Grounded in the Cloud

How could Brexit impact GDPR and data privacy?

SimonLeech

As a British citizen living in the Netherlands, the majority decision by the British people to leave the European Union following the referendum has left me with a number of concerns regarding my future identity in an EU without Great Britain. One of those concerns is how my personal data stored in the UK will be handled post-Brexit.

Indeed, as information security professionals, we face a number of questions about how the General Data Protection Regulation (GDPR), agreed upon by the 28 states of the European Union earlier this year and due to become enforceable in early 2018, will apply to the UK. Will UK companies still need to comply? Should we bother spending time implementing controls to make us GDPR ready, or can we better spend our time elsewhere? Will the UK come up with an alternative to GDPR, or are data movement and data sovereignty no longer a concern post-Brexit?


All of these questions are of course very relevant, and whilst it’s still early days, with no clear guidance as to exactly what can be expected from a GDPR perspective when GB leaves the EU, there are definitely a number of aspects that should be taken into consideration.

Firstly, regardless of whether UK companies are legally required to comply with GDPR, the guidelines that the regulation puts into place are solid guidelines for any organization: protecting customer data via a privacy by design principle, mandatory data breach notification without undue delay, and data protection impact assessments are all good practices, and should be followed wherever possible.

Secondly, and maybe more importantly, the GDPR isn’t about the location of data. Instead it’s about the subject of the data. So if, as a UK business, you are gathering and storing data about EU citizens, there is a chance that you will be expected to deliver on the regulations introduced by the GDPR anyway, even if the data is stored in a UK datacenter. In fact, I could imagine that some EU based organizations may even see this as a necessary cost of a UK business taking part in free trade agreements across EU borders, so if you’re not GDPR compliant, you might find yourself losing business customers.

Thirdly, since (at the time this article was published) the UK hasn’t officially started the process of withdrawing from the EU, and that process is expected to take several years, there is no guarantee that the UK will be fully separated from the EU before GDPR comes into legal effect in May 2018. Therefore it would still make a lot of sense to investigate GDPR compliance efforts now in order to avoid a potential last minute rush in 2018.

Of course, at the moment this is all conjecture. Until the powers that be have spoken, any opinions on what will or won’t happen with regard to citizen data when the UK leaves the EU are just that: opinions. So, for what it’s worth, my opinion is that the UK government should seriously consider implementing GDPR as is, or at least introducing a UK specific version of the GDPR to replace the UK Data Protection Act, which many see as less stringent than GDPR. And UK based businesses looking to continue doing business in the EU should continue to consider the rules that comprise the GDPR to be as legally binding as they were before last week’s referendum. In time we will receive more and more clarity on how regulations such as GDPR will apply post-Brexit, but until then, it's worth paying close attention to how you can make your business data safe and secure from a GDPR perspective.

For further information on what GDPR means for businesses, please look at the earlier Grounded in the Cloud blog on GDPR and Safe Harbor here and a discussion about how senior executives feel about GDPR here, or download the recent Economist white paper covering digital transformation and information privacy, sponsored by Hewlett Packard Enterprise.

About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK), and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan.
