Nearly a quarter of UK businesses have stopped all preparation for incoming European regulation because of Brexit. This haze of confusion was revealed in the results of a survey carried out by Crown Records Management (CRM).
CRM polled 408 IT decision makers working in companies with 100 to 1000 employees in a variety of sectors, from legal and retail to banking and pharmaceuticals, and unearthed some eyebrow-raising results in the process. A full 24 percent of firms have prematurely halted preparation for the GDPR, mistakenly believing that European regulators would not come to call in light of Brexit. A further 44 percent believe that GDPR will not apply to UK firms after Brexit.
It may come as a shock to many that, Brexit or not, the UK will be complying with the General Data Protection Regulation (GDPR). The UK government and the Information Commissioner's Office have been very clear on that point, repeatedly reminding UK businesses that they would be expected to meet the requirements of the European regulation.
Businesses will need to comply with the GDPR by May 2018, and the UK is set to leave the European Union by 2019 at least. Even if UK firms weren't expected to comply in light of Brexit, they would still have a full year of compliance before the country actually left the EU.
The cost of delay could be heavy, too. The GDPR brings in a variety of data protection regulations for firms, such as the mandatory appointment of data protection officers, pseudonymisation of personal data held by organisations and, perhaps most notably, breach notification within 72 hours of such an event. Offenders may find themselves with a fine of up to four percent of worldwide turnover, or €20 million (£17 million), whichever is higher.
Mac Macmillan, data protection expert at Hogan Lovells International LLP, pondered to SC Media UK whether these results weren't the answers of smaller businesses “who don't have a lot of time to track these things” and, having gotten the news of cumbersome European regulation, followed by news of Brexit, “have just breathed a sigh of relief”. The ICO have been active in promoting GDPR but “there are people who monitor the regulatory world and people who don't.” They, added Macmillan, “are always going to be a problem to reach.”
Four percent of respondents haven't even started to comply with GDPR. That figure doesn't surprise Guy Cohen, strategy and policy lead at Privitar. He told SC, “I think a lot of organisations are slow to respond to GDPR. It's worth bearing in mind that GDPR affects any organisation handling personal data, some of which are very small and cannot dedicate data protection teams to dealing with this.”
But despite these foreboding results, the survey also shows a decidedly sunnier picture for those firms that realise their responsibilities. Nearly 70 percent of respondents report having already appointed a data protection officer and over half have introduced a staff training programme.
Others see Brexit as a great opportunity to position the UK as a bastion of data protection in its corner of the world. That 50 percent of respondents serves as a foil to the 28 percent who believe that the advent of Brexit is likely to result in looser data protection regulation.