Subscribe
About

'No deal' Brexit puts data at risk

Kirsten Doyle
By Kirsten Doyle, ITWeb contributor.
Johannesburg, 20 May 2019

UK prime minister Theresa May is giving MPs one more chance to vote on a Bill that would pave the way for a Brexit deal in early June.

ITWeb Security Summit 2019

Security Summit 2019 has secured eight top international keynote speakers to discuss the latest trends and threats facing SA's security community. We have Graham Cluley, an independent computer security expert and public speaker, Ofir Hason, CEO and co-founder, of CyberGym in Israel, and Pete Herzog, MD of the Institute for Security and Open Methodologies in the US and many more. To find out more, and to register, click here.

However, should this fail yet again, a 'no-deal' Brexit will make the UK a 'third country' which no longer falls under the General Data Protection Regulation (GDPR), the European Union's (EU's) data protection regime.

Any organisation that moves data between the UK and a county within the EU needs to be aware of what will change if the UK effectively signs out of the GDPR.

So says Grant Kirkwood, CTO and founder of Unitas Global, a managed cloud services provider. "While a no-deal Brexit wouldn't necessarily mean UK citizens have no access to data stored on servers in the EU, as with most aspects of Brexit, we simply don't know.'

He says many companies began moving their data centres to prepare for Brexit right after the referendum was passed in 2016.

"Most of these projects have been completed by this point, so the biggest complication that enterprises will face in the event of a no-deal Brexit is changes to data sovereignty laws.

"Once the UK leaves the European Union, they will no longer fall under GDPR regulations. I suspect in the first few months, the UK will develop their own version of the EU's GDPR, but given the initial purpose of Brexit, at some point they will begin to diverge."

Speaking of UK businesses whose data is already stored on servers within the EU, Kirkwood says with the Brexit date coming up in a couple of weeks, companies that have not already moved their data centres will not have time to do so before the exit.

He says the best course of action is to prepare legally. "After GDPR was implemented in May 2018, you may remember receiving updated data privacy policy notices from EU-based companies. The same slew of updated policies is bound to happen as Brexit unfolds."

This will be especially important for UK-based companies storing their data on EU servers because they will no longer fall under the regulations of GDPR, but their data storage facilities will. Informing customers of the data laws applying to them and covering all legal bases will be an essential step following 1 June, he explains.

Global commerce

Although they are not subject to the GDPR, where they store their data still matters, adds Kirkwood. "We live in a world of global commerce and expecting EU citizens to never interact with UK business is unrealistic. Even if a company based in the UK won't fall under the jurisdiction of GDPR, many of their consumers will. Keeping them up to date on the data sovereignty laws of the UK following Brexit will ensure a company is legally covered should any complications arise between the EU's GDPR and the new data sovereignty laws that are bound to be established in the UK."

He says if a UK-based company is storing its data in the EU that data will still be subject to the rules and regulations of GDPR. "The jurisdiction of GDPR is geographically-based, not individually-based. To give another example, a UK citizen living in the EU will still be subject to the laws of GDPR because of their physical location regardless of their nation of origin or citizenship status, and the same will be true for businesses."

Kirkwood says before 1 June, there is still time for organisations to approach access to data from a legal perspective. "Keeping customers informed and updating privacy policy documents will be the biggest protection in the event of a no-deal Brexit. Once the dust has settled, UK legislators will likely begin drafting data sovereignty laws unique to the UK and companies will need to adjust accordingly."

With so much uncertainty about the future, one approach he suggests companies can take is migrating their data to a public cloud provider, such as Azure or Amazon Web Services. "Before doing so, companies need to connect between in-house data centres, private cloud servers and public cloud servers to ensure a smooth migration."

Share