When, with great fanfare, the European Commission released its draft General Data Protection Regulation (GDPR) in January 2012, it underpinned its proposals with the justification that they would lead to administrative savings of €2.3billion per year across Member States. The UK government's Impact Assessment was rather less optimistic, claiming the EC had got its figures wrong, both over-estimating the potential benefits and under-estimating the costs of compliance. According to the UK's impact assessment, the annual net cost of implementing and complying with the proposals in the UK will be between £100m and £360m each year with SMEs bearing the brunt of increased costs.
Over three and a half years later, we are close to seeing the final GDPR. The European Commission draft was followed by alternative drafts from the European Parliament and the European Council. The European Data Protection Supervisor has also published his own draft (with a handy app which allows the most dedicated followers of the GDP's progress to compare versions). In addition, we have commentary from regulators. The current expectation is that we should, at the least, have a good idea of what the GDPR will contain by January 2016, even if that will be some months before a final version is published. We certainly already have a much better view of the direction of travel.
The UK's impact assessment identified almost every area of the GDPR as a potential cost but a few areas were singled out as particular issues. Unsurprisingly, these were requirements to appoint a data protection officer (DPO), blanket reporting requirements on data breaches, requirements to carry out data protection impact assessments (DPIAs) and the administrative costs of demonstrating compliance. Disproportionately large fines for non-compliance were also of concern.
The impact assessment did agree that there would be some benefits to business under the GDPR. The reduction in bureaucracy and cost (minimal though it is) of notification and benefits associated with a 'one stop shop' regulator (see our article for more information).
When assessing the drafts on the table, it's probably fair to say that the Parliament's draft is less likely to hold sway than the Council's as it's the Council which holds the real power. So have the deliberations of the various stakeholders changed expectations around costs going forward?
One of the most controversial provisions of the Commission draft was the requirement on public authorities and companies with over 250 employees to employ a DPO for a minimum two year term. As the ICO (among others) pointed out, head count is not necessarily the most reliable way to assess whether the level and sensitivity of data processing requires a dedicated DPO. The Parliament changed the requirement to apply to any company processing the data of over 5000 data subjects which still doesn't address the sensitivity issue. Interestingly, the Council draft leaves it up to Member States to introduce any requirement for mandatory appointment of DPOs. Some countries like Germany already require DPOs under most circumstances and are strong supporters of having DPOs, not least because they won't have any additional costs under the new proposals, but the UK's assessment is that, as drafted by the Commission, the requirement to have a DPO would hit SMEs particularly hard. The Council's proposals are seen then as better for the UK but, if they win the day, we run the risk of a lack of harmonisation in this area.
Another contentious issue in the Commission draft was the stringent breach reporting provisions. The original proposals say data controllers need to report all data breaches to the relevant DPA "without undue delay and, where feasible, not later than 24 hours of becoming aware of it". In addition, they would have to inform data subjects "without undue delay" unless the relevant DPA was satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption. Data processors would be subject to the still more onerous requirement to report breaches to their data controller "immediately". There are a few glaring issues with these proposals. The first is that there is no exemption for breaches of a minor nature, the reporting times are incredibly restrictive and there is no required time limit within which a DPA needs to say whether or not data subjects need to be informed of the breach.
The Parliament's draft takes a slightly less onerous approach, removing the 24 hour requirement and allowing processors to report "without undue delay". There is also provision for providing information to the DPA in stages if necessary.
The Council's draft takes a more pragmatic, risk-based approach by making time limits more flexible and introducing a stipulation requiring that only breaches "likely to result in a high risk for the rights and freedoms of individuals such as discrimination, identity theft or fraud, financial loss [breach of pseudonymity], damage to reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage" be reported. In addition data subjects do not need to be informed if the data controller has implemented appropriate technological and organisational protection measures in relation to the data. This includes encryption or where the controller has taken subsequent measures to ensure that the high risk to data subjects is no longer likely to materialise.
It is to be hoped that the Council's draft will prevail here. It is still not perfect as it doesn't place any requirements on (what will be overburdened) regulators to respond to data controllers but it is certainly preferable to the versions which have gone before it as it significantly reduces the potential costs. That being said, whatever happens, there will be costs to businesses associated with the new requirements.
