With large-scale data breaches often in the headlines and with GDPR due to come into force in May 2018, what effects will a post-Brexit UK have on the work of information security professionals and those charged with protecting company data?
The UK Brexit vote is a statement of intent (as Article 50 has not yet been triggered) that will have many implications, one of which is likely to be a change in how data security is regulated.
UK businesses and data security professionals alike were already aware of the main implications of GDPR and of the timescales. There was also some certainty about the replacement of the Safe Harbour data-sharing agreement with the new EU-US Privacy Shield. Opinions about how Brexit will change things have, however, been less prevalent and less confident.
Here are some insights into the possible post-Brexit implications for information and data security in the UK.
GDPR Will Still Apply Here.
With the triggering of Article 50 not looking likely for some time and with the negotiations for Brexit possibly taking years, GDPR will be law before Brexit takes place.
GDPR also applies to any country that holds data about EU citizens. We can therefore assume that compliance with GDPR is necessary and should be prepared for.
Several Options For Data Protection Law Models.
When it comes to what form the UK’s post-Brexit data protection laws could take there are a few likely options:
- Going our own way. If the UK were to make its own data protection laws, GDPR would still apply.
- Following the Norwegian model. This would mean joining the European Economic Area (EEA) and accepting the free movement of people and goods. The UK would still be subject to EU data protection regulations and GDPR.
- Following the Swiss model. This would involve securing trade deals to gain access to the EU market for each specific business sector. Swiss data protection laws are very similar to those of the EU anyway, and the UK would most likely have to keep pace with GDPR in order to be deemed adequate.
Changes for the ICO?
Until Brexit, the Information Commissioner’s Office (ICO) looks likely to remain part of the Article 29 Working Party, a body of EU data protection authorities. It is not yet clear, though, how the ICO will participate in the European Data Protection Board, which is the successor to the Working Party under the GDPR.
If Brexit occurs without the UK joining the EEA, data transfers from Europe could be affected. The UK could end up having to implement something similar to GDPR anyway in order to gain adequacy.
UK access to law enforcement data could be adversely affected by Brexit due to mistrust of the UK’s surveillance powers and laws by other EU countries. This could mean that the UK may have to negotiate data transfer agreements with other EU countries (which may still include Scotland).
What Does This Mean For Your Business?
Until a definite direction for post-Brexit data protection laws is settled upon (which could take years), businesses can only act on what looks certain and/or highly likely.
We know that GDPR will apply anyway, and the other models we could follow are likely to be quite similar to GDPR. Given the relatively limited time until GDPR comes into force, the best course of action is to keep preparing for it.