InfoSec 2017: Brexit+GDPR = business disaster?

Brexit could have disastrous consequences for UK business if attention is not paid to the ramifications of the General Data Protection Regulation (GDPR) at the time of negotiation, a senior legal expert has warned.

Speaking on the GDPR focus panel at InfoSec 2017, Cameron Craig, group head of data privacy at HSBC, told the audience of security professionals that “without a data agreement, business would grind to a halt”. Craig elaborated:

The big risk is that [post Brexit] the EU doesn’t recognise the UK as an adequate jurisdiction. Hopefully we’ll be whitelisted, and this is a key objective of the negotiation strategy. In the absence of that we’d have to create a treaty on data, like we do with the US. The bottom line is that we really do need to sort it out!

In a wide-ranging discussion about the GDPR and its ramifications, the panel identified a series of key challenges and framed the existing and upcoming advice from the ICO.

Steve Wright, group data and information security officer at the retail chain John Lewis, said that a wide-reaching challenge with the GDPR is its new format and the language around it.

Interpretation is the biggest challenge we’ve been finding, very unlike an ISO or PCI standard. Another key challenge is around the vast amounts of data on legacy systems; regulation of this area, especially for us as a retailer, is not something we’re used to dealing with.

Craig agreed, saying: “Large areas of the GDPR when compared to existing legislation are the same, just couched in different language.” He added:

There is a real challenge for the financial sector here, though, as clearly they had big data companies like Facebook and Google in their crosshairs when they were writing many of these provisions, but data processing in the finance sector can be quite different – especially around consent, for example.

The packed keynote theatre heard an initial positioning statement from the Information Commissioner’s Office (ICO) courtesy of Peter Brown, the ICO’s senior technology officer, who summarised many of the new elements of the GDPR and laid to rest concerns about enforcement, reassuring listeners that

…we probably won’t be breaking down doors on May 25 2018 and demanding 4% of your annual turnover.

The ICO has put together a series of briefing documents, including a 12-step document. One of the steps (number 11) concerns appointing a Data Protection Officer, one of the new elements of the GDPR. Brown was emphatic on one rumour in particular:

I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.

As Brown summarised:

Where should you be on GDPR? Well, that depends. It depends on your business, your readiness, and how you have been working under the DPA – which, without naming names, saw levels of compliance possibly not as high as they could have been – but in summary, you should be busy!

The GDPR applies across Europe from May 25 2018 and sets new standards for data protection, including new, more stringent penalties for organisations that breach the regulation, as well as increased protection for individuals around the use and retention of their personal data.