U.K. Businesses Clueless Regarding the Costs of Compliance with the European Union's Data Protection Reforms
Considered exceptionally restrictive in scope and lacking any agility or flexibility to meet business needs, the proposed data protection reforms being promoted by the European Union (EU) are widely misunderstood by UK businesses. Only 40%, or four in ten, understand the implications of the proposed laws for their businesses, including the costs of compliance, the steps necessary to gain EU-wide compliance, and the continual recertification procedures. These findings and more are presented in the results of a survey commissioned by the Information Commissioner's Office (ICO) and carried out by London Economics. The study, titled Implications of the European Commission's proposal for a general data protection regulation for business. Final report to the Information Commissioner's Office, is available for download on the ICO's website.
The study is paradoxical in its results, showing how poorly the EU has provided prescriptive guidance to enterprises throughout the UK and the broader EU, while at the same time showing how difficult umbrella-like coverage is to manage for data protection legislation. The EU has attempted this type of very broad, strategic data protection legislation in the past (Iowa Law Review, 1995) (Amidon, 1992), eventually having to settle for data protection legislation specific to a given EU nation, as it did with the UK previously (Charkiewicz, 2001).
Despite the many challenges of defining strategic, umbrella-like coverage of the EU for data protection measures that would be significantly more stringent than those of the U.S. Department of Defense and other global government agencies, the EU still struggles to gain commitment and support. One of the main contributing factors to the opposition is the lack of understanding of the costs and benefits associated with the proposed legislation (Berrong, 2010). An essential part of the benefits that EU nations will accrue from the legislation is a net reduction in administrative costs of at least £2.0B per year, in addition to another £2.5B saved through better coordination and synchronization of data protection laws across member states. This is net of the £496M that the EU projects businesses will spend to gain compliance with the new laws, and an additional £17M for personal data breach monitoring. All of these costs were computed before the United States' PRISM scandal, a troubling development since much of the EU consumer data used by American companies is managed by the companies involved in that program. Viviane Reding has made it clear that the EU will vigorously defend its right to audit how its data is used and has also said that PRISM has made the EU curtail advanced plans for sharing additional data with the United States (Hancock, 2013).
A Failure To Communicate At Multiple Levels
EU Commissioner Viviane Reding initially completed her data protection bill in 2012, and it has since been under review by the European Parliament. The EU has most recently said that the legislation, while far-reaching and highly regulatory of data use and ownership, will not go into force until 2015 at the earliest, so that EU-based businesses have the opportunity to plan for and prepare for compliance. The EU has deliberately crafted this legislation to stay consistent with the foundational elements of the U.S. Privacy Act of 1974, in addition to critical areas of the Organisation for Economic Cooperation and Development Guidelines (Crook, 1983). It has also been specifically designed to be compatible with European Union Directive 95/46/EC, in addition to the Asia-Pacific Economic Cooperation Privacy Framework (Rosler, 1995). With so much invested in this legislation and its probable ratification by the European Parliament imminent (by legislative timeframes), it is imperative that British businesses have an opportunity to prepare for compliance (Desai, 2013). Yet a study completed by the Information Commissioner's Office (ICO) shows that the majority of UK businesses are completely unprepared to attain compliance with the new data protection bill, with 60% not knowing what the implications are for their business in the short or long run.
The Information Commissioner's Office (ICO)'s study included interviews with 506 UK-based companies and found that 87% of them lacked even a rudimentary knowledge of how to attain compliance with the directive. In addition, the following findings were published in the research report:
40% of the UK companies in the survey do not understand the 10 major provisions of the bill, with just 2% being able to list all ten.
82% of the respondents have no budget for attaining compliance with the data protection act, as the majority of them do not know how much it will cost, what the overall timeline for compliance is, or how they can manage ongoing compliance efforts.
Of the three company sizes in the respondent base, small and medium businesses (SMBs) were the most confused and completely unaware of the plans. Larger firms with 250 employees or more and 100K records were better equipped to gain compliance with the 10 major provisions of the bill.
London Economics completed an analysis of the survey results and in it provided a summary of costs, shown in the following graphic. Transitory costs, including updating legacy data and system development, are driven by data minimization and the right to be forgotten, or (Massey, 2009) data reduction and elimination from EU systems. Ongoing costs include those that have traditionally been associated with decreased competitive advantage. An analysis of the results from the study is shown in the following graphic, Summary of Costs.
The Information Commissioner's Office (ICO) study results showed that the direct effects of the proposed legislation would reduce the risk of data loss and identity theft, enhance consumer trust in online channels, and improve the quality of personal care data, all driving better decisions over the long term. These are very significant benefits for any business, yet they are completely misunderstood and not being acted on today by the majority of UK businesses. A Summary of Benefits is shown below, with the new legislation, direct effects and indirect benefits as defined in the Information Commissioner's Office (ICO)'s findings.
The EU is doing its best to package up the data protection legislation from the standpoint of its potentially positive economic impact. Missing from much of its literature and forward materials are the costs as they relate to staffing and process redefinition throughout UK businesses. It is very evident that the majority of UK businesses are ill-prepared for compliance with this initiative. What is particularly troubling about the lack of education pertaining to the EU data protection law is the irony that those who must comply to stay in business are the least aware of it. Small and medium enterprises are completely unaware of how the broader, strategic data protection initiatives of the EU will impact their daily performance and long-term profitability (Doleys, 2013). Mid-tier companies are more prepared and, as the survey has shown, enterprises with 250 or more employees often have a staff role dedicated to data protection compliance alone.
Managing data compliance across all enterprises is nonetheless urgent, and the majority of UK businesses have not been following this from a cost, compliance or long-term strategic standpoint. The end result will be many small businesses paying exceptionally high fees to consultants to get them into compliance quickly. The management consultancies, including Infosys, HCL and others, will flourish because of this legislation, while it forces entirely new burdens on UK businesses precisely in the area of the market that can least afford them. The most paradoxical issue of all is that by enforcing such a stringent data protection standard, the EU may inadvertently slow the flow of information and constrain business growth.