What does Brexit mean for data security

How will Brexit affect my data security?

Just as the big unfolding news story of the past 12 months has been Brexit, the biggest data security development has been GDPR. But what’s the landscape going to look like after Brexit?

Of course the exact shape of post-Brexit data security will depend on the kind of Brexit that is (or isn’t) agreed on. Whatever the conditions of the final deal, there is already a layer of protection in place- this is called the Data Protection Act 2018. Enforced by the ICO, this was brought into law in parallel with GDPR and is essentially a UK-only GDPR: whatever happens to the UK/EU relationship, this will stand in UK law and means most areas of data security will remain unchanged. There are some scenarios, however, where the transition would be less smooth.

The first and most drastic scenario would be a no-deal Brexit. While this is seen as unlikely by the UK government, the possibility still haunts the headlines and keeps political and business leaders up at night. The data protection equivalent of a ‘no deal’ would be an ‘inadequacy’ ruling by the EU against the UK- this would mean that the UK is judged to be an unsafe place to send personal data. An ‘undecided’ ruling would also leave the UK judged as ‘inadequate’ in the eyes of EU data security policy. This would mean, under GDPR, European firms sending data through the UK businesses or organisations could be fined- and would have a significant negative impact on the British economy. The same situation could theoretically be reversed: if the UK government judges the EU to be an unsafe (or not confirmed safe) it could potentially restrict the transfer of data to the EU. However the government has already confirmed it’s likely to approve this and the adequacy decision, barring any dramatic changes in the situation, is likely to be formality only, at least in Whitehall. Brussels has so far been less clear on their position but it’s likely that only a very messy final Brexit deal will lead to dramatic changes in data security rules- at least for a few years.

So what does this mean for me?

For the immediate future, most UK businesses can breathe a little easier- though it would pay not to forget about Brexit entirely. Once the UK formally leaves the EU, there could be the possibility of a future policy change on either side of the channel. The current priority for UK businesses should be to keep abreast of GDPR and follow the terms of the final Brexit negotiations: while as always keeping on top of their own data security.