Although no member state has ever withdrawn from the EU, the United Kingdom may be about to make the leap. With the referendum just three months away, now is the time to consider what a Brexit decision would mean for the UK tech sector as a whole and, in particular, for the state of IT security at the national level.
First, a potential UK exit from the EU raises several questions about compliance with the new EU General Data Protection Regulation, and about whether any national cybersecurity policy and strategy that replaces it could be as effective.
Since 2012 the European Parliament and the Council have been working to achieve more consistency in data protection rules across Europe and to help organisations reduce their exposure to data privacy risk. In December 2015 the text of the EU General Data Protection Regulation (GDPR) was finally agreed, marking the biggest change to EU privacy law since the 1995 Data Protection Directive. The new regulation will be a game-changer for European companies in terms of transparency and accountability: it requires organisations to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, and it establishes a single lead supervisory authority per member state, so that complaints about data protection can be made in one place. Other notable changes include much larger fines for non-compliance, up to four per cent of an organisation's global annual turnover, stricter conditions for obtaining consent to collect personal data, and the right of data subjects to request erasure of personal data relating to them.
If the UK leaves the EU, the GDPR will no longer apply in the UK as domestic law. That does not mean data held in the UK will be any less of a target than it is now. Rather, Brexit will put greater pressure on the UK government to protect its citizens' data, very possibly with less international cooperation. Moreover, as a well-integrated player in the global economy, the UK will have little option but to fall into line with international rules sooner or later. The GDPR itself applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so UK businesses with European customers would still have to comply with it regardless of Brexit. State-level data protection policies routinely extend beyond geographical borders to international operations, business partners, service providers and data centres overseas. These factors will force the UK to create a new legal framework that raises existing levels of national data protection and improves enforcement against abuse.
Many in the IT industry argue that any new UK cybersecurity strategy will require a national Chief Information Security Officer. A designated UK CISO will need an intimate knowledge of the cybersecurity industry, together with the qualifications and experience required to prepare the legislative IT security framework and oversee the establishment of unified cybersecurity regulation at state level.
At an international level, the UK CISO's role will be to act as an ambassador, representing the UK in negotiating international cybersecurity agreements with counterparts in other countries. The CISO will also have the important task of supporting the UK tech sector at home and promoting it abroad, in order to maintain Britain's reputation as a world leader in cybersecurity.
In summary, as far as the UK tech sector is concerned, the key consequence of a British exit from the EU will be that the government has to undertake a root-and-branch overhaul of its national and international cybersecurity framework to ensure the UK keeps a leading role in the field of data protection.
Michael Fimin, CEO and co-founder of Netwrix
Image Credit: Flickr/Sébastien Bertrand