In today's digital economy personal data is the new oil. Companies see immense value in gathering data about individuals to profile and influence them in their choices of brands and products.
Indeed, as we have seen from the controversy over Facebook and Cambridge Analytica, personal data can be manipulated to influence how people view the world and how they cast their vote. As this episode demonstrates, personal data as the new oil has lots of value but, just like oil, if personal data is leaked or misused it can have major toxic and negative impact on individuals and the general environment.
With Brexit looming, the protection of personal data within companies based in the United Kingdom, including Northern Ireland, is becoming more and more of a concern.
While the EU General Data Protection Regulation (GDPR), which comes into effect in May, brings in more stringent requirements on how companies protect and manage personal data entrusted to them, what guarantees will we have once the United Kingdom has left the EU and is no longer bound by the GDPR?
The challenges we have seen in the UK Information Commissioner's Office getting a warrant to investigate Cambridge Analytica do not provide much comfort or confidence.
Brexit is due to happen in March 2019 but, until then, the United Kingdom will still be a member of the European Union. As such, the GDPR will still apply to companies and organisations within the UK and we can continue to transfer personal data across those borders confident the protections applicable to the personal data here in Ireland will equally apply to that personal data within the UK.
However, once the UK leaves the European Union the situation is not so clear. Despite the recent publication of the 129-page Brexit Agreement, which outlines the terms of the UK's withdrawal from the EU over a two-year transition period, there is little or no clarification around how personal data can be transferred to and from the United Kingdom during that transition period or after it.
This lack of clarity should cause concern for companies that rely on the flow of personal data into and out of the United Kingdom, as organisations within the EU will have to ensure personal data they transfer, process, or store within the UK complies with the stringent privacy requirements outlined in GDPR.
This lack of clear guidance will make this a tough challenge.
Do companies migrate away from UK-based companies to EU-based competitors? Or do they wait to see what happens during the Brexit process and hope that everything works out?
Most people know that hope is not a strategy and this was reinforced on January 9 this year when the European Commission published a Notice to Stakeholders confirming that, post-Brexit, the UK will be considered a "third country" when it comes to the transfer of personal data into and out of that jurisdiction.
This in effect means it will not be possible for EU organisations to transfer data to organisations within the UK unless strict conditions are in place, such as contractually binding agreements between organisations or an arrangement for the transfer of personal data to and from the UK, similar to the US-EU Privacy Shield agreement in place to facilitate similar transfers to and from US companies.
The EU can of course review this position and may determine the data protection regime within the United Kingdom post-Brexit will be robust enough to meet the requirements of the GDPR.
To achieve this goal, the UK introduced the Data Protection Bill in September of last year. This Data Protection Bill, currently working its way through Westminster, is designed to implement the goals and objectives of the GDPR into UK law so that the data protection regime within the UK remains in line with that of the EU.
While the UK believes the new Data Protection Bill will be sufficient, there are several other UK laws that could undermine this.
Notably, the UK's Investigatory Powers Act of 2016 could prevent the UK's post-Brexit data protection regime from being considered robust and adequate enough for the EU. The Investigatory Powers Act has also been dubbed the snooper's charter, owing to the wide range of powers given to UK security services, such as the weakening of encryption, the granting of hacking powers to security services, and the requirement for ISPs to store the browsing history of all users for 12 months.
Of course, until Brexit happens and all the negotiations are concluded we will not know for certain what the data protection landscape will be like. Until then it is worth remembering:
• GDPR will remain in effect within the UK and Northern Ireland until Brexit happens. Until then, March 2019, there is no need to make any notable changes.
• It would be prudent to start identifying what personal data is transferred to and from the UK and Northern Ireland, either directly by your own business or by your suppliers.
• Ensure that any of your UK-based suppliers are progressing their own compliance against GDPR. Until the UK leaves the EU, GDPR will still apply to those companies.
• Monitor how the Brexit negotiations are progressing with a focus on the data protection frameworks. If it looks like the UK will not be considered an adequate country, then you need to consider different legal frameworks, such as Model Contracts, to continue to use UK-based companies. Alternatively, you may need to consider moving your business to companies located elsewhere within the EU.
GDPR and Brexit will potentially bring many challenges to organisations over the coming years, but proper planning, and keeping abreast of how talks regarding data protection post-Brexit are progressing, will help keep on top of those challenges.
Brian Honan, CEO of BH Consulting, is one of Ireland's foremost experts in cybersecurity and will be a speaker at Dublin Data Sec 2018 - Ireland's GDPR event - which takes place on April 9, 2018 in the RDS Concert Hall. Please visit www.independent.ie/datasec2018 for further information and tickets.