After years of negotiations, the UK has left the EU. But while much of the focus was initially on the details of business and trade, Brexit has the potential for sweeping changes to cyber security legislation. Find out what Brexit means for your organisation’s approach to cyber security and how to prepare for any changes.
Does GDPR still apply after Brexit?
The General Data Protection Regulation (GDPR) was enshrined in UK law in 2018 – changing how personal data is processed. The rules and obligations it put in place applied to everyone who processes data belonging to people in the EU, including organisations outside of the EU if they have EU customers. Personal data is any information that can be used to identify a living person – that includes names, delivery details, HR data and payroll – so this meant most businesses had to make big changes in order to comply.
Under the Withdrawal Agreement, EU data protection law was converted into UK domestic law. The government has stated that ‘The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.’ It also emphasised that ‘The UK remains committed to high data protection standards.’
Will organisations face new cyber security legislation after Brexit?
Any UK businesses active in the EU still have to comply with GDPR. That’s because the regulation applies both to organisations with headquarters or branches located in the EU and to those located exclusively outside of the EU that offer goods and services to, or monitor, individuals in the EU. But does the government have plans to relax this in the future?
Prime Minister Boris Johnson’s former chief adviser Dominic Cummings made no secret of his disdain for GDPR. He championed vast data collection and saw Brexit as an opportunity for Britain to do away with what he described as ‘idiotic laws’. ‘We will be able to navigate between America’s poor protection of privacy and the EU’s hostility to technology and entrepreneurs,’ he said.
Cummings may be gone, but some of his thinking remains. In September 2020, the government unveiled its National Data Strategy. It contained a pledge to remove legal barriers ‘real and perceived’ to data use, alleviating data compliance obligations, particularly for SMEs. It also pointed towards a future of increased international data sharing and promised to deliver a ‘radical transformation of how the government understands and unlocks the value of its own data.’
Could divergence from GDPR be a good thing for business?
At first glance, GDPR can seem like a huge undertaking for SMEs, so some business owners might welcome the idea of diverging from the EU regulation. But, while the European Commission (EC) has acknowledged the complexities GDPR poses to some SMEs, it has also argued that businesses should not be exempt from data obligations because of their size.
UK relaxation of these rules could create concerning loopholes and confusion, eroding public trust in smaller companies. Equally troubling is the strategy’s approach to cross-border data transfers, with decisions resting solely in the hands of the Secretary of State (previously requiring consultation between the EC, the European Data Protection Board and member state representatives). This lack of oversight could lead to personal data being sold off to the highest bidder or becoming a pivotal pawn in trade negotiations.
If the UK were to relax local cyber security laws, any businesses that trade internationally would also face the prospect of complying with multiple sets of requirements: one set for UK customers, one for EU customers.
Is the UK likely to relax cyber security legislation?
While there might be an ideological desire in government to relax cyber security legislation, practical considerations might mean that we won’t see any changes just yet.
The Withdrawal Agreement created a six-month ‘bridging mechanism’ that allows the free flow of data between the EU and the UK. But this mechanism will only last until the EU has finished conducting a data adequacy assessment of the UK. A positive outcome would mean that personal data can continue to flow freely from the EU to the UK, without businesses needing to take action. A negative outcome could have major implications for data movement and sharing.
As such, it is in the UK Government’s interest to maintain alignment with GDPR to achieve that positive outcome. But this does not preclude the possibility that it will later seek to diverge from GDPR.
How can businesses prepare for compliance post-Brexit?
The best approach right now is to continue to comply with GDPR. This will mean you remain compliant with laws as they exist, and give you a greater chance of being already compliant with any relaxed laws the UK introduces.
After all, GDPR itself caused a lot of concern back in 2018. But while some businesses struggled to adapt, many of the issues were caused by having only limited existing cyber security frameworks. The businesses that had already implemented rigorous security practices, such as an Information Security Management System (ISMS), were already compliant in most areas dictated by the regulation.
That’s because an ISMS furnishes an organisation with clear, rigorous internal processes that help staff members ensure that data is kept safe and gives them clear guidance if and when things go wrong. And the better your internal processes, the better prepared you’ll be to meet the requirements of any new legislation that may come into force.
Preparing for what’s to come
It’s impossible to predict the future, and Brexit has certainly introduced uncertainty to some areas of business. Cyber security is just one of those areas, but maintaining the strictest information security isn’t just about protecting your customers and instilling trust in your business; it also leaves you prepared for any changes to legislation that might occur in the near future.
To find out more about Information Security Management Systems, take a look at our Beginner’s Guide to ISO 27001, the internationally-recognised ISMS standard, and discover how you can defend your data and your business in a post-Brexit world.