Brexit, Information Security and the European GDPR

Author: Dr Steven Winstanley, Security Consultant, Sapphire

The status quo means that the Data Protection Act 1998 remains in force and that the General Data Protection Regulation (GDPR) is still on track to be adopted in May 2018. Assuming GDPR fails to be implemented before a Brexit cut-off date, the UK government has the option to adopt the legislation or not. Adoption only means that the protection of natural persons in the UK will be aligned with the principles of the European Union, and that this could demonstrate “adequate protection” of EEA (European Economic Area) citizens’ data. The UK government could adopt a modified GDPR to remove some undesirable “anti-business” clauses, but this would then affect “adequate protection” of EEA citizens’ data.

Adopting the GDPR does not mean that the free movement of such data will be automatically granted to the UK. With regard to the free movement of data between EU countries, it would depend on whether the UK was a member of the EEA (e.g. similar to Norway) or considered a “safe third country” providing adequate protection of EEA citizens’ rights (e.g. similar to Canada). If we fail both, then organisations would have to adopt “contract-based EU model clauses” or “binding corporate rules” (the latter being unlikely), e.g. similar to organisations in countries like India.

UK organisations operating in the EU will need to review their internal data transfers, terms of business, online operations and the territorial application of privacy laws.

The EU/US Privacy Shield agreed last week will apply to EEA countries, but not to countries outside this zone. If the UK resides outside the EEA, then an EU/UK Privacy Shield could be created, but in the short term it is more likely the UK would be considered a “safe third country”.

In simple terms, how should an organisation form a strategy for information security with regard to the new GDPR when considering Brexit? GDPR Chapter 1, Article 3 (Territorial Scope) describes:

This Regulation applies to all organisations in the EEA, even if they are processing the data outside the EEA.
This Regulation applies to all organisations outside the EEA if they are offering any goods or services to persons in the EEA, or monitoring persons’ behaviour within the EEA.

This means that IF you are handling EEA personal data AND doing EEA business, then you will be regulated under GDPR by a “supervisory authority” in the EEA. This would be on top of any data protection laws in the UK.

In summary, it is prudent for organisations to plan for the adoption of tighter privacy laws across all options, equivalent to GDPR compliance in May 2018. Organisations should review and update current administrative and technical controls. Most importantly, under GDPR’s accountability heading, organisations need to demonstrate information security compliance, and under GDPR’s mandatory breach reporting requirement, solid detective controls need to be implemented.
