Brexit Won’t Exempt UK From EU Data Regulations

Britain may be eager to extricate itself from the European Union and forge ahead on its own, but as it happens, a stage left Brexit will not exempt firms in the UK from adherence to the impending data security reform, set to take effect across the continent in two years.  Yes, in 2018, the General Data Protection Regulation will begin to apply new rules and standards for all businesses relative to their European interests.  This means that all companies offering services in the EU, or processing the personal data of EU residents—also known as ‘natural persons’—will be subject to the new GDPR policies, no matter where in the world they happen to be located.

To that effect, “Britain leaving the European Union is not likely to change GDPR requirements for UK firms that do business in the EU,” says David Berman at CipherCloud, also adding that the UK “will need to create or revise many laws as they separate from the EU.”

Along with an expanded definition of what exactly constitutes personal data (“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”)—along with all of this, to me this signals serious intent with regards to data protection.  And though 2018 seems far away, organizations should start planning ahead now, in order to make the transition as seamless as possible.  Assessing the privacy impact of a new vendor or new product on one’s compliance is one such important consideration, according to Deema Freij, global data privacy officer at enterprise software maker Intralinks Inc.

Across the pond, data protection remains an equally critical area.  While Europe gradually prepares for the GDPR shift, the US saw June become the worst month for information security so far this year, particularly in healthcare.  Patient records have been in no short supply for cyber criminals, since over 11 million of them were stolen last month in at least 23 incidents.  Moreover, the trends surged astronomically in May, when data from the US Department of Health and Human Services showed almost 700,000 total reported breaches, compared to 137 in first half of 2016.  It seems unbelievable.

For the June breaches, meanwhile, the causes were divided fairly evenly, according to Protenus and Databreaches.net, between hackers and insider threats.   The latter remains a major and insidious factor in security incidents.  Brian Contos, over at CSOOnline, advocates being proactive, and employing specific technologies and analytics to nip such threats in the bud: from technologies that monitor user behavior, establishing baselines for normalcy and then detecting any anomalies that arise, to methods of restricting access, of increased segmentation and providing authorization on a more limited basis—such practices are aimed at mitigating data loss thanks to a disgruntled or unaware employee.

With the state of people’s personal data around the world today, I’d say companies could use all the help they can get, and take any such steps that are likely to reduce their risk of a data breach.