What Does Brexit Mean For Data Security Laws?

The UK’s vote to break away from the European Union raises many questions about the future of the myriad data security laws affecting the entire continent.

An unscientific social media poll of data privacy advocates, enterprise security practitioners and cybersecurity legal experts goes something like this:

It’s far too soon to know the true impact of the Brexit vote. For the short term, nothing changes. There are many legal and procedural hoops that have to play out before the UK is separated from the EU. For now, companies should stay the course in the work they are doing to comply with both EU and UK-specific data security laws.

Long term, there are bigger considerations: Will this vote lead to another Scottish referendum on independence or the exit of other European countries from the EU? If that happens, then laws like GDPR could undergo significant changes. Some CSO and infosec legal experts have gone as far as to say GDPR in its current form could be doomed, but it is still too early to start hammering nails in the casket.

The history of GDPR itself illustrates some of what we can expect going forward. Drafting of the law included the proposal of thousands of amendments, and the provision requiring that companies have a Data Protection Officer (DPO) proved hard for many EU countries to swallow. The administrative burden placed on organizations has been a particular point of controversy.

Some also criticized the law’s focus on social networks and cloud providers. The argument there is that the requirements for adequately handling employee data got short shrift.

The security practitioners and legal experts we spoke with said those issues will surely come bubbling back to the surface.

One thing companies need to remember: No matter what kinds of changes happen to cybersecurity laws because of Brexit, compliance is the low bar anyway. The data security and privacy measures that must be taken to protect customer information and company reputations are much more aggressive than most regulatory requirements. Comprehensive data-level encryption, for instance, will remain a must regardless of what lawmakers do with GDPR, PCI DSS, or the next big regulation.

The requirements of compliance represent the bare minimum cost of doing business in the 21st century. If companies only worry about checking off boxes, they will fail. The number-one concern must be having security in place to protect customer data and intellectual property.

No matter the implications of the Brexit vote, no one is getting off the cybersecurity hook.