But let’s be honest, everyone will be making wild speculations at this point, just as ‘experts’ in every other field will be. The only thing for certain is that the UNcertainty will be used by security vendors to try to scare UK companies into buying something.
This one is unrelated, but is actually very good and you should read it first: “Brexit: The Implications for the Insurance Industry”.
Two of the pending EU laws in the pipeline that will be most cited are the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR). While neither of these relates to information security per se, security is an enormously important component of each, and penalties will be commensurate with the egregiousness of the data misuse/loss.
The UK would have had to make these law within the next 2-3 years, but now what? If we’re not IN the EU, do we have to follow the EU rules? Can’t we just do our own thing, like the US?
Well yes, we could, all we’d have to do is adopt something like Safe Harbor and all EU countries would be more than happy to do business with us. Right?
I don’t think so somehow.
Clearly the UK would never put itself in that position [praying silently], and seeing as both PSD2 and GDPR are fully supported by the UK, I would very much doubt any UK-only law would be markedly different. But ANY difference will still complicate things for UK businesses. It will likely require UK organisations to be far more proactive in the demonstration of their compliance than would otherwise be necessary.
And if there’s one thing that no organisation I have ever come across is good at, it’s the demonstration of good security practices.
Luckily for us, there is absolutely nothing in ANY regulation of which I am aware that requires anything more than ‘appropriate’ controls. From the GDPR, for example: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”
This is the greatest thing about my chosen career: information security cares nothing for law, regulation, compliance, geography, or politics. It’s about a piece of data, on a computer, that someone wants to steal. Everything else is just reporting.
However, getting to the point where the demonstration of compliance is business as usual is extremely difficult. Not complicated, just difficult. It’s actually very simple: all you have to do is get the CEO/BoD to care about it and it will happen. Easy, right?
UK organisations had 2 years from May 25th to demonstrate compliance with the GDPR; now [potentially] they have to demonstrate their equivalent compliance to every EU business with whom they want to transact. And you thought answering RFPs was bad now!
Nothing will change anytime soon, but in the meantime, just do what you know you should have been doing all along, and start now.
Don’t know how? Ask.