Yesterday, I attended the British Computer Society 20th Annual Legal Day organised by the Information Security Specialist Group at the glorious Royal Air Force Club. It surprised me how such a dry legal and technical subject made such a deep emotional connection at a human level. People passionately care about these subjects because it impacts our personal identity and how we protect our individual rights within the rapidly evolving digital landscape.

My interest in attending was to get an accurate understanding of those legal aspects relating to GDPR, E-Privacy and how that will apply post-Brexit. Many of my clients are wrestling with this challenging subject and it has a real impact on all businesses large and small.

After the initial impetus of GDPR compliance in May last year, the challenge is for organisations to manage their data compliance so that it becomes part of the corporate core values. For the more progressive organisations, we are starting to see a shift away from grudging compliance towards taking on more accountability and realising the competitive advantage of taking a more ethical approach to processing private data.

We have seen a rise in privacy advocates and activists who are litigating to protect individual rights. Recent cases in the headlines have included fines of £500k for Facebook, £385k for Uber and £500k for Equifax here in the UK, and larger fines across the rest of Europe including the headline-grabbing fine of €50m for Google in France. IBM estimates the average cost of a data breach at £2.7m and the cost per record of £108 – Source: 2018 Ponemon Study: Cost of a Data Breach -https://www.ibm.com/security/data-breach. When preparing your incident response plan the MITRE attack framework is a useful way to prepare for a variety of attacks – https://attack.mitre.org/matrices/enterprise.

When it comes to Brexit, deal or no-deal the UK will become a third-country and a data transfer mechanism will need to be in place to move data from an EU country for processing in the UK. It is not yet clear if the EU member states will formally approve the UK ‘adequacy’ to process data – despite the UK law being a mirror image of the EU law.

Also, the existing arrangements for transferring data between the EU and USA under the ‘Privacy Shield’ will also no longer apply when the UK exits the EU. It seems that most FTSE 100 companies have quietly made arrangements for switching the processing of private data within other EU countries, but are reluctant to talk about it given the political sensitiveness. Overall the advice offered by government www.gov.uk/euexit is seen as disappointing and most of the information there is skewed towards preparing for a no-deal scenario. The data privacy regulations are already complicated enough, and Brexit has only added a further layer of uncertainty. Managing data protection risk is a tricky business. Hold on to your hat and expect an interesting ride as the UK exits the EU.