The majority of the UK voted to leave the European Union last week. In addition to all the political and economic impact that follows Brexit, there is a question about how Information Security and Data Privacy will be affected. Amid the chaos, there is good news in this field: most likely, EU data protection will still apply.
While other aspects of the UK might be radically affected by the decision taken last week, Information Security and Privacy might have dodged most of the chaos. This might be because of the already global nature of information in businesses.
The first thing to consider is that nothing has happened yet from a legal point of view. The now famous Article 50 has not been triggered and there is no clear indication of when this will happen. The United Kingdom will remain a full member of the European Union for an undetermined amount of time and all privileges and obligations will still apply. This means that the General Data Protection Regulation (EU 2016/679), which will apply in full force across the EU on the 25th of May, 2018, will need to be implemented. The Information Commissioner’s Office has already indicated that GDPR has to be implemented in British law. Even after Brexit materialises, the UK will need to keep a sort of parallel legislation that is compliant with GDPR in order to access the European Single Market.
It is quite important to stress that controllers (the companies themselves using and collecting information) will be responsible for using processors (the third-party entities processing or capturing information) that comply with GDPR. Therefore, EU companies will, for compliance, only select companies that comply with GDPR requirements. The processors can be outside of the European Union, but they need to provide the level of privacy and security as requested and agreed by the EU. This makes yet another case for staying compliant with EU privacy regulations, even when these regulations might not apply directly to companies based in the UK.
More Brexit effects on data security
While it’s most likely that data privacy regulations will stay similar to the ones from the EU, there are two main issues that might still unfold:
1. There might be an even deeper shortage of IT Security personnel if free movement of people is restricted. The British industry is already lacking enough personnel in data security, and this gap might not be filled if people from the EU do not have easy access.
2. Shared intelligence might be limited. Currently, the UK is an integral part of the EU Agency for Network and Information Security and the European Cybercrime Centre. It is still unknown in what capacity the UK will continue cooperating with and benefiting from these organisations.
There is a lot of speculation about how this will affect businesses in the UK and Europe. However, until all this is known, it’s important to remain calm, keep business as usual and amend our Business Continuity Plans for any changes that might still come.