Spit five feet inside the IT department of a larger organisation right now and you'll hit someone with a reasonable claim to dislike the onerous EU General Data Protection Regulation (GDPR).
Styled as the most significant pieces of privacy law yet enacted, few would argue that mostly large organisations affected by it have had to invest serious time and stress staying on the right side of a regulation that has the power to hit them with fines of up to four percent of turnover for serious breaches when it comes into force in 2018.
But here's the rub: according to a range of experts polled by Computerworld UK, Brexit wouldn't make a jot of difference. Organisations currently affected by it will still have it implement the GDPR or face a range of negative consequences including added costs, unwanted complexity and, potentially, business exclusion. Worse, even those who meet its demands after Brexit could find demonstrating compliance turns into a long and fraught experience.
It's no surprise that Brexit advocates aren't fans. The EU loads Britain with too much costly regulation, they argue, and there can surely be no bigger, badder example of that than the GDPR. But if the UK votes to leave the EU, the strong consensus is that UK enterprises will still face having to implement the most far-reaching piece of privacy law in European business history without the UK's national Government having any guaranteed input into its future direction.
We had difficulty getting many IT or security vendors to go on the record about the issue - mention anything to do with Brexit and most run for the hills for fear of appearing to take sides - but there was near universal agreement off the record that Brexit would seriously complicate an already demanding implementation path.
According to Deema Freij, global privacy officer at US-based content collaboration firm Intralinks, Brexit would leave UK negotiators with a number of choices about how to relate to the GDPR, each with its own difficulties.
In principle, the large enterprises affected by the GDPR (SMEs below 250 employees being largely exempt) would commit to implement it anyway but unfortunately being outside the EU would open up legal and compliance issues which mean this route would be not be as simple as it appears.
It sounds like the ultimate catch - being forced to implement something without the path to achieving that being clear. Multi-nationals would be in the frontline of this but any enterprise that moves customer or employee data to and from the EU would be affected.
"Having left the EU, it would be some time before global and UK companies would know what to do on the issue. During that time, companies would be largely unaware that they might be operating against the law, increasing the risk of technical data breaches," she told Computerworld UK.
Sign up for Computerworld eNewsletters.