Risky Business: Brexit’s Impact on Cybersecurity and Data Protection

by James Eager

Since 23 June 2016, many words have been dedicated to Brexit’s potential impacts on all things cybersecurity and data protection. Now that the dust has settled, cybersecurity and data protection experts have converged upon a selection of key risks through what appears to be a natural implementation of the Delphi method*. With added value provided by Optimity’s talented subject matter experts, this blog provides an essential guide to the implications of Brexit for the UK’s approach to cybersecurity and data protection, as well as for UK-based businesses.

Uncertainty reigns supreme

At the macro-economic level, the result of the referendum is undeniably causing global discomfort. The pound has significantly weakened, a trend which, among other things, has downstream implications for the US and Japanese export sectors and places additional pressure on China to lower the yuan. Coupled with the thousands of questions that will need to be resolved in the EU-UK negotiations, Brexit is causing, and will continue to cause, substantial uncertainty. For our friends and colleagues in cybersecurity and data protection, this uncertainty is fuelled by a combination of direct and indirect impacts.

Direct impacts – the fate of EU legislation in the UK

UK cybersecurity and data protection legislation has been aligned to EU activities since the initial 1995 Data Protection Directive (95/46/EC). Although this particular Directive will be replaced by the General Data Protection Regulation (GDPR), the EU-UK negotiations will determine the future application of a number of important EU Directives that have already been transposed into UK law (think e-Commerce, e-Privacy, Data Retention and, in the field of cybercrime, Attacks against Information Systems). In fact, for the Data Retention Directive (declared invalid by the CJEU) and the e-Privacy Directive (facing substantial changes through its periodic review) the question is whether UK law will conform to those revised EU instruments.

So, what will happen to these laws and EU instruments? Well, the general consensus is that the UK will not initiate significant changes and if the UK remains in the European Economic Area (a big if given Theresa May’s reluctance to seek a Norway-type arrangement), it would be required to comply with the Directives (and/or their successors) anyway. However, the future is likely to bring legal divergences as the EU and the UK review and revise their legal instruments in these fields.

Sounds simple enough …

On 25 May 2018, months (or even a year) before the negotiations end and Brexit actually happens, the much-heralded GDPR comes into force … just 16 days after the UK is required to adopt and publish the laws, regulations and administrative provisions necessary to comply with the NIS Directive. The UK will have to implement both the NIS Directive and the GDPR.

Right, it’s getting complex now …

It is likely that, at its point of departure from the EU, the UK will become a ‘third country’. This means that the UK is no longer required to apply the GDPR (as it is a ‘directly applicable’ Regulation and not a ‘transpose-into-law’ Directive). However, as a ‘third country’, the UK can pursue a few options to ensure legal data protection compatibility with the EU, and thus ensure free data transfers that are crucial for business:

  1. Seek to obtain an ‘adequacy decision’ on its data protection law. In order to achieve this decision, the UK would need to reform its Data Protection Act such that it is effectively the same as the GDPR. Anything less is expected to bring a high level of challenge from the European Commission, as well as the European Data Protection Board and, if necessary, the Court of Justice of the European Union (CJEU).
  2. Negotiate a deal similar to the EU-US Privacy Shield. In this instance, it is highly unlikely the European Commission will be as accommodating to the UK as it was for the US. In addition, the EU-US privacy shield is still likely to face significant challenges in national courts or the CJEU, based on the bulk collection of data by the US. For the same reasons, a prospective EU-UK deal is likely to be untenable.

Thus, it is likely the UK will choose option ‘1’ and almost fully implement the GDPR.

Irrespective of these decisions, the GDPR will still significantly impact UK companies. The GDPR has strong extra-territorial impacts meaning that, even if the GDPR does not apply in the UK, UK companies ‘offering goods or services’ to EU persons or ‘monitoring the behaviour of’ EU-based individuals—typically by using tracker cookies on their websites (even with the consent of the site visitors)—will be subject to all the requirements of the GDPR. The stick behind the door? Fines of up to 4% of global annual turnover for failure to (fully) comply.

