How security teams can manage data protection post Brexit
EU and UK data-driven businesses no doubt breathed a sigh of relief with the EU recently approving the continued flow of data between the EU and UK.
But the news is just one hurdle as Cyber Security Officers (CSOs) and information security teams both in mainland Europe and the UK consider challenges that lie ahead and prepare to flex as necessary in a new era in data management. Now more than ever, it is the security leaders that work collaboratively with legal and data counterparts who will conquer.
Although the deal on the future trading relationship between the UK and EU was reached on 24 December 2020, during the first six months of 2021 there was still a lot of confusion around data.
A survey released in November 2020 found that 91 percent of respondents transfer data outside of the EU and 60 percent transfer data to the UK, highlighting the broad impact of Brexit on data flows.
Thankfully on 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before between the EU and the UK, in the majority of circumstances.
Uncertain times ahead call for collaboration
Now that the adequacy decisions have been adopted, not all uncertainties have automatically been erased. Many businesses, irrespective of size or industry, are implicated. Preparation is key to ensuring continued data protection. The UK’s position is not unique; it is the same as that of other countries outside the bloc that also manage data flows across borders. The EU GDPR has been retained in UK law after the transition period, and will remain open to independent review.
However, there are some key implications within the UK GDPR. While the principles are the same, UK GDPR rules on personal data transfer between the UK and European Economic Area (EEA) also apply to controllers and processors outside the UK. This includes those offering goods or services to individuals in the UK or monitoring the behavior of individuals in the UK -- and vice versa.
Even though the EU has recognized the UK GDPR as a robust regulation, the way in which UK businesses interact with European data protection authorities has changed. The end result is that businesses are having to rethink data transfer and the protections enjoyed from both sides of the fence.
By leaving the EU, the UK has added another layer of infrastructure complexity, and now needs to combine the three essential knowledge sets of security, data and legal to meet new challenges head on.
Perhaps the hardest part of this is the general level of uncertainty. For instance, while the UK GDPR applies today, there could be a decision to replace it in the future with something completely different. This move would require much more radical changes from European businesses and regulators alike.
Meanwhile, as the UK gets to grips with its new position in the field of data jurisdiction, over time we will no doubt see new governing bodies, policies and regulations -- and we will need to keep up with subsequent changes.
Another challenge that CSOs and security teams face is building a ‘future-ready’ digital infrastructure, one that complies with current laws but is agile enough to be adapted to future laws. The key here is letting customer need dictate choice of technology rather than the law in play.
Take data protection, for example: not having the necessary controls in place to identify, track and anonymize data is a serious matter. Alongside this, data trust is a must have, in spite of being challenging to achieve. According to a recent Talend survey, only just over a third (35 percent) of the respondents always trust the data they work with.
But regulations should not be the only drivers towards data protection. Successful brands respect their customers. They not only control and protect customers' personal data to avoid fines but understand that privacy is critical when delivering a successful customer experience. To transform data regulations into a business driver, businesses need to understand the data being used and ensure that it is accurate. But this isn’t always easy -- the same survey revealed that ensuring data quality remains the biggest issue for 58 percent of UK respondents.
As businesses seek the holy grail of data protection, they will often deploy technologies including cloud and ML-aided automation to gain a single view of all data sources, databases, and applications, while also helping to manage control and consent. These technologies can also support the processing of structured and unstructured data, both historical and real-time, so brands can better predict attacks and respond as they happen.
Just as GDPR in 2018 brought together stakeholders across businesses to ensure compliance, while creating more dynamic, data-driven businesses, Brexit in 2021 offers a similar opportunity. A collaborative, multi-faceted approach will ensure businesses are covered from every angle.
As the regulatory landscape continues to evolve, it is critical that security teams work very closely with policy and legal departments to make the right decisions from a holistic viewpoint.
Security, supply chain, and risk management teams are just a few departments under pressure to understand precisely what all stakeholders with whom they share their data do with it -- because ultimately, they are responsible for the data. Privacy specialists will be key to ensuring that any policies and workflows are compliant.
In my experience, it is not possible to eliminate all threats and keep a business running, nor create the perfect digital infrastructure. Rather, the emphasis should be on being prepared for every eventuality and poised to adapt.
Looking ahead to a post-Brexit era, we need to be prepared on a business, national and regional level, positioning to protect organizations, employees and citizens. Managing complexities effectively will better ready businesses to pinpoint the root cause of a cyber incident or attack when it happens. It is here that speed and agility will continue to be business critical.
Anne Hardy is Chief Information Security Officer at Talend. With over 20 years of technology experience, Anne brings to Talend an extensive background in security technologies and architectures, data privacy standards, and cloud security. She was most recently the chief security officer for Join Digital, which provides managed digital services to enterprises.