06 Jul 2016

Will Brexit affect the GDPR? Whatever direction the UK takes, businesses must consider what is sensible and overall good security practice, as cybercrime isn’t going away.

Whatever view the people of the UK held, it seems that many did not anticipate the result of the referendum. Neither outcome would have given complete clarity on the direction the UK is heading, but one thing we did know is that the EU General Data Protection Regulation is set to apply from May 2018, and EU businesses need to prepare for the transition right away.

Many of you are aware of the GDPR, but to explain quickly for others: it is a regulation passed by the European Commission to unify data protection across the European Union and to strengthen that protection. It was going to replace the UK’s Data Protection Directive from 1995, which is also an important component of EU privacy and human rights law.

The historic referendum results came in and Brexit was the chosen path by a majority. Many questions are now being asked about the economy, investments, trade and future relationships, but a key question we need to address is:

If the UK is no longer part of the EU, do we have to worry about the regulations when they are enforced in Europe?

Whilst the Government still needs to invoke Article 50, and then has two years to negotiate our new relationship with the EU, it was suggested that a 24-month preparation period would be needed to comply with the new data protection regulation in 2018, so we don’t have time to ‘wait and see what happens’ first.

Not surprisingly, it hasn’t taken long for comment to surface from organisations such as the ICO, with some strong and thought-provoking points.

Safeguarding data

At the annual report launch on 28 June 2016, Information Commissioner Christopher Graham updated the ICO statement:

“Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.

Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

The ICO has hit the nail on the head. UK organisations will continue to grow their reliance on digital efficiencies to expand their business, and cyber criminals will continue to evolve their techniques. Therefore we need to reform our data protection regulations to recognise these changes and help businesses reduce the risk of an attack that results in important data falling into the wrong hands. We still need to work with other countries in this battle (inside and outside the EU): the more information we share, the better we can understand trends and the better informed we are to mitigate the risk of criminal success. The GDPR is a great starting point and the most current regulation we have access to.

Maintaining competitive edge – in or outside of the UK

Speaking on how this might affect the General Data Protection Regulation (GDPR), Michael Hack, senior vice president of EMEA operations at Ipswitch, told

“Now the UK is out it will be governed by a different data protection regime, but it will still need to adhere to suitable data protection measures in order to transfer data to and from the EU. So in many regards, the requirements of the GDPR will still apply and it is back to the business of preparing for it, then.”

Non-EU businesses that trade with the EU will have to comply with EU data protection laws to maintain that business. But how many non-EU customers use UK services because of our compliance with EU law? For these customers, it may not be about us being in the EU, but about us maintaining a high standard in our policies and being a country known for its high standards. We need to maintain consistency with the GDPR to assure our overseas customers of that consistency going forward. For those who do not trade with Europe, this gives you slightly less to worry about. But how do you plan to take responsibility for protecting your business? How do other businesses know you are taking the threat of lost data seriously? Do we really want a multi-tier system of compliance when the criminals maintain a consistently high standard? Will you lose business to other organisations that comply with the EU regulation because it makes a client feel safer, even if you are both UK organisations?

Responding effectively to the unexpected

According to a Brexit analysis in SecurityWeek:

“GDPR is likely to go ahead in the UK. Technically, it must go ahead since it will become law before the UK actually leaves the European Union. Practically, it will go ahead because it is the easiest way to maintain ‘privacy adequacy’ and continue easy trading between the UK and Europe. This immediately removes one of the big issues: there will be no need for US companies to move servers from London to The Hague simply to conform to GDPR. “In fact,” comments Drew Koenig, a former corporate CISO and now security solutions architect at Magenic, “the new GDPR guidelines voted in this year and going into effect April 2018 is not geographically focused. Brexit or not, all countries in the agreement, which the UK is, will have to abide by the GDPR rules where EU citizens’ data is housed whether the servers are in France, the UK or the US. Brexit does not remove or lessen security obligations, nor should it.”

Ultimately, the GDPR comes into effect in May 2018 and the earliest we are going to come out of the EU is September 2018. We have a legal obligation to implement EU laws until we leave, so realistically, are we going to implement a regulation and then let it all drop a few months after so much preparation? And, ultimately, is something to protect our businesses from a worldwide threat really such a bad regulation to enforce?

The challenge of cyber crime is not going away, so surely we need to respond effectively. We regularly see news stories of businesses being hacked, resulting in the loss of thousands of people’s data. Do you want to see this continue, or should we take better action?

We have had major input into the new EU regulation, and it could take a long time to rewrite our own standards, which would still need to align closely with the GDPR.

What now? General consensus

So far, the general consensus is that the GDPR will still go ahead and now that we are leaving we will probably have to align with it more thoroughly.

There is no need to panic, but businesses do need to start thinking about how they are going to implement the changes and progress towards the EU regulation. Don’t ignore it: have plans for compliance in motion.

With time, we will have more answers to our questions, but in the meantime we suggest that you continue to take the EU legislation seriously and use the remaining months to implement changes in your business and train staff accordingly, so you don’t have an almighty rush in 2018.

If you are feeling overwhelmed by your data security and the regulations and would like to understand more, please call us on 01727 843888 and we will discuss this further with you.