There are many uncertainties regarding the UK’s recent referendum vote to leave the EU. Only time will tell if the benefits of “taking back control” will outweigh the short term costs. But this isn’t a political blog, and so we won’t be discussing the wider implications of leaving the EU. Here, we’re interested in Brexit and what it may mean for IT security.
Probably the most important topic is the EU’s General Data Protection Regulation (GDPR), which recently passed into law. Companies have until May 2018 to comply.
Ironically, the GDPR is about giving citizens back control of their own data, and providing a European-wide regulatory environment. A single set of rules will apply to all member states of the EU, and these rules will apply to both EU and non-EU companies that process the data of EU residents.
The definition of personal data is broad: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Incentives for companies to comply is strong – they can be given penalties of up to 4% of worldwide turnover.
What are the implications of Brexit for the GDPR?
Ultimately, it seems likely that Brexit will be very problematic for UK companies that store the data of EU residents. The UK will have to establish its own regulatory regime for the protection of personal data once GDPR no longer applies. Consequently, UK companies will have to comply with two sets of regulations – a significant burden. It may be simpler for new companies with an EU focus to set up in Dublin rather than the UK. Of course, they’ll still have to deal with the new UK regulations, but they can focus on the EU as it is a far larger market.
There are many other EU-related privacy and security issues that will be affected. The European Cybercrime Centre (EC3) encourages the cooperation of law enforcement agencies in fighting cybercrime. Cybercrime is no respecter of national borders, and so cooperation is essential. How the UK will be involved post-Brexit is unknown, but inevitably cooperation will become more difficult.
Also, the EU and the US are currently negotiating the EU-US Privacy Shield agreement – the replacement for Safe Harbour which was struck down by the EU’s Court of Justice last year. Brexit will leave the UK without an agreement with the US on data protection for its citizens. Again, the UK will need to set up its own agreement.
The digital world is rapidly shrinking, and trans-national cooperation is essential in matters relating to the transfer and security of our personal data. Unfortunately, the UK may end up paying a heavy price in lost opportunities as IT companies find it easier to establish themselves in an EU country. An additional incentive is that it may become more difficult to obtain skilled employees in the UK if work visas are required, rendering a slow migration across the Irish Sea almost inevitable. The Celtic Tiger may live again.