Cyber security and data protection may be impacted by the United Kingdom's decision to leave the European Union.
Prime Minister Theresa May's decision that the UK will trigger Article 50 of the Lisbon Treaty on 29th March 2017 means the UK will leave the EU by summer 2019.
In this factsheet we discuss the current EU Position on Cyber Security and data protection, GDPR post-Brexit, possible adverse effects on Cyber Security in the UK, and the UK's post-Brexit options and 'adequacy' of Data Protection.
Current EU Position on Cyber Security and data protection
In order to combat cybercrime, the EU has implemented legislation and supported operational cooperation, as part of the ongoing EU Cybersecurity Strategy.
The (UK) Data Protection Act 1998 implements the EU Data Protection Directive. The EU's General Data Protection Regulation (GDPR) is due to come into effect on 25 May 2018, which is predicted to be during the negotiation period before the UK formally leaves the EU.
It is likely that the GDPR will have direct effect and will automatically become part of UK law. The European Union has set up a website, Key Changes of General Data Protection Regulation (GDPR), which summarises the main changes as follows:
- You will have an obligation to perform data erasure in response to individuals’ exercise of their “right to be forgotten” i.e. withdrawing their consent to your storing or using their personal data and to request their data be deleted.
- The obligation to ensure that any personal data you hold has been collected after obtaining consent that was explicit, rather than implied. The data must be freely given, rather than under the duress of not being able to access your services. It must also be requested in clear and plain language and asked for in a distinctive “standalone” fashion.
- You will also have an obligation to allow individuals to see their own data, to release a copy of any data you hold about them in a commonly readable format, so they can exercise the right to transfer personal data from one service provider to another.
- You will have to notify the relevant data protection authorities within 72 hours – in the UK it’s the Information Commissioner’s Office – about serious data breaches and any affected individuals if the breach affects their fundamental rights.
The scope and liability are as follows:
- Applies to all companies processing EU subject’s data regardless of company location.
- Organisations can be fined 4% of turnover or 20 million Euros, whichever is the greater.
It is important to note that a fine of 4% annual turnover/20m Euros is only for the most serious of infringements like breach of requirements relating to international transfers or basic conditions like consent. There is a less stringent – although painful – fine of 2% annual turnover/10m Euro for specified lesser infringements.
Will UK companies have to comply with GDPR post-Brexit?
In Cyber Skills threat and compliance issues for UK post Brexit, John Cohen (from New Statesman Tech) writes:
“Firms trading in the EU are today held accountable by the UK Information Commissioner Office (ICO), and also the EU General Data Protection Regulation (GDPR), which was adopted on the 14 April 2016 and so the two-year countdown to compliance is now on. The headline difference between the ICO and the GDPR is the extent to which firms can be fined for data breaches. The UK ICO (Information Commissioner’s Office) states 2 per cent of global turnover, whereas the GDPR is regulated to 4 or 5 per cent. Whichever number you take, these are significant chunks of change regardless of the size of your organisation, with the GDPR probably taking the edge in terms of keeping you awake at night.”
“Will Brexit free you from this worry? Probably not; if your firm trades in Europe or holds data related to any EU citizen, then both the ICO and GDPR will continue to apply. From a cyber perspective on Brexit, has this cleared anything up? Food for thought perhaps, but nothing yet is clear.”
Michael Hack, senior vice president of EMEA operations at Ipswitch, is in agreement. He told SCMagazineUK.com:
“Now the UK is out it will be governed by a different data protection regime, but it will still need to adhere to suitable data protection measures in order to transfer data to and from the EU. So in many regards, the requirements of the GDPR will still apply and it is back to the business of preparing for it”.
Possible adverse effects on Cyber Security in the UK
SC Magazine asks How will Brexit affect the cyber security industry in UK and Europe? The key areas identified are:
Brain Drain of skilled Cyber Security personnel
“One person who thinks it will be bad for cyber-security and technology in general is Simon Crosby - CTO and co-founder of Bromium. The incredible technical talent in the UK just became a lot cheaper for foreign countries to hire…. I expect many of them to leave the UK permanently for countries that will pay what they are worth, such as the USA”.
