One in four businesses in the UK say they have cancelled all preparations for the EU General Data Protection Regulation in the misunderstanding that it will not apply after Brexit, new research reveals.

The regulation, which has been years in the pipeline, is designed to harmonise data protection regulation throughout Europe and provide citizens with more control over their personal data.

Noncompliance could result in fines as high as €20 million or up to 4% of global turnover. New rules to ensure privacy must be engrained into data policies, and citizens will have the right to ask for their personal data to be edited or deleted.

>See also: The road to GDPR implementation: challenges and opportunities ahead

It has been ratified by the UK and is due to come into force in May 2018, ten months before Britain completes its exit from Europe.

However, a survey of IT decision makers at UK companies by information management firm Crown Records Management has found 24% are no longer preparing for the regulation. A further 4% have not even begun to prepare.

Alarmingly, a massive 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit.

“For so many businesses to be cancelling preparations is a big concern because this regulation is going to affect them all in one way or another,” said John Culkin, director of information management at Crown Records Management.

“Firstly, it is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens.

“When you consider how many EU citizens live in the UK it’s hard to imagine many businesses here being unaffected.”

UK officials and politicians were heavily involved in the drawing up of the new regulation and Culkin said the general principles behind it are set in stone.

>See also: GDPR: What do you need to know?

“The reality is we are likely to continue to see stringent data protection in an independent UK rather than a watered down version,” he added. “This means the best course is to prepare now and have a watertight information management system in place as soon as possible. This issue is not going away.”

More positive news out of the survey revealed that seven in ten UK businesses with more than 100 employees have already appointed a data protection officer, one of the requirements of GDPR. Half have introduced staff training, with only 4% not planning to, and 72% have reviewed data protection policies.

“These are important statistics,” said Culkin. “But this is not the time to delay or give up on preparations.”