CEOs fear Brexit will leave firms out of step with GDPR

CEOs are concerned that EU privacy rules will impact their ability to do business after Brexit, according to research by KPMG.

In a survey addressing 100 UK CEOs, 60% believed that their ability to do business will be impaired once Brexit takes place, if British privacy rules are not aligned with the incoming General Data Protection Regulation (GDPR).

Mark Thompson, global privacy advisory lead at KPMG, said: "The worry amongst this cohort of CEOs is understandable. Once GDPR is enforced, it will fundamentally alter the way we live, work and interact with technology, organisations and each other. This revolution will transform the scale, scope and complexity of personal information processed, with personal information being a core component of everything we do."

Ever since the European Commissionconfirmed the new privacy rules in April 2016to increase users' control over their personal data and strengthen data protection policies, many UK CEOs have become concerned that this could negatively impact on their businesses post-Brexit.

Once GDPR is enforced in May 2018,businesses that do not meet these rules will have to either pay sanctions of up to around 16.8 million (20 million), or 4% of their global annual turnover, whichever is higher.

Thompson said: "Whilst the UK is likely to implement the GDPR, Brexit poses some uncertainty on what GDPR will mean to the UK post-Brexit, it is critical to understand that if the UK is going to continue to trade with the EU this free flow of personal information must be maintained. As such we will need to have an 'adequate privacy ecosystem' in operation in the UK which is aligned to the requirements of the GDPR."

In September, the head of information commissioner's office (ICO) Elizabeth Denham toldBBC Radio 4that Britain should adopt the European legislation.

Denham said: "I don't think Brexit should mean Brexit when it comes to standards of data protection. In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent."

Statements made by the UK government suggest the UK will try to adopt GDPR while negotiating its exit from the EU, but that it is likely to draw up equivalent legislation once it is no longer part of the EU.

Thompson said: "The Information Commissioner's Officeremainsadamant regarding the need for strong, equivalent privacy law in the UK regardless of the outcome of Brexit."

In order to prepare for GDPR after Brexit, Thompson suggested that organisations make significant improvements to their privacy control environment, rethinking the way in which they collect, store and use personal data.

Thompson said some immediate steps that companies could take to prepare for GDPR post-Brexit are to bring the implications of GDPR to the board's attention, understand the state of their current data protection rules, and to draw up a plan on bringing them in line with GDPR.