Skip to main content

How CSOs can overcome data protection uncertainty challenges post-Brexit

(Image credit: Image Credit: D Smith / Flickr)

Brexit has been chomping at the tails of data-driven businesses for long enough – but are they prepared for life on the other side? Cyber Security Officers on both shores of the English Channel have been tirelessly eyeing the challenges that lay ahead, ready to rise to a new era in data management. But they can’t navigate these alone. It is those who lead collaboratively with their legal and data counterparts who will conquer.

The deal on the future trading relationship between the UK and EU was reached on Christmas Eve 2021, and was largely welcomed in the hope that it would provide greater transparency, trust and confidence in the Digital Sector. But the reality is that much confusion is still afoot. 

At the end of June 2021, the EU declared that the UK’s data protection laws offer a high level of data protection and validated the transfer of personal data between the EU and the UK. 

A Digital Europe survey in November 2020 found that 91 percent of respondents transfer data outside of EU countries and 6 out of 10 transfer data to the UK, highlighting the broad impact of the trade deal on data flows. All businesses, large and small, regardless of industry are implicated. Now that the adequacy agreement has been adopted, have all the uncertainties been erased? 

Cushioning uncertainty with agility  

Preparation starts with education and understanding the UK’s position not as anomalous but rather the same as other countries outside of the EU, managing data flows across borders. The EU GDPR has been retained in UK law, post-transition period and will remain open to independent review. 

But there are a few key implications to be noted on the UK’s GDPR requirements. While the principles are the same, UK GDPR rules on personal data transfer between the UK and European Economic Area (EEA) also apply to controllers and processors outside of the UK. This refers to those offering goods or services to individuals in the UK or monitoring the behavior of individuals taking place in the UK – and vice versa. 

Even if the EU recognized the UK GDPR as a strong regulation, the way in which UK businesses interact with European data protection authorities has changed. The bottom line is that businesses are being forced to rethink transfer of data and the protections employed from both sides of the fence.

By virtue of leaving the EU, the UK has added another layer of complexity to the environment, leading to greater infrastructure complexity. This will require combining the power of three essential knowledge sets including security, data and legal to lead the way. 

Perhaps the hardest part of this is the general level of uncertainty. For example, while the UK GDPR applies, it could at some point choose to replace the UK GDPR with something completely different. This would require much more radical changes from European businesses and regulators alike.

Meanwhile, as the UK gets to grips with its new position in the data jurisdiction, it is likely that it will over time create new governing bodies, policies and regulations – and businesses will have to keep up with any changes. It could be that a rethink around relationships and communication is in order when it comes to reporting, for example. 

The real challenge that CSOs face is knowing how to build a ‘future-ready’ digital infrastructure, one that complies with current laws but is agile enough to be adapted with future laws. The key is letting customer need dictate your choice of technology rather than the law in play. 

Take data protection, for example, not having put in place the necessary mechanisms to identify, track and anonymize data is a serious matter and along with this data trust, while challenging to achieve – according to a recent Talend survey, only 35 percent of the respondents always trust t he data they work with – has become a must-have. 

But not just because of the regulations. Successful brands are those that respect their customers. They not only govern and protect their customers' personal data to avoid fines but understand that privacy is a game-changer when it comes to a successful customer experience. To transform data regulations into a business driver, organizations first need to understand the data they are using and make sure it is reliable. However, according to the same survey, ensuring data quality remains the biggest issue for 58 percent of the UK respondents. 

For this, these brands will likely over-index on technologies including cloud and ML-aided automation. Not only can these technologies enable powerful analysis on all of their data sources, databases, and applications but help to manage security and privacy. What’s more, these technologies make it easier to process and analyze structured and unstructured data, whether historical or real-time, so brands can better predict attacks and respond as they happen.

Learning the lay of the land collaboratively  

Just as the introduction of GDPR brought stakeholders across businesses together to ensure complicity, creating more dynamic, data-driven businesses – Brexit can be seen as a similar opportunity. Slicing through the uncertainty with a collaborative, multi-faceted approach will ensure businesses are covered from every angle. 

This is when collaboration with the legal and policy leaders is critical. As our regulatory landscape continues to evolve, working very closely with policy and legal to make the right decisions from a holistic viewpoint is absolutely critical.

Security, supply chain, and risk management are all hot topics as they look to understand precisely what the partners with whom they share their data do with it – because ultimately, they are responsible for this. Spending more time with privacy specialists is going to be essential when it comes to getting this right.  As the old saying goes, a problem shared is a problem halved. 

The truth is, it is not possible to eliminate all threats and keep the business running, nor create the perfect digital infrastructure. Rather, the emphasis should be on being prepared for every eventuality and poised to adapt.

As we look ahead to our post-Brexit futures, being prepared means organizing on a business, national and regional level, positioning to protect organizations, employees and citizens. Managing complexities effectively will better prepare businesses to find the root cause of an incident or attack when it happens. Speed and agility continue to be business-critical.

Anne Hardy, Chief Information Security Officer, Talend (opens in new tab)

Anne Hardy, Chief Information Security Officer, Talend.