As with most aspects of the EU, unhindered cross-border data flows are something most U.K. firms just take for granted these days. Thanks to the cloud, huge volumes of corporate data is stored in third party providers’ data centres, frequently not even in the UK. Aside perhaps from those in highly regulated sectors, corporate users don’t think twice about accessing that data, and sending it to and from partners and customers on the continent. However, the U.K.’s departure from the world’s biggest trading bloc raises new questions about the legality of such transfers.
In a new report, the House of Lords has urgently requested the government keeps its data protection regime on par with the EU after Brexit, to avoid any interference in these flows. If the government agrees, as predicted, it will mean the GDPR is here to stay for good, making compliance an urgent priority that may require IT leaders to revisit their security controls.
As the Lords explained in their Select Committee report, any arrangement post Brexit which causes greater “friction” between the UK and EU would put the former at a competitive disadvantage whilst also hindering cross-border co-operation between law enforcers and the security services. With the economy in a precarious position and the digital sector contributing £118 billion and employing over 1.4 million as of 2015, the government therefore desperately needs to pursue “full regulatory equivalence” with the EU when it comes to data protection.
The “least burdensome” option for doing so would be to seek a so-called “adequacy decision” from the European Commission, confirming that the UK's data protection rules would offer an equivalent standard of protection to that available within the EU. Failure to do so could lead to the UK being forced to hammer out a Privacy Shield/Safe Harbour-style agreement, as the U.S. did. However, such an agreement would take years to finalise and, as recent judgements have shown, could still end up running into major problems.
The good news is that the government seems to recognise the importance of ensuring the free flow of data to and from our biggest trading partner. The Queen’s Speech noted that it will be looking to “put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”
One sticking point is the Snoopers’ Charter, which legitimises mass state surveillance in the U.K. and may currently not include enough safeguards to satisfy EU adequacy requirements.
GDPR: Here to Stay
That said, it would be inconceivable for the U.K. government to sacrifice free data flows and endanger the digital economy. Senior European officials have also stated their backing for unhindered post-Brexit data flows.
So, what does this mean for GDPR compliance? In short, the new data protection regulation is here to stay, past Brexit and beyond. If the U.K. government wants to ensure unhindered data flows with the EU, it will need to update its data protection regime whenever the EU does. The Lords even suggested that watchdog the ICO try to continue its role on the European Data Protection Board so that the U.K. still has a say in how the GDPR evolves post Brexit. After all, the U.K. contributed a great deal originally to the drawing up of the GDPR.
The latest research doesn’t look good, revealing that only 9% of U.K. organisations that believe they are prepared for the GDPR actually are. So, what needs to be done?
From a cyber security perspective, it’s all about following industry best practices and “the state-of-the-art” in preventing unauthorised access to and disclosure of your customer data and ensuring the confidentiality, integrity, availability and resilience of systems and services. Typical areas to consider include end-user education; data encryption; network, endpoint, server and gateway security; regular back-ups and patching; tighter access controls; formal incident response plans; and continuous monitoring and testing. Common security frameworks like ISO 27001 and the NIST Cybersecurity Framework can help.
Centrify’s expertise lies in privilege management, application and end-user access controls, helping to stop breaches that abuse privilege, target applications or start on endpoints, so we’d always recommend:
- Adaptive multi-factor authentication (MFA) for servers, applications and endpoints
- Single sign-on through SAML and Kerberos
- A “least privilege” access policy to minimise risk (including MFA)
- Privileged session recording and monitoring
- Access request workflow
- Mobility and device management
- Identity Broker to enable identity consolidation
- Privilege elevation and shared password management
- Integration with existing SIEM and ITSM solutions
- Secure remote access to apps and infrastructure for end and privileged users
Centrify is running a monthly blog series, focusing on a different part of the regulation each time. In our first blog, we explained the scope of the new law. In our second blog, we addressed the first key step, Data Mapping. Our third blog covered Brexit and its impact on the GDPR.