Security Think Tank: Brexit – An opportunity to clean house

What are the pros and cons of Brexit for information security professionals and data protection?

The Brexit debate managed to overshadow many things in the run-up to the announcement.

If you work in security or data protection, then speculation about the implications for European Union (EU) directives, legislation and regulation will have been top of mind.

This is especially so given the announcement of the long-awaited General Data Protection Regulation (GDPR) and the UK business response to its much tougher approach to protecting the data of people who lend it in good faith to organisations.

Data protection is frequently seen as an onerous activity. This is a great shame and means that the opportunities afforded to businesses to exploit the information assets they are managing – inside a framework of respect for privacy, need for accuracy and top quality pragmatic protection – are lost.

A recent survey from Infinigate and GFI indicated that 52% of responding organisations use The Data Protection Act as a compliance driver. That 52% is worrying, considering this is law and not an option.

GDPR will very probably have come into force prior to the UK’s exit from the EU. There is nothing to indicate that the UK would not choose to adopt this best practice anyway, regardless of the final exit date.

Given that the UK will probably need to obtain an adequacy finding to be able to continue to handle international data, adoption of GDPR seems like an imperative. 

It is a shame that the reaction to data protection in general is not more positive as this situation offers us the chance to really review how we handle data, culturally speaking.

Our Data Protection Act is still in force and consumers are looking to legislation and increasing pressure on data handlers to up their game significantly in the protection of their information. Given the GFI statistic mentioned above, this is a good thing.

This is a time for security professionals to start collaborating with data protection and audit teams. Data protection is not the sole reserve of data protection teams – it requires buy-in from a whole organisation and the crossover points need careful collaboration and meaningful dialogue.

If consumers are expecting the government to enforce stricter legislation around data protection than it currently does – and the All-Party Parliamentary Group findings would certainly seem to indicate that this is the case – then there is another layer of this post-Brexit world we need to ensure we understand if we are to continue to support our organisations’ commercial viability on the international stage.

Only then can we reassure a nervous consumer population that the UK is still more than capable of upholding our responsibilities – or even that it is more robust, having used the opportunity to look root and branch at security culture, practices, policy, procedure and collaboration.

Brexit may have left people feeling uncertain, and it would be cavalier to think nothing would change, but is that what we would really want anyway? No change means no improvement and no improvement means escalation of threat.

We must see Brexit as an opportunity to clean house, build new methodologies that are practical and pragmatic and offer the reassurance that both consumers and the world are looking to the UK to deliver.

Mike Gillespie is director of cyber research and security at The Security Institute.