Even though the UK's upcoming Data Protection law will be similar to and as potent as the European GDPR, experts believe that a lot of work needs to be done to ensure the UK will continue to enjoy similar benefits and protections post-Brexit as hitherto.
The UK's ability to defend against cyber attacks in the future and to strengthen data security will be reliant on how it will cooperate with European agencies and data security authorities post-Brexit, academic group The UK In A Changing Europe has warned.
In a paper titled 'A Successful Brexit: Three Foreign and Security Policy Tests', the group said that Brexit will be deemed to have a positive impact on security if it allows the UK to continue to shape European cyber security standards while gaining more room for manoeuvre in its own practices.
If the UK ends up losing full membership of Europol, the European Arrest Warrant System and other intelligence sharing arrangements, it would significantly reduce its ability to defend against trans-border terrorism, organised crime, and cyber attacks.
At the moment, aside from bringing in a new data protection law that is similar to GDPR, the UK government is also examining what steps need to be taken to comply with the EU's Network and Information Security Directive which will be implemented later this year. The NIS Directive will only cover the loss of service as a result of cyber attacks instead of loss of data and will be part of the government's £1.9 billion National Cyber Security Strategy.
With the help of the new directive, the government aims to ensure that essential services like electricity, water supply, and health services that have a direct impact on people's lives are secured against cyber attacks seeking to disrupt their operations.
"The ability of the UK to counter cyber security threats is partly dependent on regular data exchange between UK authorities and private companies, including those based in the EU. These exchanges may be put at risk if the EU does not regard the UK as a safe recipient of sensitive personal data.
"The more the UK continues to be committed to EU cyber standards, the less significant will be the impact of Brexit in this area. If the UK diverges significantly in cyber security practice, it will be possible to weigh any security benefits derived from this increase in national control against the costs – in terms of both security and market access – of lost influence in the EU," the group added.
It also recollected how former prime minister David Cameron argued against Brexit, stating that it would 'jeopardise essential European cooperation against terrorism and international crime and ‘divide the West’ at a dangerous moment'. Other former ministers had also argued that Brexit would limit the UK’s ability to deal with pressing security threats, from terrorism to a resurgent Russia.
However, if Britain continues to maintain cooperative security relations with EU member states post-Brexit, it will 'continue to enhance its security in areas where it will gain greater control while fashioning improved security arrangements with the EU, its member states and others', it said.
With the UK's critical national infrastructure facilities at risk of facing a large number of cyber-attacks in the near future, maintaining cordial security cooperation with the EU will ensure Britain will be able to effectively respond to such threats. As such, the government's efforts towards implementing the EU’s Security of Network Information Systems (NIS) in the UK will go a long way in ensuring the security of critical infrastructure firms.
According to the government, the new law would incentivise operators who take adequate measures to deter cyber attacks, assess security risks effectively and engage with competent authorities. Penalties against such operators for suffering cyber attacks despite taking such measures would be a last resort.