EU data rules giving CEOs the fear factor
Britain’s corporate bosses fear EU privacy rules will hurt their ability to do effective business if UK privacy rules are not aligned after the country becomes a non-member, a study says.
In fact, almost 60% of UK CEOs warn that their ability to do business post-Brexit faces obstacles if domestic regulations fail to reflect the General Data Protection Regulation, KPMG found.
The accountancy firm says it is “understandable” that UK CEOs are worried, but uncertainty about adopting GDPR -- which surfaced immediately after the EU vote -- is unlikely to be the cause.
Firstly, statements by the UK government suggest that the country will adopt the GDPR, partly because it is widely expected to take effect (May 2018) before Britain exits the EU.
Secondly, the Information Commissioner has spoken of the ‘need to keep personal information flowing’ between EU member states and the UK; a process requiring legal parity.
“The GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent,” commissioner Elizabeth Denham said in her first major speech.
The scale of the GDPR is more likely than uncertainty to be behind the concerns that KPMG unearthed among the corporates.
“[It] is the biggest and most impactful change in privacy and data protection regulation in history,” believes the firm’s global privacy advisory lead Mark Thompson.
“When it will be enforced, it will affect organisations in the UK and worldwide that have any dealings with consumers and businesses in EU member countries.”
Issuing three ‘quick-steps’ that worried CEOs should be taking to prepare for GDPR -- IT contractors have been issued with their own recommended actions -- KPMG outlined:
1. Raise awareness at the board level
The board needs to understand the implications of the GDPR and buy into the need to make enhancements. This should result in funding being made available to undertake a privacy improvement programme.
2. Understand current state and set desired state
Conduct a gap analysis against the GDPR to understand where the organisation is exposed to risk and determine what the risk appetite is.
3. Plan and implement
Create a detailed plan to enable the desired risk appetite to be reached and undertake a privacy improvement programme to deliver against this plan.