Almost a quarter of UK firms have cancelled all preparation for the EU General Data Protection Regulation (GDPR), misunderstanding that it will not apply after Brexit.

The regulation, which has been years in the pipeline, is designed to harmonise data protection regulation throughout Europe and provide citizens with more control over their personal data.

It has been ratified by the UK and is due to come into force in May 2018 – almost certainly before Britain completes its exit from Europe, despite triggering Article 50 this week.

However, a survey of IT decision makers at UK companies by information management experts Crown Records Management has revealed some shocking results.

Twenty-four per cent have cancelled all preparations, in total, with a further 4% saying that have not even begun preparation. Nearly half (44%) believe GDPR will not apply to British businesses after the UK officially leaves the EU.

John Culkin, director of information management at Crown Records Management, believes the results are alarming. He said: “For so many businesses to be cancelling preparations is a big concern because this regulation is going to affect them all in one way or another.

“Firstly, it is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens.

“When you consider how many EU citizens live in the UK it’s hard to imagine many businesses here being unaffected.”

UK officials and politicians were heavily involved in the drawing up of the new regulation and Culkin believes the general principles behind it are set in stone.

“The reality is we are likely to continue to see stringent data protection in an independent UK rather than a watered down version,” he said.

“Our survey revealed that at least half of companies saw Brexit as an opportunity for Britain to position itself as the safest place to do business through even more robust legislation.

“This means the best course is to prepare now and have a watertight information management system in place as soon as possible. This issue is not going away.”

There was some good news from the survey, however.

Seventy per cent of businesses with more than 100 employees have already appointed a data protection officer, one of the requirements of the GDPR. Half have introduced staff training and only 4% do not plan to. Nearly three-quarters (72%) have reviewed data protection policies, and 44% have undertaken an information audit.

“These are important statistics,” said Culkin. “But this is not the time to delay or give up on preparations.”

The EU GDPR will bring in massive fines for data breaches - as high as 20million Euros or up to 4% of global turnover - as well as new rules to ensure privacy is designed into data policies, plus new rights for citizens to ask for their personal data to be edited or deleted.


By Jonathan Davies, editor, Digital Marketing Magazine


The GDPR Summit Series has been specifically designed for business generalists rather than data protection or privacy specialists and will provide delegates with a comprehensive picture of the new regulations and a practical understanding of the implications and legal requirements needed for compliance.

Further information and conference details are available at 

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at

comments powered by Disqus