UK CEOs are concerned that EU privacy rules will impact their ability to do effective business if UK privacy rules are not aligned once Brexit takes place, according to research by KPMG.
In a survey of 100 UK CEOs, KPMG found that nearly 60 percent believe their ability to do business will be hindered once Brexit takes place if UK privacy rules are not aligned to the new General Data Protection Regulation (GDPR).
The GDPR has been at the forefront of minds of many CEOs since the European Commission officially ratified the privacy rules in April 2016. This new legislation is the biggest and most impactful change in privacy and data protection regulation in history. In May 2018, when it will be enforced, it will affect organisations in the UK and worldwide that have any dealings with consumers and businesses in EU member countries. If the rules are not met by business, they will face significant sanctions of up to €20M or 4% of global annual turnover – whichever is higher, from regulators.
Mark Thompson, Global Privacy Advisory lead at KPMG said: “The worry amongst this cohort of CEOs is understandable. Once GDPR is enforced in May 2018, it will fundamentally alter the way we live, work and interact with technology, organisations and each other. This revolution will transform the scale, scope and complexity of personal information processed, with personal information being a core component of everything we do.
“Whilst the UK is likely to implement the GDPR, Brexit poses some uncertainty on what GDPR will mean to the UK post-Brexit, it is critical to understand that if the UK is going to continue to trade with the EU this free flow of personal information must be maintained. As such we will need to have an ‘adequate privacy ecosystem’ in operation in the UK which is aligned to the requirements of the GDPR.
“Statements issued by the UK Government suggest that the UK will adopt the GDPR while it negotiates its exit from the EU. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else.
“The UK privacy regulator, the Information Commissioner’s Office, remains adamant regarding the need for strong, equivalent privacy law in the UK regardless of the outcome of Brexit. It therefore seems likely that a GDPR equivalent privacy framework will be here to stay and organisations should prepare accordingly.”
What should organisations do?
Commenting on what organisations should do, Thompson said: “The requirements being introduced by the GDPR are going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information. These changes are going to be complex and take time, as such, most organisations cannot afford to wait and see what form Brexit takes. Doing so would leave them with insufficient time to prepare.
"There are some immediate steps organisations should take to prepare themselves. These are:
For media enquiries, please contact:
Nahidur Rahman, Senior PR Manager
T: +44 (0) 20 7694 8812
M: + 44 (0) 788191 6975
Follow us on twitter: @kpmguk
KPMG Press Office: +44 (0)207 694 8773
Notes to Editors:
KPMG LLP, a UK limited liability partnership, operates from 22 offices across the UK with approximately 12,000 partners and staff. The UK firm recorded a revenue of £1.96 billion in the year ended September 2015. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 174,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.