Brexit and Data Protection


The cabinet has today announced that it is ramping up preparations for a no-deal Brexit, including advising businesses to activate their own no-deal contingency plans.  However, the political landscape remains very unclear and the only certain thing about Brexit seems to be uncertainty.  What does Brexit mean for data protection, and for the work that companies have put into GDPR compliance in 2018?

Data in the UK

Data protection legislation in the UK is currently a combination of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA).  The UK Act parallels the GDPR and will remain in place regardless of what happens with Brexit.  The government plans to bring all applicable parts of the GDPR into UK law as part of Brexit, so investment in GDPR compliance is not wasted: the same framework will underpin UK data protection law for the foreseeable future.

In short, for data that you collect and keep in the UK, Brexit brings no significant change. 

Data outside of Europe

Similarly, regulations for data flows outside the European Economic Area (EEA) are likely to remain much the same. The Information Commissioner expects that the UK government will replicate the existing EU adequacy and standard contract clause arrangements.

Almost all small businesses in the UK rely to some extent on the big four cloud companies (Amazon, Apple, Google and Microsoft), even if it is just to sync contacts or email on a mobile phone.  These are American companies, so the status of the EU-US Privacy Shield arrangements could have a huge impact.  At present there is no UK equivalent of Privacy Shield, but the UK government “intends to make arrangements”.  Unsurprisingly, the big four are not content to wait for these arrangements, nor to risk their UK business.  This is why, for example, Google is changing its terms of service next month so that your contract is with Google Ireland Ltd rather than the USA-based corporation.

Whilst the UK still has a lot to do to ensure that current non-EEA arrangements are replicated in UK law, it is reasonable to assume that any transition period will be afforded grace by the UK authorities.  Business as usual is therefore a reasonable plan.

Data transfers with Europe

The UK government has stated that it will not restrict transfers of data to the EEA.  You can therefore continue to share data with service-providers based in other EU/EEA countries on the same terms as you do now.

However, the picture for European companies wishing to share data with you is much less clear.  The UK will seek an “adequacy” decision from the EU, but this process takes time (Japan and South Korea began the process more than two years ago).  Without an adequacy decision, EU companies will need to put binding agreements in place before they can share personal data with you.  These will either be standard contractual clauses (SCCs) or binding corporate rules (BCRs).  SCCs apply where the organisations sharing data are separate entities; BCRs apply where the organisations are part of the same corporate group.

If you receive personal data from an EU organisation, it would be wise to negotiate an appropriate binding agreement now so that it is already in force before 29th March.  If your organisation requires BCRs, these need to be approved by the ICO, and you should work on the assumption that the approval process will not be complete by 29th March.  You will therefore need contingency plans for continuing to trade without importing this data to the UK.

There is detailed information on international data transfers on the ICO website.  For specific advice tailored to your organisation, contact Tom Crellin Consultant.

Prosecutions highlight personal liability for data protection

In February, the Information Commissioner’s Office prosecuted two people for unlawfully obtaining personal data from their work.

These cases highlight that data protection is a matter all employees need to understand and treat seriously.  The people involved not only received a criminal conviction and fines; they also lost their jobs.

Car Repairs

In Manchester, Philip Bagnall pleaded guilty to taking customer details from an accident repair company and selling them in a pub deal for £1,000 to another company.  The third party then contacted the customers asking if they wanted to pursue claims about their accidents.

School Meals

In Westminster, Samira Bouzkraoui admitted three offences after taking a picture of data about children’s eligibility for school meals and sharing it via Snapchat with the estranged parent of one of the pupils.  In doing so, she disclosed the information of 37 pupils and their parents.

As business owners, we have a duty of care towards our employees.  Yes, what was done in these cases should be obviously wrong to any employee, but we still need to be clear about what is and is not acceptable practice.  Acceptable use policies in the company staff handbook are all very well, but they need to be backed up with awareness training and a corporate culture that encourages good practice.

Cyber Threat Report released by NCSC and NCA

The National Cyber Security Centre and National Crime Agency have today released their joint report on the cyber threat to UK business.  The headlines are certainly powerful and could give any business leader sleepless nights:

  • The cyber threat to UK business is significant and growing.
  • This threat is varied and adaptable.
  • The rise of internet connected devices gives attackers more opportunity.
  • The past year has been punctuated by cyber attacks on a scale and boldness not seen before.

Further, the report points out that the opportunities for attackers are increasing while the technical skill required to carry out an attack is decreasing, so the number of people capable of launching an attack is growing.  The good news is that it is possible to defend against all but the most determined and technically capable attackers: basic “cyber hygiene” can thwart the vast majority of threats.

The threat

  • Malware and attack services are traded on the dark web, enabling unskilled people to launch attacks.
  • Cyber extortion (ransomware, DDoS etc.) has increased and is targeting specific businesses for increased reward.
  • “Internet of Things” botnets are growing, to the extent that government intervention and product recalls are becoming necessary.
  • Financial exploits have become more targeted and less visible.
  • The threat to mobile devices (smartphones) is low but growing.
  • Social media is a significant attack vector, exploiting the trust and familiarity associated with these sites.
  • Large scale data breaches continue to hit the headlines.