Cutbacks in Research and Training
“There is another longer term worry: Over a third of research funding for universities in the UK comes from the EU. In the absence of new funding from the UK government, there will be a huge impact on universities' ability to deliver highly skilled tech workers to the UK economy”.
Greater vulnerability to Cyber-attacks
“Meanwhile, 38 percent of those who work in IT security fear that the outcome will make the UK more vulnerable to cyber-attacks since they no longer benefit from intelligence sharing with other EU states, according to research from Unified Security Management and AlienVault”.
However, “most information security professionals appear unconcerned with the impact of this referendum on UK cyber security,” said Neil Harvey, vice president of EMEA at Tripwire. “This could mean that they believe that the UK's approach to cyber security won't change significantly either way, but it's also possible that EU hasn't provided enough transparency around the impact of new regulations in the near term to make a difference to professionals that grapple with these issues every day.”
International Business Times has an article Brexit cyber security experts predict rise in cybercrime after changes to security law:
“Brexit is likely to have a negative impact on capable guardians, given that the seamless cooperation of cybercrime task forces across Europe, considered a priority to address criminal threats in cyberspace, now has a seam in it. This could hamper prosecution of cross border cybercrimes, and most such crimes cross borders. Complex issues of transnational law enforcement funding could degrade police performance, and the UK's need to renegotiate 80,000 pages of legal agreements with the EU may strain legal resources.”
The UK's post-Brexit options and 'adequacy' of Data Protection
Bird and Bird law firm has an article, Brexit data protection and cyber security law implications, which gives us the following options:
"The European Free Trade Association (EFTA) model: For Norway, Iceland and Liechtenstein (the existing non-EU members of the European Economic Area known as the EEA) this currently means that they have each implemented the Data Protection Directive and the e-Privacy Directive into their respective local laws. It seems unlikely that the UK will be able to avoid accepting the General Data Protection Regulation (GDPR) as is if this option is adopted."
"The Swiss model: Switzerland is not a member of the EEA. Switzerland's laws have been recognised as "adequate" by the European Commission (EC), i.e. adequately protective of the rights of EU citizens, thereby enabling transfers of personal data from EU data controllers to Swiss based importers to legitimately take place. It remains to be seen whether, when and how Switzerland will update its current data protection laws to mirror the GDPR to ensure that its 'adequacy' decision is not revoked by the EC after the GDPR comes into force, although the Swiss government has already indicated its intention to seek to retain its adequacy status after May 2018. The U.K. would face the same decision in relation to GDPR adoption were it to adopt a Swiss style relationship with the EU."
"The 'go it alone' model: the UK might now seek to strike deals with the EU independently or via collective organisations. However, recent history tells us that, when it comes to the question of data transfers, EU regulators and courts take an extremely dim view of countries which do not adopt EU-strength data protection laws. The current stand-off with the USA in respect of the now invalid Safe Harbor data sharing arrangement is a case in point…. The question will inevitably arise soon after the GDPR's 25th May 2018 introduction whether the UK laws offer data protection 'adequacy'. The answer will almost certainly be that they do not… Looking at each of these options it seems likely that either the GDPR or a law that looks very like it will be required in the UK after Brexit takes effect".
The impact of the Brexit vote upon the UK Information Commissioner’s Office
The large number of UK businesses which are likely to fall under the jurisdiction of the GDPR could find themselves in the position of being subject to guidance and/or being judged by a body which does not include their own national regulatory body.
How can the IoD help?
Find out more in our Cyber security factsheet
Take advantage of our negotiated Cyber and data risks insurance
Read our cyber threat report Cyber Security - Underpinning the digital economy and our March 2017 release Businesses need to “get real” about cyber security.
© Institute of Directors. All rights reserved.