Will Brexit cloud issues around GDPR compliance?

On 23 June, UK citizens took to the polls to vote on the country’s future membership of the European Union, resulting in a narrow win for Brexit.

One of the main arguments employed by the “Vote Leave” campaign was that a vote for Brexit was a vote for the UK’s legislative sovereignty: the days of Britain being compelled to enact laws handed down from its European masters in Brussels would be over, they said. If the pro-Brexit camp’s arguments were to be believed, the UK would once more be a sovereign state.

As discussions around Article 50 take off and uncertainty clouds the UK, IT professionals may be wondering how this decision will affect the recently enacted EU General Data Protection Regulation (GDPR). This became law on 25 May 2016 – just 29 days before the UK referendum on our EU membership. As of this date, organisations had two years to achieve compliance or risk huge fines and opprobrium from regulators, partner organisations and consumers alike.

Or that was the plan, at least. But does the new Brexit scenario muddy the waters? With the impending lengthy process of leaving the EU stretching out ahead, should British companies delay taking steps towards GDPR compliance until the UK’s future is clear?

In the midst of a whirlwind of complex questions on costs and benefits, this answer at least is simple: if Britain does indeed leave the EU, the vast majority of UK companies would still be bound by the GDPR. The text of the legislation clearly states that it applies to any organisation trading in the European Union, regardless of where that organisation is based, meaning that companies in a post-Brexit UK would need to comply with the GDPR in the same way as any US, Norwegian or Swiss organisation seeking to do business in the European Union.

So with less than two years to ensure compliance in time for the 25 May 2018 deadline, British companies would be well advised to start preparing for the GDPR immediately (if they haven’t started already).

Although two years may seem a long time, IT teams are faced with the challenge of achieving compliance in the face of a complex web of cloud solutions and usage. As such, if you ask IT pros about their confidence levels around achieving compliance, they are understandably a little edgy. Recent research from YouGov and Netskope found that almost 80 per cent of IT professionals in medium and large organisations are not confident of ensuring compliance in time for the May 2018 deadline.

Part of the reason for this nervousness goes back to the high levels of cloud use within modern businesses, as cloud apps pose particular challenges. Cloud apps create unstructured data which, by their very nature, are more difficult to manage. However, IT teams are also aware that unstructured data are explicitly included within the GDPR and therefore require special attention.

But how can you hope to control something you can’t see? The same research discovered that almost a third of IT professionals admit that shadow IT is rife in their organisation, meaning that employees are using unauthorised cloud apps and creating unstructured data which IT must first discover, then manage. To date, only 7 per cent of IT pros questioned had implemented a solution to this issue.

As for what those solutions might look like, blanket block policies are not an option because they nullify the huge productivity gains offered by cloud apps. Balance is desirable, enabling continued use of cloud apps and at the same time ensuring that all data, both at-rest and in-transit, are protected.

Under the GDPR, companies are required to take active measures to protect their data. Legal arrangements such as policies, protocols and contracts are not sufficient to guarantee GDPR compliance. Instead, organisations must ensure data protection and compliance in all areas by implementing deliberate organisational and technical measures. Known as ‘data protection by design’, this extends beyond traditional security measures aimed at ensuring data confidentiality, integrity and availability.

Controlling and securing data in cloud apps is integral to GDPR compliance. That means closely managing employees’ interactions with the cloud as a starting point, so IT teams must first:

  • Discover and monitor all cloud applications, both sanctioned and unsanctioned, in use across the business;
  • Know which personal data are being processed by employees in the cloud – for instance, customer information such as name, credit card details, address, or other forms of personally identifiable information (PII);
  • Secure data by setting intelligent policies to ensure that employees are not using unmanaged cloud services to store and process PII. These policies should be sufficiently granular to prevent unwanted behaviour, while enabling compliant use of the cloud;
  • Coach users in best practice so they adopt apps approved by IT, without seeking alternatives or workarounds; and
  • Use a cloud access security broker to evaluate the enterprise-readiness of all cloud apps and services. This guarantees that all data are protected both at-rest and in-transit.

Despite the shadow of uncertainty cast by Britain’s impending secession from the EU, this much at least is certain: UK firms trading with EU member states will need to comply with the GDPR when it comes into force in 2018. With the regulation finalised and that deadline looming on the horizon, more organisations and vendors are recognising the business-critical consequences of the GDPR for data protection and control.

With no need to wait for the details of the final Brexit deal, IT teams can now take full advantage of the two-year grace period to make preparations to ensure GDPR compliance before penalties for transgressions come into effect. But even with this margin, achieving compliance will still be a challenge for any organisation using the cloud.

Whatever the outcome of the Brexit process, getting a grip on cloud app use across the organisation will remain a crucial element in avoiding falling foul of the GDPR and is arguably the best place to start the journey towards compliance.

Jonathan Mepsted, managing director UK, Netskope
