Could Brexit Affect Your Business’ Data Security?
Britain may have voted to leave the EU, but Brexit does not mean that the UK will no longer have to follow the EU General Data Protection Regulation. The regulation will still apply to UK companies dealing with the EU.
You have no doubt heard about the new data protection rules, which allegedly are tougher than the current UK Data Protection Act 1998. Known as the General Data Protection Regulation (GDPR), these new rules were agreed in Brussels in December 2015 and will come into effect in 2018.
Obligations on Your Organisation
You will already be aware of obligations on your organisation to fulfil a range of individual rights. Under the new EU regulation, you will have an obligation to perform erasure of data in response to the ‘right to be forgotten’ of individuals, who have the right to withdraw their consent to your storing, using or sharing their personal data. Then, there is also the obligation to ensure that any personal data which your company holds has been collected after gaining explicit, rather than implied consent.
According to the data protection regulation, data should be given freely rather than under duress – for example, under the threat of being unable to use business services. It should also be requested in a plain and clear fashion, so that users know distinctly that they are being asked for their data and are giving it.
You will also be obligated to allow any individuals to see the data which you have collected on them, and release a copy of any data you hold on individuals in a format that is commonly readable, in order to allow users to exercise the right of data portability – transferring personal data from one service provider to another.
Any serious data breaches should be reported by notifying the relevant data protection authorities within seventy-two hours of their occurrence. In the UK, data breaches should be reported to the Information Commissioner’s Office. It is also your obligation to inform any affected individuals should a data breach affect their fundamental rights.
Awareness of GDPR in Wake of Brexit
Once you take the time to think about how wide-ranging the demands of this new regulation are on both the processes and data functions of IT departments, you may consider negotiating with the CFO or CEO to create a budget to resource the GDPR-compliance programme.
However, just as you feel that you are making good progress – hopefully faring better than the forty-four percent of IT professionals who indicated that they were only vaguely aware or even completely unaware of the new rules in a recent poll – you’re hit with the revelation that the UK has voted to leave the European Union. Perhaps your company does not have subcontractors, operations, or subsidiaries in the EU, and all your data is held on servers in the UK. Now that Brexit has occurred, does this new regulation apply to your business?
Regardless of Brexit, GDPR is still going to affect any UK business which offers any type of service to the EU market. This holds regardless of whether your business stores or processes the information in the EU or in the UK.
Who Does the Data Belong To?
First of all, in the wake of Brexit, you may find yourself needing to explain to your marketing or product development employees and colleagues that what triggers the applicability of GDPR is whether the data you handle is about individuals in the EU, or could identify individuals in the EU – not whether your company is part of, or trades with, the European Union.
If your data collection employees and colleagues do not understand that the GDPR applies to who the data is about, rather than where the data is stored, you could run the risk of having to spend a lot of your cybersecurity budget having to defend data which should never have been collected in the first place. You may also find that your organisation currently holds data that breaches the GDPR. This can result in your organisation being liable to fines of up to four percent of your global turnover.
Assumptions that EU data protection rules need not be applied due to Brexit may be genuinely held, but they are also legally unwarranted, which could cause indecisiveness at board level. Although the UK has voted to leave the European Union, your organisation has a short amount of time – less than eighteen months – to decide whether or not GDPR applies and implement it.
What Brexit Means for Data Protection
Even though Britain has voted in favour of Brexit, UK businesses which offer any services to EU clients – regardless of whether the data is held in the EU or the UK – will be obliged to adopt rules which are more stringent than those currently imposed by the UK Data Protection Act. Without adopting the GDPR, trade between British businesses and the EU will be off the table.
Along with that, more than a third of professionals in information security fear that the decision to leave the EU will make UK businesses more vulnerable to cyberattacks. According to a recent survey, professionals are concerned because Brexit could mean that the UK will no longer benefit from sharing intelligence with other EU member states. More than a fifth of professionals surveyed support EU legislation surrounding data protection, and believe that it benefits them and the work that they do.
Has Brexit Affected Your Business?
Whilst two-thirds of UK entrepreneurs believe that Brexit will not have much effect on their business, others are concerned that the UK’s exit from the EU will have an effect on their company’s cybersecurity. In the survey mentioned above, a quarter of professionals who responded were worried that the data held by their organisations would suffer from less security, and over twenty percent felt similarly regarding the customer data held by their organisations.
In light of this, many security professionals view the upcoming introduction of the GDPR in 2018 in a positive light, believing that certain stipulations of the regulation, for example data protection by design, will be beneficial to UK businesses – regardless of whether or not they trade with the EU. When it comes into effect in 2018, the GDPR will have the potential to significantly affect and alter how businesses which trade with the EU handle their data.
Post-Brexit Security Steps
Whether or not your business trades with the EU, if, like many UK entrepreneurs, you are concerned about the cybersecurity implications of Brexit, now is the time to act. Since Brexit may result in an increased risk of cybercrime, hacking and other attacks on UK businesses due to a reduction in intelligence sharing between the UK and EU member states, it’s important for your business to be one step ahead with security and data protection.
In light of the decision to Brexit, now is the optimum time for your business to make deals with other companies who may be able to provide you with intelligence and information regarding cybersecurity even if intelligence sharing with the EU is reduced. It is also vital for your organisation to begin putting plans in place now and anticipating any potential attack which may take place post-Brexit, including providing employees with extra training regarding cybersecurity and how to spot risks and potential attacks.
Whether or not your business will be obliged to apply the GDPR depends on whether it trades with EU member states or plans to in the future. Although the future trade status between the EU and UK is currently largely unknown, any business which currently trades with EU countries will be just as liable to comply with the GDPR, regardless of the Brexit vote. It’s also important to understand that the process of leaving the European Union could take a number of years, during which time the UK – and UK businesses – will still be required to comply with and follow EU law and legislation. It is also worth noting that the UK will be required to rewrite a large number of laws, and therefore may still adopt some EU laws or its own versions of EU laws – including the GDPR.
The UK’s decision to Brexit has definitely shaken and divided the country. With a huge divide amongst voters when it comes to factors such as geographical location, age and education, the UK is currently trying to come to terms with a decision that many never expected to happen. For business owners, the decision to Brexit could have a whole range of effects on business and data security, including level of risk and compliance with EU regulations. Regardless of whether your business trades with the EU, it’s important to weigh up the potential consequences of Brexit on your company and deal with them quickly.