Out-Law News

Study reveals UK business uncertainty over data protection reform plans and cost implications


Businesses are uncertain about what proposed new data protection laws would mean for them, according to a study commissioned by the Information Commissioner's Office (ICO).

London Economics, an economics and policy consultancy, said that it had surveyed 506 individuals who have "data protection responsibilities in their place of work". However, it said that none of the respondents could "accurately describe" all 10 of the main provisions laid out in the European Commission's draft General Data Protection Regulation.

The provisions range from rules on subject access requests, consent and data breach notifications to the 'right to be forgotten' and data portability.

"As many as 40% of companies that participated in our survey have inaccurate knowledge of all 10 provisions considered," London Economics said in its study. (98-page / 1.49MB PDF) "None of the survey respondents accurately describe all 10 provisions. This suggests that a large proportion of companies in the UK do not have a clear grasp of how data protection regulation will change once the EC proposals are enforced. This lack of understanding persists for companies that hold over 100,000 records of personal data. Companies in the services sector are most likely to record high levels of uncertainty."

"Survey evidence suggests that even seemingly straightforward measures like the provisions on fines and DPO requirements are insufficiently understood by many businesses," it added.

London Economics said, though, that "ignorance" of the proposed reforms may not be entirely to blame, and that the lack of understanding may instead be "driven by the complexity of the proposed Regulation and the persistent uncertainty about the meaning and implications of some of its provisions".

Insurance firms and health bodies are among the organisations that the ICO should give more help to on data protection matters, London Economics recommended.

"Our survey confirms that organisations in health and social work, financial and insurance services and public administration warrant the ICO’s attention," it said. "These sectors combine high perceived risk with relatively low levels of knowledge about the proposed Regulation. Knowledge also is limited in the services sector, even though risks are seen as lower."

Most UK businesses (82%) do not know how much they currently spend on data protection, whilst 87% could not estimate how much their compliance costs would be under a reformed data protection framework, London Economics added.

"The majority of businesses are unable to quantify their current spending in relation to data protection responsibilities under existing law – and this persists in relation to estimates for expected future spending under the new proposals," London Economics said. "This uncertainty indicates that existing evidence on the financial impact of the regulation is difficult to corroborate. Further research is required to clarify some important issues, such as the role of privacy and data protection in determining the level and intensity of consumer participation in online markets."

The European Commission has claimed that its proposed data protection reforms could save EU businesses a total of €2.3 billion, but the UK's Ministry of Justice has, in contrast, estimated that UK businesses will in fact face additional compliance costs of up to £320 million a year.

Information Commissioner Christopher Graham said "real improvements" to data protection laws can only be delivered if the reforms deliver legislation "that better reflects the way personal information is used today and will be used in the future".

"The key is finding the right balance between the theory and the practice of strong data protection rights," Graham said in a statement. "Inevitably, there will be burdens for those who have to deliver the benefits, whether businesses or regulators. The question is does the benefit justify the burden? There has been much talk of ‘what is best for business’, but that must be based on valid evidence. This reform is too important for guesswork."

"We’d urge the European Commission to take on board what [the London Economics study] says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or hobbling regulators. Similarly, businesses and other stakeholders need to constructively engage with the debate about burdens and the importance of privacy rights, while the process can still be influenced," he added.
