"If I were running a company I'd set up in one of the 27 countries. If leave happens, I have an office in a country [in the EU]. It will cost me because I'll have to hire some lawyers but they will muddle through."
Some UK firms would likely create shadow companies to demarcate data for the same of simplicity, a complicated and expensive solution designed to make data handling easier. Firms from beyond the EU will simply avoid setting up in the UK at all.
"US companies will say I can't set up my company in the UK anymore because there is this barrier. I have added this layer of legal uncertainty. I am going to set up in France instead."
According to Brett Hansen, Dell's executive director of data security, in the end the GDPR comes down to whether it's a good idea over and above the issues of legality or politics.
"At some point companies are going to want to protect their data because it's good practice. The GDPR is a forcing function but it's a good idea because you will be better able to protect your company in terms of lawsuits and loss of customer data," he says.
"They are enforcing what should be good practices. You need to show that it [data] is protected. That's not anything crazy," he adds while admitting that for Dell and companies like it the GDPR had proved to be "good for business."
In Dell's view the GDPR is simply part of a larger and growing patchwork of regimes that impose demands on data security and management. "GDPR pushes everyone to get to that base level of protection."
Brexit and the GDPR - losing influence
The question remains, however - would not being in the EU make any difference? If companies are able to create a framework, however expensively assembled, that makes it possible for the UK to meet the GDPR's demands by the back door, surely Brexit is a side issue. They will build the GDPR into their thinking because it's a good idea anyway.
Longer term, it would mean that a layer of the country's largest firms would find themselves on the receiving end of a Regulation over which the country's politicians have no direct influence. The UK could reasonably ask for input but it is unlikely it would have any more influence than countries in the EEA. Most likely, the UK's local Regulations might converge with GDPR in some way although that could prove politically contentious should it be extended to cover smaller businesses at some point in the future.
In the long run, it is clear that in the short run Brexit will cede a period of regulatory uncertainty that could take a minimum of two years to clear and almost certainly longer. This alone will add expense and might cause some companies to port their operations to the EU until things become clearer.
Sign up for CIO Asia eNewsletters.