Indirect potential implications – Brexit-associated business risks

Expert opinion converges on the following four key areas of risk for the UK’s cybersecurity industry and the private sector in general.

Workforce. The UK’s cyber skills shortage is a long recognised issue (HM Government, 2014). Thus, it is currently a necessity for UK-based cyber companies to hire talent from abroad. Brexit’s probable free movement implications will hinder the employment of EU nationals by UK-based companies, while restricting opportunities for talented UK nationals abroad. All non-cybersecurity businesses also need talented cybersecurity professionals and will be negatively impacted for the same reasons. Furthermore, universities are already experiencing breakdowns in relationships with EU-based partners on EU funding proposals. This is highly likely to hinder the ability of these universities to produce the talent to fill the cyber skills gap.

Competitiveness. Securing access to the single market will be a top priority for the UK during the negotiations and it is widely recognised that leaving the single market will significantly impact UK businesses. With this in mind, UK-based cybersecurity companies are likely to face difficulties attracting European customers, as well as cooperating at the EU level, which is expected to result in these companies moving some (if not all) operations to within the single market. Furthermore, as documented in our recently published study for the European Commission, cybersecurity is an industry where the US is dominant (43% market share in 2013) and Asia Pacific is rapidly drawing level with the EU. Brexit will benefit neither the UK nor the EU in terms of contributing prominently on the international cybersecurity stage.

Privacy and security. A key EU-wide risk, highlighted through our research for the European Commission, is maintaining respect for the EU’s highly developed approach to fundamental human rights. Brexit poses a significant risk to this approach in the UK. First, a post-Brexit UK will no longer be bound by the EU’s Charter of Fundamental Rights; it may even choose to leave the European Convention on Human Rights. Both require that surveillance powers must be proportionate to any harm to privacy. Second, as raised previously by a group of esteemed academics, the UK government’s approach to implementing surveillance powers has not necessarily respected democratic processes. Thus, the protection and privacy of personal data in the UK is not guaranteed post-Brexit; a huge risk for all businesses and consumers. This is further aggravated by calls from UK agencies for measures that would undermine encryption and, thus, online security. Equally contentious in the EU, there is a risk of dangerous divergence between the UK and the EU in this related regard.

Vulnerability. Uncertainty presents opportunities for exploitation; opportunities that cyber criminals will not turn down lightly. Brexit-related phishing scams are already in play and research by AlienVault and Unified Security Management found that over a third of InfoSec professionals surveyed feared increasing cyber vulnerability in the UK, primarily as a result of reduced EU information sharing and cooperation efforts. In light of the privacy and security risks highlighted above, all UK businesses and citizens could experience significantly reduced protection, with an increase in cyber-crime complementing an increase in government surveillance.

These implications will require constant attention from both government and industry players over the coming months and years as Brexit becomes a reality and the risks mature. With an international presence, Optimity can support you and your business get to grips with these risks, monitor them and prepare for Brexit.

If you would like to discuss how we can help, contact James Eager on james.eager@optimityadvisors.com or 020 7553 4800.

With special thanks to Professor Douwe Korff for his support on this blog.

*The Deplhi method is a research method that uses the collective knowledge of a panel of experts to converge towards a “correct” answer.

James Eager is a Consultant at Optimity Advisors. He is an experienced researcher and trusted advisor to the public, private and voluntary sectors, having successfully undertaken expansive research and transformation projects in the fields of cybersecurity and data privacy, justice, home affairs and healthcare. James is driving Optimity’s EMEA engagements in the field of cybersecurity and data privacy. These capabilities include in-depth insight into the EU and UK cybersecurity markets, as well as knowledge of industry cyber risks, including how to deal with people, process and policy. James regularly presents at national and international conferences. Coming soon … James will present on the EU’s response to cybercrime, at the 16th European Society of Criminology conference (Münster, 23.09.2016), and this year’s developments in cybersecurity at InfoSec Week for European Cybersecurity Month (London, 26.10.2016).