Following the recent Leave vote in the UK referendum on European Union (EU) membership, information security professionals will no doubt be eager to establish the likely short-term and long-term effects that Brexit will have on UK data protection law and the industry as a whole.
In particular, what is Brexit likely to mean in relation to the European General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS Directive), and what are the practical implications for organisations?
The NIS Directive was formally approved by the European Parliament on 6 July 2016, putting it on course to be transposed into EU member states’ laws by May 2018.
The NIS Directive will impose security obligations on operators of “essential services”, such as transport, health, finance and digital services (which include online market places, search engines and cloud services).
As well as implementing national laws to give the provisions of the NIS Directive effect, EU member states will have a further six months to identify providers of “essential services”.
The timing of this might suggest that the provisions of the NIS Directive will no longer concern UK organisations, but this is unlikely to be the case. The intended outcomes of the NIS Directive – namely increasing cyber security, imposing high levels of risk management and improving co-operation across member states – will no doubt continue to be of great concern to the UK.
For the purposes of the NIS Directive, a more unified approach to cyber security is key. While it is probable that specific provisions will differ slightly, it seems unlikely the UK would not wish to pursue this common goal.
The General Data Protection Regulation (GDPR) was published in the European Official Journal in May 2016, starting a “sunrise period” that will see its provisions take effect across the EU from 25 May 2018.
Of course, the summer of 2018 could now be the time that the UK exits the EU, and it might therefore be tempting to consider the GDPR as largely redundant for UK operators. However, there are two reasons the UK could still adopt the GDPR or GDPR-like legislation:
1. If the UK is no longer a member of the EU, it would be designated a “third country” and as such would have to demonstrate that it provides adequate protection for EU citizens’ personal data.
It is by no means a foregone conclusion that the European Commission would make such an adequacy finding in respect of the UK. This could mean that organisations established in the EU member states would have the same difficulties in transferring personal data to the UK as they are currently finding with transfers of such data to the US.
Therefore, it is difficult to see how the UK could attain “approved” status without adopting at least some of the provisions of the GDPR.
2. The GDPR applies to organisations located outside the EU, but whose goods and services are aimed at EU citizens. Accordingly, any UK organisations selling goods or services to EU citizens will have to observe its provisions or risk penalties (up to 4% worldwide annual turnover or €20,000,000), wherever they are located.
In practical terms, this means the UK is likely to have to reform the Data Protection Act (DPA) 1998 to bring it into line with the GDPR, so as not to fall foul of the EU’s requirement for adequate protection of its citizens’ data.
In addition, UK organisations selling products and services to citizens of the EU will still be subject to the GDPR because of its extra-territorial reach. This was confirmed by the Information Commissioner’s Office (ICO) on the day of the referendum result, which stated that “…UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018”.
It is very difficult for security professionals and data protection advisers to second-guess their legal obligations in this rapidly changing area, especially in the light of the current political turmoil. However, it is possible to make an educated guess in relation to two legal developments.
A positive observation is that while specific details of the UK’s post-Brexit data protection law are unknown, it seems likely that any such legislation will take a form that is equivalent at least in part to the GDPR.
Accordingly, organisations can continue to follow the advice of the ICO on how best to prepare: ensure that they are compliant with the DPA, and give thought to how they would address the obligations the GDPR would introduce, such as the right to be forgotten, data portability and the appointment of a data protection officer.
Similarly, the provisions of the NIS Directive seem likely to be implemented at least to some extent to further its common goal.
However, individual member states have more leeway in the national implementing laws they ultimately adopt, the types of organisation to which the directive will apply, and the specific obligations imposed.
As a result, there is less certainty for organisations as to what the future holds for them.
The good news for organisations is that central to the GDPR and NIS Directive is the requirement for appropriate security measures, though of course the details are to be finalised.
A prudent approach for security professionals and data protection specialists is to consider what they have in place and the likely gaps.
Providers of “essential services” (notwithstanding that organisations will not know for certain whether the NIS Directive applies to them until February 2019) should take the additional step of at least giving thought as to how they will address the reporting obligations likely to apply to them.
Other than the above, all that organisations can practically do is watch this space.
James Castro-Edwards is a partner at Wedlake Bell.