Brexit and SMEs: Dealing with Cyber Security and Data Protection
22nd March 2019
Whether the effects of Brexit on your small business fill you with optimism or dread, they should not be ignored. The current uncertain times mean that SMEs will not be immune from at least the short term challenges presented by Brexit. Where your information and communications technology is concerned (ICT), this means thinking seriously about how your firm complies with data protection laws and also about the increasing threat of cybersecurity.
SMEs and Brexit
Britain is one of the best places to start a business – that’s according to the World Bank’s 2017 Doing Business report. One of its best features is its low corporate tax rate amongst G20 countries and the relatively few number of procedures to set up a business. So far so good. Whether and how this changes in light of Brexit remains to be seen. What we do know is that SMEs tend to be pretty upbeat and pragmatic. We like to celebrate the extraordinary resilience of our small businesses. That’s why we know SMEs will want to consider their ICT post-Brexit.
How Brexit could impact your ICT
Small businesses which deal with overseas firms or customers, whether for supplies or sales, imports or exports, will be busy with working out potential Brexit changes to procedures, staffing, paperwork and any new tariffs. However, SME business-owners and managers should consider their ICT systems too.
More than a quarter of SMEs have spent £2k on Brexit preparations while, in the event of a no-deal Brexit 35% of SMEs say they would postpone major decisions and about 20% say they would cut staff or expenditure – according to research by the Federation of Small Businesses.
It’s clear that Brexit uncertainty is impacting on many small businesses. However others take the view that Brexit can be good for small companies because it will give smaller firms a chance against larger and more corporate firms whose voices have been the loudest in the Brexit debates. While it’s always best to remain flexible there are some areas on which businesses should not compromise.
Most SMEs will rely on their IT in some way, shape or form – from emails, to databases, to electronic invoicing and e-commerce. It’s vital to continue to protect this important enabling part of your operation and also have adequate data protection procedures.
After Brexit, two ICT-related issues will be vital:
1. Brexit and Data Protection
On data flow between the UK and the future EU27, there’s been an emphasis on maintaining the free flow of personal data between the EU and the UK in the political declaration on the future relationship; even though it’s uncertain whether that declaration will survive in its current form, the data elements are relatively uncontentious and are likely to remain.
Remember all the fuss last year about getting ready for GDPR? You’ll remember that the General Data Protection Regulation which came into effect in May 2018 applies to all EU businesses. It is aimed at protecting the online data of all EU citizens. As such it touches many parts of any businesses operations, from marketing, to sales, to IT and record-keeping.
Will the GDPR still apply to UK businesses after it leaves the EU? The answer is yes, in effect. There will be no get-out-of-jail-free card in this one after Brexit. There will continue to be potentially significant penalties for firms who are found to be in breach of the GDPR.
On Brexit day, the UK will adopt the EU’s GDPR into the UK’s legislation in conjunction with the Data Protection Act 2018 (the DPA), resulting in a UK GDPR. If the UK leaves the EU without a deal, where the transfer of data is concerned, the UK will immediately be regarded by the EU as a ‘third country’ (ie. a country outside of the EEA) under the EU GDPR. Third countries need to satisfy the EU’s adequacy measures for any exchanges of data with the EU27. If the UK leaves the EU on 29 March or soon after, it will not yet be on the list of ‘adequate’ third countries – that may take a couple of years so firms may need to include additional legal notices or privacy notices when trading into the EU.
2. Brexit and cybersecurity
Cybersecurity may not be high on your agenda when thinking about Brexit but there are fears that cyber criminals are set to take advantage of SMEs who are distracted by Brexit challenges. Criminals thrive when stability and certainty are under threat. In a no-deal Brexit scenario there are questions about the UK’s continued membership of EU organisations such as Europol and its subsidiary, the European Cybercrime Centre.
Cybercrime continues to pose challenges to business. Whether it’s ransomware, data theft or phishing attacks, 2018 saw increases in attacks on businesses as cyber criminals increase their digital capabilities . If you’re an SME, there’s a 1 in 2 chance you’ll experience a cyber security breach; if you’re a micro business, this could result in losses of around £1,400, according to the National Cyber Security Centre.
Brexit or otherwise, SMEs need better cyber security, not only to protect their data and privacy but their profits and reputation. Without the resources of larger firms, smaller business may become the target of cybercrime due to their potential security vulnerabilities. Cybercrime can damage networks and systems and cost huge amounts to put right – it’s always wiser to have preventative measures.
On the Brexit-front, it is reassuring that the head of the UK’s National Cyber Security Centre has suggested that Brexit will have little impact on UK-EU cybersecurity cooperation due to their close relationship.
It is also good news is that SMEs can take their own steps to minimise disruption.
What should SMEs do about Brexit and Cybersecurity?
● Learn how to make good information security choices, protecting your online data and networks. The UK has being developing better approaches to cyber security in recent years. Follow the Government’s Cyber Essentials , an industry-backed standard which protects your business against cyber threats.
● Revisit GDPR practices and ensure you are compliant. Even if you have no branches in the EU, the EU GDPR can still apply if you are targeting EU customers or trading with firms there. In the event of a no-deal Brexit, firms may need to consider adopting additional legal clauses in contracts with EU firms. The Informational Commissioner’s Office website can help with information about data flows.
● Get advice and support from a professional ICT firm which can check if you’re on the right track. When it comes to cybersecurity and legal compliance it’s best not to take chances.
While there’s little room for complacency, Brexit, in whichever form it eventually occurs, need not disrupt the ICT of small businesses as long as they give attention to ensuring they are compliant and safe.
At 360ict we have a long record of helping SMEs to stay safe on line and to protect their data. We offer SMEs an on-site review of data security as well as advice and support for a variety of ICT requirements.
To arrange your on-site review or talk to our IT support team about your options, call 0208 663 4000 today or Contact Us .