
KPMG cautions CEOs against ignoring GDPR requirements because of Brexit

Professional services giant KPMG says UK businesses cannot afford to ignore incoming European data protection requirements if they want to continue to trade successfully with the continent in future

KPMG is warning CEOs not to stall on preparing their businesses for the arrival of the European General Data Protection Regulation (GDPR), despite the ongoing uncertainty around how its contents will apply to them in the wake of the June 2016 Brexit vote.

Mark Thompson, global privacy advisory lead at the professional services firm, said organisations can ill afford to wait around and see how the government’s post-Brexit data protection plans square with the contents of the GDPR.

“The requirements being introduced by the GDPR are going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information,” he said.

“These changes are going to be complex and take time. As such, most organisations cannot afford to wait and see what form Brexit takes. Doing so would leave them with insufficient time to prepare.”

How the UK’s vote to leave the European Union (EU) will affect the compliance of UK businesses with the continent’s data protection laws in future has emerged as a recurring topic of conversation among industry watchers in recent months.

As outlined in a recent Computer Weekly article, it remains unclear at this point whether UK businesses will be exempt from, or expected to comply with, the GDPR legislation, which will come into force in 2018.

Its introduction is expected to herald a unification of the multitude of data protection rules European countries are expected to adhere to on an individual basis, by introducing a single and identical set of regulations for all 28 EU member states to follow.

Businesses that fail to comply with the terms of GDPR will face fines of up to €20m or 4% of their global annual turnover (depending on which one is higher).

However, with current estimates suggesting the UK could be on course to leave the EU by 2019, business leaders are seeking clarification about what the government’s data protection legislation plans are beyond this date.


According to a poll of 100 CEOs by KPMG, 60% of respondents fear their ability to do post-Brexit business will suffer unless steps are taken in advance to ensure the UK’s data protection laws align with Europe’s in the future.

“While the UK is likely to implement the GDPR, Brexit poses some uncertainty on what GDPR will mean to the UK post-Brexit, it is critical to understand that, if the UK is going to continue to trade with the EU, this free flow of personal information must be maintained,” said Thompson.

“Statements issued by the UK government suggest that the UK will adopt the GDPR while it negotiates its exit from the EU. What remains to be seen is whether the GDPR is subsequently repealed and replaced with something else.

“The UK privacy regulator, the Information Commissioner’s Office, remains adamant regarding the need for strong, equivalent privacy law in the UK regardless of the outcome of Brexit. It therefore seems likely that a GDPR equivalent privacy framework will be here to stay and organisations should prepare accordingly,” he added.
