An independent survey commissioned by the ICO has found a clear lack of understanding across business around the proposed EU data reforms.
That uncertainty extends to businesses’ estimated cost expenditure on meeting their data protection responsibilities under the any new law, bringing into question the data on costs found in existing evidence, for instance figures produced by the European Commission and Ministry of Justice.
The findings were published on 14 May in a report by London Economics. It was commissioned by the ICO to aid understanding of the challenges the planned reforms would place on UK businesses, and included a survey of 506 businesses. Bullet points emphasised by the ICO include:
· 40% of companies don’t fully understand any of the ten main provisions being proposed
· 87% were unable to estimate likely costs of draft proposals to their business.
The study also found that:
- 82% of survey respondents were unable to quantify their current spending on data protection.
- Estimated average costs of data protection are skewed by a small number of observations by large organisations, who are more able to put a figure on their data protection expenditure.
- The vast majority of companies with over 250 employees or processing more than 100,000 records already employ a member of staff focused on data protection compliance, a key part of EU proposals.
- Key sectors need to be targeted with information about the plans: the service sector (specifically health and social work), financial and insurance services and public administration.
The report was launched on 14 May at the third European Data Protection Day conference in Berlin. Information Commissioner Christopher Graham said:
‘Few people I’ve spoken to disagree with the need for an updated European data protection law to better meet the challenges of the 21st century. But to deliver real improvements, it’s crucial that legislation is developed that better reflects the way personal information is used today and will be used in the future. The key is finding the right balance between the theory and the practice of strong data protection rights. Inevitably, there will be burdens for those who have to deliver the benefits, whether businesses or regulators. The question is does the benefit justify the burden? There has been much talk of ‘what is best for business’, but that must be based on valid evidence. This reform is too important for guesswork.
Today’s report is the latest contribution from the ICO to this debate. We’d urge the European Commission to take on board what it says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or hobbling regulators. Similarly, businesses and other stakeholders need to constructively engage with the debate about burdens and the importance of privacy rights, while the process can still be influenced.’
View the full report including executive summary (pdf)