Economic and InfoSec Implications of Brexit, GDPR
On Thursday, there will be a major vote on whether Britain will leave the European Union, also known as the portmanteau of the words Britain and exit = “Brexit.”
However, whether or not your business is in the EU, you will likely still have to comply with the General Data Protection Regulation (GDPR) that outlines new rules that impact the information security industry and beyond.
Economic Impact of Brexit
Why would they leave? Pro-Brexits say leaving the European Union will restore the country’s identity and its own culture and independence in the world. According to the NYTimes, this argument is often expressed by opposition to immigration.
The supporters of remaining argue that staying in the union is better for British economy. Membership in the European Union allows access to an open export market and foreign direct investment. It also allows London to be established as a global financial center, accounting for 12% of gross domestic product (GDP).
According to the NYTimes, the economy has already been affected, as the pound is at its lowest valuation in seven years. Her Majesty’s (HM) Treasury estimates that a Brexit could cause economic damage of 3.4% to 9.5% of GDP in the next 14 years, according to an article from IFSEC Global.
That makes staying within the EU clearly within the interest of the business and security community. And according to surveys conducted by the Confederation of British Industry (CBI) and reported by the Economist, 71% of small and medium-sized (SME) enterprises want Britain to stay in the EU, while 80% overall vote to stay.
Other specialist trade associations, like TechUK, reports 70% want to stay in the EU, and another survey by the UK arm of the International Chamber of Commerce reports 86% of international businesses would like to remain in the EU.
According to ComputerWorld UK, the UK’s economy is 78% services, with the core of it being data and its free movement across national boundaries, meaning Brexit would certainly affect it.
Information Security Impact of Brexit
Some argue that regardless of whether or not Britain stays in the EU, the newest data protection guidelines will still affect all UK businesses.
The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018 after four years of negotiations, resulting in the finalized text in December 2015. The GDPR includes stricter rules than the current UK Data Protection Act of 1998 and intends to reform the EU Data Protection Directive, according to ComputerWeekly.com.
Those rules include:
- An obligation to delete an individual’s data based on their “right to be forgotten;” their right to withdraw consent to storing/using personal data
- Companies must give individuals access to their data and provide a copy of any data held by them in order to allow individuals to transfer their personal data from one service provider to another.
- Companies must explicitly ask for consent to collect and hold personal data. And that data must be given freely, not asked for in exchange for using a company’s services.
- Plus, organizations must notify data protection authorities within 72 hours after they learn of a serious data breach, as well as notify any affected users/customers.
There are some major financial penalties for noncompliance with these rules, including up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater, according to ITGovernance.co.uk.
InfoSec Europe: Data Privacy, EU, GDPR & The Global Connected Enterprise
At InfoSecurity Europe this year, I attended a panel discussion about Brexit and the data protection implications, Regulation, Risk & Privacy: Data Privacy, EU GDPR & the Global, Connected Enterprise.
One panelist, Eduardo Ustaran, partner in the global Privacy and Information Management practice of Hogan Lovells, argued that the UK must follow EU protection laws as it’s the only way to be part of the digital economy in a meaningful way.
Another panelist, Iain Bourne of the Information Commissioner’s Office, suggested that the UK might have its own functioning data protection law, separate from the EU. While not 100% GDPR law, it could still be some form of information rights law.
Nina Barakzai, Group Head of Data Protection & Privacy at Sky, argued that organizations must have the free flow of data across all boundaries to get news to people, pay employees, and service customers lawfully.
The panel also mentioned that the US frameworks don’t provide enough protection for data accessed by government authorities - no matter how safe your cloud is, the US government still has access to that data, according to EU court.
They also brought up the point that the GDPR will allow regulators to go after the contractor or vendor that has a breach or security incident, instead of the organization. This is similar to the US’s HIPAA legislation for the healthcare industry that includes business associates in the scope of who is responsible (and liable to be fined or sued) in the event of a data breach.
Either way, the general consensus is that the UK still needs some form of data protection and privacy laws that will enable them to do business within the EU and beyond.