Brexit and EU privacy rules

According to new research, UK CEOs are concerned that EU privacy rules will impact their ability to do effective business if UK privacy rules are not aligned once Brexit takes place.

In a survey of 100 UK CEOs, KPMG found that nearly 60% believe their ability to do business will be hindered once Brexit takes place if UK privacy rules are not aligned to the new General Data Protection Regulation (GDPR).

The most impactful change in privacy and data protection regulation in history

The GDPR has been at the forefront of minds of many CEOs since the European Commission officially ratified the privacy rules in April 2016. This new legislation is the biggest and most impactful change in privacy and data protection regulation in history. In May 2018, when it will be enforced, it will affect organisations in the UK and worldwide that have any dealings with consumers and businesses in EU member countries. If the rules are not met by business, they will face significant sanctions of up to €20 million or 4% of global annual turnover – whichever is higher, from regulators.

“Whilst the UK is likely to implement the GDPR, Brexit poses some uncertainty on what GDPR will mean to the UK post-Brexit, it is critical to understand that if the UK is going to continue to trade with the EU this free flow of personal information must be maintained. As such we will need to have an ‘adequate privacy ecosystem’ in operation in the UK which is aligned to the requirements of the GDPR. Statements issued by the UK Government suggest that the UK will adopt the GDPR while it negotiates its exit from the EU. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else,” Mark Thompson, Global Privacy Advisory lead at KPMG commented.

The UK privacy regulator, the Information Commissioner’s Office, remains adamant regarding the need for strong, equivalent privacy law in the UK regardless of the outcome of Brexit. It therefore seems likely that a GDPR equivalent privacy framework will be here to stay and organisations should prepare accordingly.

What should UK organisations do?

Commenting on what organisations should do, Thompson said: “The requirements being introduced by the GDPR are going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information. These changes are going to be complex and take time, as such, most organisations cannot afford to wait and see what form Brexit takes. Doing so would leave them with insufficient time to prepare.

There are some immediate steps organisations should take to prepare themselves. These are:

1.Raise awareness at the board level – the board needs to understand the implications of the GDPR and be bought into the need to make enhancements. This should result in the funding being made available to undertake a privacy improvement programme.

2. Understand current state and set desired state – conduct a gap analysis against the GDPR to understand where your organisation is exposed to risk and determine what the risk appetite is.

3. Plan and implement – create a detailed plan to enable the desired risk appetite to be reached and undertake a privacy Improvement programme to deliver against this plan.


Edited from press release by Cecilia Rehn.