Companies face cyber security double whammy in Brexit and GDPR
Companies processing and storing EU residents' personal data face two major challenges in the coming years. The first is the European General Data Protection Regulation (GDPR), which comes into effect in May 2018. The other is Brexit.
As it stands, the GDPR will apply to all EU member states. Britain will still be a member of the European Union at that time and therefore GDPR will also apply to it. In practical terms, this means that companies in Ireland and the EU can continue to send and receive personal data to and from companies within the UK and Northern Ireland.
However, once the UK leaves the European Union in March 2019 (the current date for Brexit to take effect, unless this date is extended), things may not be so clear. After March 2019 the UK will no longer be part of the EU and therefore GDPR will no longer directly apply to organisations in the UK and Northern Ireland. Organisations that are still within the EU, however, will have to ensure that any personal data they transfer to, process in, or store within the UK complies with the stringent privacy requirements set out in GDPR.
To address this challenge the UK intends to update its data protection regime to incorporate the goals of GDPR. In this year's Queen's Speech, it was noted how important data is to the UK economy and that "over 70pc of all trade in services are enabled by data flows, meaning that data protection is critical to international trade".
To reinforce the importance of this the UK introduced the Data Protection Bill in August. This bill is designed to implement the goals and objectives of the GDPR into UK law so that the data protection regime within the UK remains in line with that of the EU.
The question remains, though: will that be enough? Under current data protection law, and under the upcoming GDPR, it is illegal to export the personal data of people within the EU to countries outside the EU unless those countries are part of the European Economic Area, are recognised by the EU as third countries with adequate data protection laws, or there are other binding arrangements in place, such as the EU-US Privacy Shield or obligations built into contracts.
So, the big question is whether the UK will be considered an acceptable third country by the EU after Brexit. While the UK believes the new Data Protection Bill will be sufficient for it to be considered an adequate third country, there are several other UK laws that could undermine this. The UK's Investigatory Powers Act 2016, for example, could prevent the UK's post-Brexit data protection regime from being considered robust and adequate enough for the EU. The Investigatory Powers Act has been dubbed the 'snooper's charter' because of the wide range of powers it gives UK security services, such as the weakening of encryption, the granting of hacking powers to the security services, and the requirement for ISPs to store the browsing history of all users for 12 months.
Of course, until Brexit happens and all the negotiations are concluded, we will not know for certain what the data protection landscape will look like. Until then it is worth remembering a few points. First, GDPR will remain in effect within the UK and Northern Ireland until Brexit happens, so there is no need to make any notable changes before then. Second, it would be prudent to start identifying what personal data is transferred to and from the UK and Northern Ireland, either directly by your own business or by your suppliers; until the UK leaves the EU, GDPR will still apply to those companies. Finally, keep an eye on how the Brexit negotiations are progressing, with a focus on the data protection frameworks. If it looks like the UK Data Protection Bill will not be sufficient for the UK to be considered an adequate third country, then you need to consider different legal frameworks, such as Model Contracts, to continue using UK-based companies to process personal data. Alternatively, you may need to consider moving your business to companies located elsewhere within the EU.
GDPR and Brexit will potentially bring many challenges to organisations over the coming years, but proper planning, and keeping abreast of how the talks on data protection develop post-Brexit, will help you stay on top of those challenges.
Brian Honan is an independent security consultant with BH Consulting and is one of the speakers at Dublin Information Sec 2017, Ireland's cyber security conference, which addresses the critically important issues that threaten businesses in the information age. For more on INM's Dublin InfoSec 2017 conference, go to: independent.ie/infosec2017