Report highlights uncertainty on cost of EU data protection reform
- Report: Implications of the European Commission’s proposal for a general data protection regulation for business (pdf)
News release: 14 May 2013
- 40 per cent of companies don’t fully understand any of the ten main provisions being proposed
- 87 per cent unable to estimate likely costs of draft proposals to their business
- ‘Debate must be based on valid evidence. This reform is too important for guesswork’ – Information Commissioner
An independent survey commissioned by the Information Commissioner’s Office has found a clear lack of understanding across business around the proposed EU data reforms.
That uncertainty extends to businesses’ estimates of what they spend on meeting their data protection responsibilities under the new law, bringing into question the data on costs found in existing evidence, for instance figures produced by the European Commission and Ministry of Justice.
The findings are published today in a report by London Economics. It was commissioned by the ICO to better understand the challenges the planned reforms would place on UK businesses, and included a survey of 506 businesses.
The study also found:
- 82 per cent of survey respondents were unable to quantify their current spending on data protection
- Estimated average costs of data protection are skewed by a small number of observations by large organisations, who are more able to put a figure on their data protection expenditure
- The vast majority of companies with over 250 employees or processing more than 100,000 records already employ a member of staff focused on data protection compliance, a key part of EU proposals
- Key sectors need to be targeted with information about the plans: the service sector (specifically health and social work), financial and insurance services and public administration
The report is being launched today at the third European Data Protection Day conference in Berlin. Information Commissioner Christopher Graham said:
"Few people I’ve spoken to disagree with the need for an updated European data protection law to better meet the challenges of the 21st century. But to deliver real improvements, it’s crucial that legislation is developed that better reflects the way personal information is used today and will be used in the future.
"The key is finding the right balance between the theory and the practice of strong data protection rights. Inevitably, there will be burdens for those who have to deliver the benefits, whether businesses or regulators. The question is does the benefit justify the burden?
"There has been much talk of ‘what is best for business’, but that must be based on valid evidence. This reform is too important for guesswork.
"Today’s report is the latest contribution from the ICO to this debate. We’d urge the European Commission to take on board what it says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or hobbling regulators.
"Similarly, businesses and other stakeholders need to constructively engage with the debate about burdens and the importance of privacy rights, while the process can still be influenced."
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
4. For more information, please contact the ICO press office on 0303 123 9070.