UK CEOs worry over EU privacy rules after Brexit

Bill Boyle
Published on:

UK CEOs are concerned that EU privacy rules will affect their ability to do business if UK and EU laws are not aligned post Brexit

In a new survey of 100 UK CEOs, KPMG has found that nearly 60% believe their ability to do business will be hindered once Brexit takes place if UK privacy rules are not aligned to the new General Data Protection Regulation (GDPR).

The GDPR has been at the forefront of minds of many CEOs since the European Commission officially ratified the privacy rules in April 2016. This new legislation is the most important change in privacy and data protection regulation in history. In May 2018, when it will be enforced, it will affect organisations in the UK and worldwide that have any dealings with consumers and businesses in EU member countries. If the rules are not met by businesses, they will face significant sanctions of up to €20M or 4% of global annual turnover – whichever is higher, from regulators.

Mark Thompson, global privacy advisory lead at KPMG said: “The worry amongst this sample  of UK CEOs is understandable. Once GDPR is enforced in May 2018, it will fundamentally alter the way we live, work and interact with technology, organisations and each other. This revolution will transform the scale, scope and complexity of personal information processed, with personal information being a core component of everything we do.

“While the UK is likely to implement the GDPR, Brexit poses some uncertainty on what GDPR will mean to the UK post-Brexit, it is critical to understand that if the UK is going to continue to trade with the EU this free flow of personal information must be maintained. As such we will need to have an ‘adequate privacy ecosystem’ in operation in the UK which is aligned to the requirements of the GDPR.

“Statements issued by the UK Government suggest that the UK will adopt the GDPR while it negotiates its exit from the EU. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else.

“The UK privacy regulator, the Information Commissioner’s Office, remains[1] adamant regarding the need for strong, equivalent privacy law in the UK regardless of the outcome of Brexit. It, therefore, seems likely that a GDPR equivalent privacy framework will be here to stay and organisations should prepare accordingly.”

Thompson said: “The requirements being introduced by the GDPR are going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information. These changes are going to be complex and take time, as such, most organisations cannot afford to wait and see what form Brexit takes. Doing so would leave them with insufficient time to prepare.”