Speaking on BBC Radio 4's PM programme, Elizabeth Denham, the UK's information commissioner, urged UK companies to fully prepare for the EU General Data Protection Regulation (GDPR), as the law comes in after the UK's planned Brexit date.
Denham said: "I don't think Brexit should mean Brexit when it comes to standards of data protection."
She continued: "The UK is going to want to continue to do business with Europe. In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent. The UK was very involved in the drafting of the regulation — it will likely be in effect before the UK leaves the European Union — so I'm concerned about a start and stop regulatory environment."
Denham went on to express concerns over the recent Yahoo! data leak, in which the details of 500 million user accounts were stolen, including eight million belonging to UK citizens.
"This data breach is unprecedented. The numbers are staggering. Why did it take so long for Yahoo! to notify the public of the breach? It looks like it happened two years ago. What can these account holders do to protect themselves?" Denham said. "I'm asking those questions on behalf of UK citizens."
Denham concluded with promises of investigating WhatsApp's plan to share user data with Facebook. She said: "We have launched an investigation into the data sharing, remembering that in 2014 when Facebook bought WhatsApp, there was a commitment made that between the two companies they would not share information."
Michael Hack, senior vice president of EMEA Operations at Ipswitch, has been vocal about the need for preparation, technology implementation and training. He told SCMagazineUK.com: "Information Commissioner Elizabeth Denham has been incredibly clear: Brexit doesn't mean Brexit when it comes to data protection. This news will come as a welcome relief for our nation of data sharers as a whole, especially given the recent increase in high profile, big business hacks like Yahoo. However, it is also likely to put the frighteners on any business that has been dragging its heels in preparing for GDPR, confused that Brexit could mean the UK would not need to comply."
Hack continued: "Businesses now need to introduce a risk management exercise that identifies the key processes and assets, and evaluates their vulnerabilities and potential threats. The results will then highlight priorities for the next stage of the process towards compliance. The exercise should cover all areas of the business and should also consider technologies and strategies to mitigate the risks identified. Companies that handle large amounts of data will need to hire or redeploy and train a dedicated resource to be a data protection officer with the sole purpose of keeping data safe. A serious data breach will need to be reported to regulators within 72 hours or face penalties of up to four percent of global turnover."