UK ICO Report Highlights Uncertainty on Cost of Data Protection Reform

On May 14, 2013, London Economics published the results of an independent survey commissioned by the UK Information Commissioner’s Office (“ICO”) to help understand the challenges that the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) may present to UK businesses (the “Report”).

The Report highlights a lack of understanding of the Proposed Regulation by UK businesses. Of the 506 businesses surveyed, 87 percent of respondents were unable to estimate the likely cost of complying with the requirements of the Proposed Regulation, and 82 percent of respondents were unable to quantify their current spending on data protection compliance.

The uncertainty surrounding the cost implications of the Proposed Regulation is an important issue. The European Commission has estimated net savings of €2.3 billion attributable to the Proposed Regulation; in contrast, the UK Ministry of Justice has forecasted that compliance with the Proposed Regulation would cost the UK between £100 million and £360 million per year. The Report suggests that the financial impact is in fact unknown, stating that “what is best for business” must be based on valid evidence, and that the reform is “too important for guesswork.”

The Report also reveals that many businesses in the UK already are voluntarily implementing some of the provisions that will become mandatory, such as the appointment of a data protection officer. According to the Report, the vast majority of respondents with over 250 employees already employ staff with a job position focused on data protection compliance, as do most companies that maintain more than 100,000 records and have a greater perceived risk of security breaches.

In the ICO’s news release on the Report, the ICO “urge[s] the European Commission to take on board what [the Report] says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or lobbying regulators.”
