The EU is implementing a major upgrade of its cyber and data protection laws in 2018. This includes but is not limited to the GDPR (General Data Protection Regulation) and the NIS (Network Information Systems) Directive. This is not the only challenge for UK and Irish businesses.
There is also Brexit to contend with. The latest negotiations will address the legal basis on which businesses may send personal information to or through the UK after the country leaves the EU.
Currently, businesses may only export EU citizens’ personal information to jurisdictions that the European Commission has determined offer an equivalent standard of privacy protection to that available under EU data protection law. That will still be the case after GDPR enters effect on May 25, 2018. A separate directive on the protection of data processed for law enforcement purposes is due to become law earlier in May, and the NIS Directive, focussed on cyber security controls for critical infrastructure, will also come into play.
The UK Government is seeking to ensure that businesses sending personal information to or through the UK are not left marooned when the country leaves the EU. It is hoping to convince the Commission that UK law post-Brexit will provide sufficient privacy protection, and is seeking an “adequacy decision” that will allow the data transfers to continue unabated.
Its efforts include a 15-page discussion paper seeking to underline the importance of data transfers in determining the UK’s future relationship with the EU. The paper offers very little detail and appears frail in comparison to the 260-page GDPR (one of many regulations it seeks to provide comfort on).
Convincing the EU is far from straightforward. In Nov 2016 the UK Government introduced the Investigatory Powers Act, nicknamed the “Snoopers’ Charter”. This allowed thousands of police officers and tens of thousands of tax inspectors to see which websites UK citizens are visiting. It mandated that this personal information be maintained by telecommunications operators. The controversial law also grants information access to officials at the government bodies that pay unemployment benefits and old age pensions, and that regulate gambling, farm workers, food health and air safety.
In 2018, the ICTTF will host a number of cyber threat summit events throughout the UK and Ireland in order to support businesses in dealing with the combined challenge of Brexit, Legislation and Cyber Threats.
More info announced on Oct 24th at www.CyberThreatSummit.com
The Court of Justice of the European Union ruled that similar powers introduced under an earlier law, the Data Retention and Investigatory Powers Act of 2014, were incompatible with EU law. This is indicative of which way the court would lean if asked its opinion.
This challenge is not limited to the UK. Businesses around the world are planning for the effects of Brexit, particularly those that send EU citizens’ personal data to or through the UK for storage or processing.
On March 29, 2019, the UK will cease to be part of the EU and, barring any agreement or arrangements to the contrary, the export of personal data from the EU to or through the UK will be banned!
The stakes are high. From an EU perspective, the flow of personal information will contribute to 3% of EU gross domestic product (GDP) by 2020, and it is estimated that the NIS Directive alone will add €500bn to the GDP of Europe.
The UK Government estimates that 75% of the UK’s cross-border data flows are with EU countries. The UK is disproportionately important to the world’s data economy, as it accounts for over 11.5% of the data flow but just 0.9% of the world’s population and just 3.9% of the world’s GDP.
It is true that some businesses that don’t want to bet on the outcome of the UK’s negotiations with the European Commission have other expensive options to ensure that they can continue moving their customers’ and employees’ personal information through the UK.
From a cyber threat perspective, awareness among businesses throughout the UK and Ireland is growing. Leadership is gaining an understanding of and appreciation for the unique characteristics that cyber threats represent. The vast array of sophisticated and pedestrian attack vectors and the multitude of threat actors is only matched by the eclectic number of motivational factors. The inextricable link of cyber threats to geopolitics is now factored in by risk professionals in the decision-making process.
Marry this with almost a perfect storm of cyber legislation and businesses have a significant challenge. There is always an opportunity in a challenge, and Ireland itself is already seeing benefits, with major financial services companies such as Barclays establishing and expanding significant bases in Dublin.
“Dublin is the top destination of the leading financial services companies that have already made statements on where they plan to set up their post-Brexit EU bases” Financial Times, Monday 10th July 2017
The UK and Ireland today enjoy a special economic relationship and the reality is businesses large and small rely on each other.
It is now time to be prepared NOT scared!