
Security Think Tank: Brexit – a mix of challenges and opportunities for infosec

What are the pros and cons of Brexit for information security professionals and data protection?

For information security professionals and organisations, Brexit brings its own challenges and opportunities. Fortunately, we are used to working in a fast-changing landscape, and the task ahead will be to deal with more change.

Withdrawal from the EU brings some opportunities. It means you can look to review and refine your processes and go for “best of breed”, rather than blindly following regulations. You may have the chance to speak with UK regulators and legislators to shape the future legal landscape, and help them create frameworks that allow innovation.

Also, if a future points-based immigration system incorporates cyber security, it could bring more skilled professionals into the UK from around the world.

However, UK businesses handling EU citizens’ data will still be bound by EU regulations such as the General Data Protection Regulation (GDPR). The legal and regulatory environment may become more complicated in the interim as the Brexit process evolves, and professionals will have to navigate their way through it.

Here are a number of actions you can take to capitalise on the opportunities and mitigate the risks:

Demonstrate understanding and leadership: Brief your board and employees on the value of the EU-related work for future trade. Your current security initiatives add value, help the business and protect information, irrespective of Brexit. Your organisation must still meet its compliance obligations.

Review contracts with suppliers: Ensure that contracts have a review period, that there is flexibility to change contract terms and conditions, and that you are prepared to vary the contract at that review time. Once the UK leaves the EU, you may need to vary terms and conditions (T&Cs). Use this time to get prepared, have the draft variances ready and approved by your in-house legal teams and regulators (if required), and discuss them with the suppliers in advance.

Collaborate: Collaboration with legal, compliance, HR and relevant business functions can solve problems before they occur. Collaborating with future legislators will help to shape the future of the industry in a way that suits you.

Plan for the future: Create a vision of the market and industry landscape post-Brexit. Keep up to date on legal changes by attending events and talking to regulators. Find out what your future obligations may look like. Define one or more scenarios, get buy-in from senior managers and, using an agreed scenario, work with the business to prepare for the future.

Review your GDPR project(s): Identify the changes you may need to make, which could include appointing an EU national as your data privacy officer (DPO), and discuss how your organisation can meet its obligations. Start to think about which jurisdiction you may wish to select as your EU data protection authority. Work with your board and legal team to support their decision-making. Ensure that your DPO is not part of your board or your cyber security team, so they can provide neutral, independent oversight.

As the UK’s relationship with the EU evolves, your business must evolve with it. Planning is the key to achieving this with minimal stress. Information security professionals should not only look at the effect of Brexit on their businesses, but also their potential influence on the UK’s policies in future. 

Adrian Davis is managing director for Europe at (ISC)2.
