The EU has its General Data Protection Regulation — GDPR — while the UK has its Data Protection Act 2018. The latter is designed to complement the former, but there are differences, and in the uncertainty of Brexit we can’t be sure that the UK will be granted adequacy. In short, Brexit may impact the flow of data.
According to Mus Huseyin of nsKnox, it’s about risk. It is in everyone’s interest, both EU and UK, to come to an agreement regarding data protection, but the Brexit track record does suggest that mutual interests will necessarily triumph. Huseyin likened the problem to supertankers changing direction. “Even if everyone was agreed on the level of adequacy checks and meeting the EU regulator’s demands, you would anticipate it’s still going to take a number of months, at best; at worst, a couple of years.”
“I don’t think anyone can definitively say that they will comply with GDPR by virtue of complying with the 2018 Act,” he warned. “There are subtle differences in the industry regulations but they are nonetheless important.”
The GDPR and Brexit
He gave as an example of these differences, identifiers that are used in personal data, the differences may seem superficial but they are there, and if we have learned one thing from Brexit, it is that subtle differences can be as hard to cross as the most challenging terrain.
“Do you know with absolute certainty, when the government themselves don’t know with absolute certainty, what will happen?”He asks.
There is a precedent. Soon after the GDPR was introduced, the EU did not immediately confirm an adequacy agreement with the Canadian state of Quebec, despite Canada often being a pioneer in the field of privacy.
GDPR anniversary: has the regulation backfired? What next?
“I think there’s a danger that post Brexit there will be a period of further transition.Now please, let that be very quick and happen in the best case scenario before Brexit occurs.
“In the event that it doesn’t, there would be a period of uncertainty and that’s typically what criminals tend to exploit. They have an advantage over leveraging uncertainty with social engineering or other attacks, or to engineer people and organisations into making mistakes that they’d otherwise not make.
“There is also a risk that companies may take an ultra-conservative position, they might choose to restrict the flow of data between two organisations, either as the originator of the data or as the receiver of the data.“
So what’s the solution?
Huseyin proposes two steps. First: “I would get as close to the regulator as possible, getting involved in the discussions understanding your obligations and to try and get exceptions where you can if there is any uncertainty about the data regulations. There are thousands and thousands of lines of law that will apply to any particular regulator or regulations. Often, if you’re having an open dialogue and transparent dialogue with a regulator about your problem and about your concerns, you may find that they actually issue a form of dispensation or some guidance in the interim, whilst the clarity is lacking.”
GDPR — How does it impact AI?
Second: Huseyin advocates technology. It may not come as a shock to learn he advocated a product from nsKnox.
He refers to Cooperative Cyber Security which allows data to be shared across organisations and networks in a way that is completely cryptographic and shredded.
“If you can take information with identifiers and put it into a form which is actually meaningless and shred it cryptographically and then distribute it to the partners of the data consortium who want to be able to access that information, you’re now pushing data around the world potentially without ever exposing the actual underlying information.
“So for example, we could take your name and we can shred it and we can distribute it to let’s say two banks in Europe and two banks in the UK. Each of those banks holds a piece of information and collectively that information makes up your name, but individually those pieces of information are just bits of encrypted binary data. So totally meaningless.“
So that’s two potential solutions, get close to the regulator and apply appropriate technology.
What we can say is that Brexit will impose uncertainty on UK businesses. Preparation won’t solve the problem, but it will help.