Report: UK chiefs' concern growing over EU privacy rules post-Brexit

Figures released by KPMG reveal that 60 per cent of UK CEOs are worried about their ability to do business effectively once Brexit is triggered

UK bosses are concerned that their ability to do business will be hampered once Brexit takes place if UK privacy rules are not aligned to the new General Data Protection Regulation (GDPR).

The firm questioned over 100 CEOs in its survey, to find out how they feel Brexit may affect the introduction of GDPR in May 2018.

The UK's involvement in GDPR is up in the air at the moment because Article 50 is yet to be triggered, but the legislation, which was ratified in April 2016 by the European Commission, comes into force in May 2018.

It will mark the biggest change in privacy and data protection regulation in history. If the rules are not met by business, they will face sanctions of up to €20m or four per cent of global annual turnover - whichever is greater - from regulators.

Mark Thompson, global privacy advisory lead at KPMG, said: "The worry among this cohort of CEOs is understandable. Once GDPR is enforced, it will fundamentally alter the way we live, work, and interact with technology, organisations and each other.

"This revolution will transform the scale, scope and complexity of personal information processed, with personal information being a core component of everything we do.

"While the UK is likely to implement the GDPR, Brexit poses some uncertainty on what it will mean to the UK post-Brexit, and it is critical to understand that if the UK is going to continue to trade with the EU then this free flow of personal information must be maintained.

"As such, we will need to have an 'adequate privacy ecosystem' in operation in the UK which is aligned to the requirements of the GDPR.

"Statements issued by the UK government suggest that the UK will adopt the GDPR while it negotiates its exit from the EU. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else.

"The UK privacy regulator, the Information Commissioner's Office, remains adamant regarding the need for strong, equivalent privacy law in the UK regardless of the outcome of Brexit. It therefore seems likely that a GDPR equivalent privacy framework will be here to stay and organisations should prepare accordingly."

KPMG's list of what firms should do to prepare for GDPR:

1. Raise awareness at the board level - the board needs to understand the implications of the GDPR and be bought into the need to make enhancements. This should result in the funding being made available to undertake a privacy improvement programme.
2. Understand current state and set desired state - conduct a gap analysis against the GDPR to understand where your organisation is exposed to risk and determine what the risk appetite is.
3. Plan and implement - create a detailed plan to enable the desired risk appetite to be reached and undertake a privacy improvement programme to deliver against this plan.