Under the Commission proposals, DPIAs need to be carried out by both controllers and processors before the processing of any personal data which presents a specific privacy risk whether because of its nature, scope or purchases. A DPIA must contain at least a general description of the intended processing operations, an assessment of the risks to the rights and freedoms of data subjects and the measures intended to address and reduce those risks. In addition the data controller is required to consult the data subjects (or their representative) on the intended activities.
Again, the Parliament went further than the Commission by including a requirement to assess the risks inherent in particular activities. It also includes an extended list of activities which might be considered to be risky enough to warrant a DPIA and extends the information a DPIA must contain. In addition, it imposes a requirement to review DPIAs on a regular basis and at least every two years.
Predictably, the Council steps back to a more pragmatic approach, and of the three versions, is the least burdensome on data controllers, limiting the requirement to carry out a DPIA to processing activities that are likely to be high risk and applying it only to controllers.
Whether or not an organisation is going to be affected by the new DPIA provisions will depend not only on the final version of the legislation but also on the nature of the processing it carries out. The more sensitive the processing, the more DPIAs will need to be completed. Of course, DPIAS are strongly encouraged by the ICO already and it is to be hoped that by the time the legislation comes in, most organisations likely to be affected will be familiar with DPIAs and will be carrying them out anyway.
Other Administrative requirements
Some may be surprised to learn that a key driving force behind the GDPR is the reduction of bureaucracy. This accounts for the disappearance of the current requirement to notify the local regulator about certain data processing activities. Instead, the Commission introduces a requirement to document compliance with data protection law by having policies, administrative measures and appropriate personnel in place. The Commission proposals included a long list of things to be documented which the Parliament reduced although it did introduce prescriptive formats and proposed the requirements apply to all organisations without an exemption for small companies. The Council suggests separate requirements for controllers and processors along similar lines to those in the Commission proposals but with some reduction in scope.
The Commission proposed a three tier system of fines of up to €1m or 2% of annual global turnover. This rose dramatically under the Parliament's draft to a maximum of 100,000,000 or 5% of annual global turnover. The Parliament's draft also set out criteria for assessing the level of a fine rather than adopting the approach of dividing them into different sets depending on the provision of the GDPR breached. The Council moved back to a model more along the lines of that suggested by the Commission but increased the list of specific offences which would attract particular maximum fine levels. National regulators would have discretion to set fines but some, including the ICO, have expressed doubts, not only over the lack of flexibility of sanctions, but also about issues which might arise from jurisdiction questions. These include the possibility of certain jurisdictions becoming known as 'light touch' and also the issue of a local DPA not being able to impose sanctions in its own jurisdiction if the main regulator is in another Member State (an issue touched on in the recent CJEU Weltimmo decision). It is probably safe to say that the maximum fine will be as originally proposed by the Commission but we may see changes to the offences in each tier and, hopefully, greater flexibility. One thing is certain, the sanctions for non-compliance will be far more serious than they are under the current regime.
Data controllers are doubtless anxious that some of the Council's (relative) pragmatism makes it into the final legislation. Until we know for sure, it's not easy to say for certain what the cost implications of compliance will be. And we mustn't forget that there may also be some benefits through the 'one stop shop' approach and, generally, because a greater degree of harmonisation across the EU should reduce costs associated with having to respond to different regimes in different EU Member States. That, after all, is one of the main aims of the GDPR.
It must also be taken into consideration that many businesses are processing more personal data than ever before and would be likely to incur increased data protection costs as that processing increases, even under the current regime. We know that organisations spend increasing amounts on security, insurance and data protection compliance so it is possible that those businesses already on top of data protection compliance will suffer less than those who haven't yet got with the current programme. The ICO recently issued its own advice on getting up to speed with the Data Protection Act 1998 as a pre-cursor to the GDPR and you can also listen to Taylor Wessing's webinar on the subject. It is safe to say that any cost impact of the GDPR will be reduced, or at least spread out for those who are well prepared.