UK businesses confused over EU data reforms, says ICO
28 May 2013
40% of UK businesses do not fully understand the European Commission’s proposed data reforms in the draft Data Protection Regulation, according to a recent survey commissioned by the Information Commissioner’s Office (ICO). The survey, which was carried out by London Economics, found that respondents had inaccurate knowledge of the 10 key provisions in the draft Regulation. Businesses find abstract provisions such as the right to be forgotten particularly problematic.
None of the survey respondents accurately described all 10 key provisions:
1) Higher standard of consent
2) Lack of clarity around definitions
3) Data minimisation
4) Data portability
5) Right to be forgotten
6) Subject access requests
7) Data security breach notifications
8) Data protection impact assessments
9) Obligation to appoint a DPO
10) Fines.
Question mark over potential costs of the Regulation
Organisations that are unsure about the proposed changes in the draft Regulation are likely to report higher costs for implementing them, the survey found. This raises questions about existing evidence on the financial impact of the proposed data reforms.
Even large businesses find it hard to understand the proposed changes. For instance, one of the changes requires large organisations (250 employees plus) or those that keep more than 100,000 records of personal data to appoint a data protection officer. Many of these businesses already employ someone who focuses on data protection compliance and so are already satisfying the new requirement.
What’s more, while these large firms are able to produce an estimate of their data protection spend under the current legislation, 82% of businesses cannot. Unsurprisingly, 87% of businesses are also unable to estimate the increased costs of the proposed changes. This means that the current estimates of the cost of the proposed changes in the draft Regulation are already not representative of UK business as a whole. So the authors call for more detailed investigation.
And let’s not forget that the proposed changes are complex and there is still uncertainty as to what exactly they will be. The draft Regulation is being amended both in the European Council of Ministers and by the European Parliament, and some of these amendments will clearly have implications for the cost of the proposed changes to UK businesses.
Implications for UK analytics industry
The 10 key provisions in the draft Regulation (above) are particularly burdensome for UK businesses either because of the direct cost of the changes or because of the uncertainty as to whether the changes will affect existing business practices or close off new and emerging developments.
An example of this is the potential impact on the analytics industry of making IP addresses personal information. Currently IP addresses are not classed as personal information unless the analytics is being carried out for an internet service provider.
Businesses call on ICO to provide advice and guidance
Businesses want the ICO to play a key role in educating them about the proposed changes in the draft Regulation, the survey found. They would like to see information about the proposed changes on the ICO website and a helpline, coupled with an awareness campaign.
Businesses would like ICO guidance on the areas that cause most confusion: the right to be forgotten; the removal of subject access request fees; the requirement for larger firms to appoint a data protection officer; the new regime for imposing fines; and changes allowing consumers to download their information from utility suppliers.
ICO survey a valuable contribution to data reform debate
The results of the survey are a useful contribution to the debate and the DMA hopes that the ICO will use the findings to ensure that the implementation strategy for the draft Regulation takes into account the concerns raised by business.
This should minimise the implementation cost while achieving the goal of having the same rules across all 27 Member States of the European Union and increasing consumer privacy.
James Milligan, Solicitor, Direct Marketing Association