data will start to become paramount.

Watch Colette Withey, EY UK&I Commercial & Digital Law Leader, discuss legal and contractual implications including data adequacy:
(Open in full screen to see captions.)

What companies can do to prepare 

To prepare for 31 December and beyond, organisations must prioritise their actions and, in doing so, consider impacts across business functions. Common recommendations are to:

  • Map the Brexit impacts by business function and process against your IT system requirements.
  • Work with existing IT suppliers to understand their Brexit preparations and any fixes or updates they have implemented with other clients and consider whether these will be appropriate for your facts and circumstances.
  • Delay or cancel any non-essential IT systems updates currently scheduled prior to 31 December 2020.
  • Check all IT contracts to spot any restrictive EU clauses that could put you in breach of contract.
  • Set aside an IT budget to manage all the process and legal changes as they appear in 2021 and 2022. 
  • Make sure you have registered with relevant data regulatory authorities and complied with any local regulations that may exist in addition to Binding Corporate Rules and Standard Contractual Clauses for data transfers to third party countries.
  • Understand that not all laws applying to personal data will carry on as is after 31 December and you may now need to take account of the national laws in the countries you operate within.
  • Consider separating EU and UK personal data into different systems. If this is not possible, reduce flows of personal data to the UK from the EU and limit the amount of data processing of EU data in the UK.

For further information, please contact this article’s authors or your usual EY contact.

Summary

Brexit-triggered change is now inevitable for business, regardless of whether an UK-EU trade deal is agreed. Businesses should use the time remaining to assess the wide-ranging impacts for their  IT systems, infrastructure and data processes – and, where possible, take mitigating actions. 

About this article

Authors
Michael Young

UK&I Mergers & Acquisitions Post Deal Cyber Leader, Transactions, Strategy & Execution, Ernst & Young LLP

Passionate about helping businesses protect their operations, data and employees from cyber criminals. Artificial intelligence hobbyist, code tinkerer and sci-fi fan.

Lucy Rosemont

Partner, Technology Consulting, Ernst & Young LLP

Helping global consumer and life sciences organisations transform their businesses by leveraging technology. Women in Technology mentor. Mother of two girls.

Contributors