How can we deal with these threats?

As I said above, simple, basic measures will prevent the vast majority of attacks.  The Cyber Essentials controls (boundary control, secure configuration, access control, malware protection and patch management) are still an effective starting point.  Key decision makers should engage with the risk assessment and mitigation process, for cyber risks just as for any other risk.  Cyber threats affect the whole business, not just the IT department, so you need a whole-business approach to dealing with them.

Similarly, awareness-raising, information-sharing and incident reporting are vital safeguards.  Your customer-facing staff are far more likely than your IT security team to receive, and respond to, messages from an unknown and untrusted origin.  Do they know how to recognise a suspicious request and how to deal with it?

Of course, we are happy to help you with your cyber security management and with awareness training.  Simply contact us for a free initial consultation.

Using Weather Warnings in Business

Unplanned events, by their nature, often occur with little or no warning.  Weather is one of the notable exceptions: the Met Office issues warnings, free of charge and up to five days in advance.  But the warnings come in almost every week in the winter months, so how can you ensure that your business response is proportionate?  The answer lies in decoding the information that the Met Office provides.

Getting Weather Warnings

The Met Office posts weather warnings on its website and circulates them to the media; you will hear these as the red, amber and yellow warnings in TV and radio bulletins.  You can also have the warnings sent to you by email or as a notification on your mobile device via the Met Office weather app.  TV and radio bulletins usually give only the basic information, whereas the full warning has much more detail.  As a subscriber to the email or app notifications, you get the full detail, and a fresh notification whenever a warning is updated.

Is this for me?

First, look at the specific area covered.  The regions that you can subscribe to are vast and can easily have different weather conditions from one side to the other.  The Met Office provides both a map and a list of the local authority areas covered, which allows you to quickly filter out those warnings that do not apply where you are.

The warning itself consists of three sections: the warning text, the chief forecaster’s assessment and the weather impact matrix.  It is easy to overlook this matrix, but it actually provides the critical information at a glance.

Enter the Matrix

The matrix displays the impact and likelihood of the adverse weather in a format that will be immediately familiar to business people used to evaluating risk.  This means that you can use this information directly: apply it to your own business risk appetite and decide whether you need to act to mitigate the risk and likely impact.

The Met Office publishes very detailed explanations of what the impact statements mean at each level; you can find that detail on the Met Office website.  This means that you can plan in advance which weather types are likely to affect your business and what each impact level on a warning is likely to mean for you.

How big is the impact?

How can the weather affect your business?  Clearly, every business will answer this question differently.  Some of the general impacts to think about are:

  • Ease of travel – can staff get to work (and back home afterwards)? Is it prudent to postpone non-essential meetings or move to remote working? What about deliveries?
  • Health and safety of those working outside.
  • Disruption to utilities and communications
  • Damage to premises and/or assets stored outside.

All of these items are covered by the impact statements.  For instance, a low impact event may include localised power disruptions, whereas a high impact statement says that widespread and prolonged power outages are expected.

Is it worth it?

When all is said and done, we do expect adverse weather in this country, especially in winter, and much of our plan for dealing with it should be business as usual.  We do not need to take action for the majority of weather warnings; we already know we can cope with ordinary winter weather.  An informed glance at the impact matrix is the quickest way to identify the warnings that you do need to sit up and take notice of.

New Year Fitness

2017 is just around the corner.  Every January, fitness clubs get a surge of new members as people decide to improve their health in their new year’s resolutions.  Do your resolutions include taking a critical look at the health and fitness of your business?

Planning for Fitness

There is no doubt that these are difficult and uncertain times for business.  Companies that are fit, healthy and agile often do well in such times.  History tells us that planning for uncertainty and looking beyond the immediate problems are the keys to thriving.  According to the Cabinet Office: “Whether the business recovers [from a serious incident] or not and whether it is still operating 12 months later depends on what advance planning has taken place.  This means action before and not after disaster strikes.”

Having a clear plan means that all key staff know their roles and the tasks that need to be achieved.  It also helps to avoid missing or overlooking important matters in the heat of the moment.  Most importantly, it sets the company on the road to recovery much more quickly than a trial-and-error approach to incident response.

Exercising the Plan

No battle plan survives first contact with the enemy.  The only way of knowing whether your plan will actually work is to test it.  You do not necessarily need to simulate a full-scale emergency in order to check your plan’s fitness.  Often, talking through a scenario around a table is enough to reveal hidden flaws and highlight missing elements.

Your Fitness Check

A great way to start your plan is to have a fitness check from Tom Crellin, Consultant.  We will look at where you are now and where your main pain-points are.  Using this information, we will develop a personalised action plan to take you through the next steps.  We start by gathering information about your company and how it operates.  Next, we sit down with you and discuss what you view as important to your business and how you tackle problems today.  We have designed the process to be quick and painless for you and to accelerate your own planning process by giving you a clear set of goals and action plan.

So that you get a flying start on your 2017 business resolutions, we have decided to offer the Fitness Check at the discounted price of £850 for the month of January (normal price £995). Contact us now for more information.