This month, the Information Commissioner’s Office (the “ICO”) published a report prepared by London Economics (an independent specialist economics and policy consultancy) which set out to evaluate objectively the potential implications of the draft proposals for a new General Data Protection Regulation (the “Regulation”) that will replace the current Data Protection Directive.
The main focus of the report is on: the overall cost to UK business to comply with the relevant provisions in the proposed Regulation; the articles in the Regulation that will cause the greatest challenges to UK business in terms of compliance; and the types of practical support and guidance the ICO could provide to businesses in implementing the proposed measures. What emerges from the report is that many UK businesses expect the repercussions of the new Regulation to be significant.
Uncertainty amongst business
The report provides insight into the types of support from the ICO that businesses would find most beneficial. The findings suggest that there is still a high level of uncertainty within business, particularly regarding the potential cost impact of the Regulation and how, in practice, many of the articles will be complied with. The report notes that whilst the European Commission has published an impact report suggesting that the introduction of the Regulation will bring net savings for economic operators, business organisations such as the Confederation of British Industry are concerned that the Commission has overestimated the net benefits to business from reduced administrative burdens, and that it has failed to calculate accurately the cost of implementing the processes and procedures that will be necessary to meet the new obligations.
The report makes it clear that businesses would still benefit from further support from the ICO. It identifies two priorities: clear guidance on the scope of the provisions, and a point of contact to deal with specific questions about the rules. It notes that survey evidence suggests that even the less complex proposals, such as the provisions on fines and the new Data Protection Officer (DPO) requirements, have been misunderstood by many businesses.
The report indicates that, because of uncertainty regarding the scope of some provisions of the Regulation, estimates as to the financial impact of new rules vary widely. The European Commission’s estimate is that net savings for economic operators will be around €2.3 billion. Conversely, in terms of the financial impact on business, the Ministry of Justice (the “MoJ”) has estimated a net cost to UK business of between £80 and £320 million a year.
As many as 82% of the survey respondents indicated that they were unable to quantify current spending on data protection. That figure rises to 87% in relation to the respondents’ ability to provide estimates regarding future spending on data protection after the new rules come into force.
According to London Economics, 40% of the businesses whose views were collected via the survey have inaccurate knowledge of all ten provisions considered; these companies reported systematically higher additional costs of compliance in relation to current levels. This supports the suggestion that fear of excessive burdens from complying with the proposed Regulation may in part be a result of misunderstanding or misinterpretation of the new provisions.
Sensibly, the report indicates that the ICO should focus its future support on firms that derive the most benefit from holding personal data, or that the ICO perceives as posing a risk of causing considerable damage through data security breaches. It is these types of firms that expect to incur the highest costs as a result of the new Regulation.
Compliance concerns – the key provisions
The report also examines the relationship between particular provisions and cost concerns. It uses responses from the MoJ’s Call for Evidence and insights from its Impact Assessment, to form a view on which provisions of the new Regulation will have the largest impact on UK businesses.
Key concerns amongst data controllers included, firstly, lack of clarity around some of the newly developed definitions (Article 4). For instance, respondents from the IT industry suggested that broadening the definition of “personal data” to include indirect identifiers such as IP addresses may inhibit businesses from providing certain services.
Articles 4(8) and 7, relating to consent and conditions of consent were also singled out. Concerns here related to the higher standard of consent required, now defined as “explicit”, and the proposed conditions for obtaining consent, which will place the burden of proving the requisite consent has been obtained on the data controller.
Article 5, relating to data minimisation (whereby collection of personal data is “limited to the minimum necessary”), has likewise provoked concern. Data controllers who responded to the MoJ’s Call for Evidence indicated that the financial impact of bringing their existing databases into compliance with the proposed Regulation is potentially very large.
However the report notes that the provisions that have seen the most comment by respondents relate to the proposed new rights of data subjects (Articles 12, 17 and 18). Some are concerned that the proposed measures may have the unintended effect of distorting consumer behaviour. In particular there are concerns that Article 12 (“abolishment of the fee for subject access requests”) might lead to an increase in frivolous requests, which will in turn put a strain on budgets. Likewise the “right to be forgotten” (Article 17) is widely considered impractical.
Other provisions that the report highlights as potentially imposing an excessive financial burden on businesses include: the requirement that personal data breaches are notified to supervisory authorities within 24 hours (Article 31); the obligation to perform data protection impact assessments (Article 33); the mandatory appointment of a data protection officer; and the potential for fines for non-compliance to reach up to 2% of annual turnover (Article 79).
Industry expects these provisions to be the most onerous both in terms of giving rise to immediate cost consequences, and also impacting on costs more indirectly over the long term.
Priorities for the ICO
Given the levels of uncertainty highlighted by the report, it is clear that the ICO’s priority should be educating business on the proposed new measures. London Economics suggests that there is a prevailing view that the ICO should make information available and accessible through multiple channels (including its website and a manned point of contact such as a phone-based information service). Precise and unambiguous advice is seen as the most beneficial support for businesses in preparing for the introduction of the new rules.
Certain sectors are singled out as either lacking knowledge of data protection rules or as being particularly at risk under the Regulation. These include health and social work, financial and insurance companies, public administration bodies, and businesses in the service sector more generally. Importantly, the report notes that the number of companies in the sample that have had contact with the ICO in the past is small; the suggestion is that this must change if the introduction of the Regulation is to be successful.
The report paints a picture of a lack of understanding of the Regulation that persists across business, with the problem more pronounced in certain sectors; the ICO must therefore play a key role in providing education and support. Cost concerns are also high, but it appears from the report that at least some of this concern is founded on an incomplete understanding of the provisions, and that with the introduction of well-targeted, clear guidance these concerns may be reduced.