Poll shows Brexit has left UK businesses confused about future of EU General Data Protection Regulation

As the wheels continue to turn on the UK’s exit from Europe, there are worrying signs that Brexit has left businesses unsure about how to prepare for the EU General Data Protection Regulation.

The legislation, which has been years in the pipeline, is designed to harmonise data protection regulation throughout Europe and provide citizens with more control over their personal data.

It has been ratified by the UK and is due to come into force in May 2018 – almost certainly before Britain completes its exit from Europe, despite the recent triggering of Article 50.

But all the signs are that businesses across the country are delaying, postponing or even cancelling preparations in a mistaken belief that the regulation may not apply once Britain has finally left Europe.

At Crown Records Management we commissioned a survey to poll IT decision makers at UK companies with more than 100 employees, looking at attitudes to the forthcoming regulation.

It produced some very uncomfortable results and showed for example that:

  • 24 per cent of firms have cancelled all preparation for the regulation.
  • A further 4% have not even begun preparation.
  • 44 per cent think the regulation will not apply to UK business after Brexit.

Some of those figures should come as a shock to British business – and perhaps act as a wake-up call that something here is not right.

For so many businesses to be cancelling preparations is a concern because this regulation is going to affect them all in one way or another.

Firstly, it is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens.

When you consider how many EU citizens live in the UK it’s hard to imagine many businesses here being unaffected.

It is important to understand first of all that the underlying principles of the EU General Data Protection Regulation have not been questioned by the UK – in fact UK officials and politicians were heavily involved in the drawing up of the new regulation and we already have some of the most robust data regulation in the world here already.

The reality is we are likely to continue to see stringent data protection in an independent UK rather than a watered down version.

In fact our survey revealed that at least half of companies saw Brexit as an opportunity for Britain to position itself as the safest place to do business through even more robust legislation.

This means the best course for every business is to prepare now and have a watertight information management system in place as soon as possible. This issue is not going away.

There was some good news from the Crown Records Management Survey, however. It also revealed that:

  • 70 per cent of businesses with more than 100 employees have already appointed a data protection officer, one of the requirements of the EGDPR.
  • Half have introduced staff training and only 4% do not plan to.
  • 72 per cent have reviewed data protection policies.
  • 44 per cent have undertaken an information audit.

These are important statistics, particularly when it comes to staff training because a vast majority of data breaches are down to human error. But the overall picture is that many businesses are holding back on preparations for the EU General Data Protection Regulation – and that needs to be addressed.

By John Culkin, Director of Information Management, Crown Records Management. Mr Culkin will be speaking at the GDPR Conference Europe.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.