The UK’s data protection authority, Information Commissioner’s Office (ICO), commissioned an independent survey investigating the understanding of the proposed EU data protection reform and associated costs. The survey involved 506 organisations, and one of the key findings is that as a general rule, businesses do not understand the implications of the proposed General Data Protection Regulation. In addition, as businesses are unable to assess their existing data protection costs, it is nigh on impossible to estimate costs of compliance with a new regulation, or to substantiate the cost savings of £2.3 billion estimated by MEP Viviane Reding. This makes it impossible to assess the overall cost implications of the reform.
The study identified five key cost-generating elements of the Regulation:
- Subject access requests
- Breach notification
- Data protection impact assessments
- Appointment of data protection officer (DPO)
- Increased fines
Elements with indirect impact on costs include the “right to be forgotten,” data portability, unclear definitions, a higher standard of consent, and data minimisation. The survey results found that almost half of the respondents didn’t fully understand any of the above provisions, and none of the respondents could accurately describe all of them.
Nearly four-fifths of respondents could not quantify their current data protection spend, and almost nine in 10 were unable to project costs post-reform. Only large organisations were capable of assessing current and expected costs, resulting in no clear picture of compliance costs. Existing predictions of the EU reform costs vary wildly. Notwithstanding MEP Reding’s estimated savings to businesses of £2.3 billion, the UK Ministry of Justice predicted that UK companies will suffer a net cost of between £80 million – £320 million per year.
The Information Commissioner, Christopher Graham, suggests that the benefits of the reform must be justified by the burdens, such that the ‘legislation [sic] delivers real protections for consumers without damaging business or hobbling regulators.’