In January this year, the European Commission published an Impact Assessment which estimated that the new Data Protection Regulation would bring administrative savings to the EU totalling €2.3 billion each year. An analysis published by the Government last Friday claims that the burdens would far outweigh the net benefit estimated by the Commission. For the UK alone, the Government estimates that the annual net cost of the Regulation (in 2012-13 earnings terms) would be between £100 million and £360 million a year.
So who is correct?
The first thing to do is compare like with like. We can crudely extrapolate the total cost of Data Protection compliance in the UK to all Member States of the EU if we assume that the burdens identified by the UK Government apply equally to the rest of Europe. We can do this by scaling the UK calculated costs in proportion to the Qualified Majority Votes the UK has in the EU.
So, for instance, the UK has 29 out of 345 votes (the total for all Member States). If between £100 million and £360 million a year corresponds to 29 votes, then 345 votes corresponds to between £1.2 billion (€1.5 billion) and £4.3 billion (€5.3 billion).
Yes, I know it is a crude estimate, but it brings into focus what the UK Government is actually claiming: that the EU’s calculation is rubbish. We can also say that either the UK or the EU have their numbers badly wrong – perhaps, fraudulently so!
The Government’s view is that the Commission both overestimates the benefits achieved through harmonised EU data protection law and fails to address the full costs and unintended consequences of its own proposals, by only considering “administrative costs”.
The UK claims that its analysis addresses some of these failings by considering in full the impact of the proposed regime: the additional costs for businesses (including small and medium enterprises), the additional costs to supervisory authorities, the cost of conducting data protection impact assessments, and the cost of complying with other new obligations.
In its financial report, the UK Government estimates that:
• Notifying data loss breaches will cost £90 million per year
• Subject Access Requests (SARs) will cost £30 million per year
• Data Protection Impact Assessments (DPIAs) will cost £80 million per year
• Data Protection Officers (DPOs) will cost £160 million per year
• ICO costs will increase to £40 million per year
• Demonstrating Compliance will cost £30 million per year
Commentary on the above cost estimates
The Government state that the costs associated with notifying data losses are £90 million per year for five years, increasing to £100 million within 5 years. I have some difficulty with this figure, as it means the cost of data losses is more or less constant over 2016-2025.
In my view, this constant profile does not take account of the regulatory framework which will increasingly fine such data losses; additionally the requirement to undertake DPIAs should also identify and reduce risks. Given that most data controllers will want to reduce their exposure to risk I would have expected that the cost profile of data loss would decrease over 2016-2025.
According to the Government’s costings, SARs cost between £50 and £100 each and will cost £30 million per year over 2016-2025. To arrive at the £30 million figure, the Government are estimating that there are going to be an additional half a million Subject Access Requests per year because access is free. Personally, I can’t see why there should be an extra half million subject access requests just because subject access is free to the data subject.
In my experience, data subjects use a SAR to sort out some personal problem or other with a specific data controller; whether the cost is £10 or £zero, a small fee is not going to dissuade data subjects from seeking access.
In addition, there are 355,000 registered data controllers. Spread those half million SARs across these data controllers and you have an average increased workload of 1.5 SARs per year per data controller. This increase in SARs, expressed in this way, does not appear onerous to me. Furthermore, as more and more data controllers provide on-line access for customers to their own personal data, I would expect the number of formal SARs to decline, not flatline as in the Government’s Impact Assessment.
Data Protection Officers (DPOs) are assumed to cost £160 million per year. Well, I think that many large data controllers have already allocated someone to do the data protection job (with the job title Data Protection Officer). I therefore have serious doubts about this number in the Impact Assessment, as it takes no account of the current position where such data protection staff already exist.
With respect to Data Protection Impact Assessments, I simply don’t believe the £80 million price tag. Doing a DPIA is a job for the DPO, isn’t it? If “yes”, we have some double accounting here. The Government in fact thinks a small DPIA costs £11,200 (page 21 of the Impact Assessment). Also, as the point of a DPIA is to integrate data protection compliance into new and existing processing, if done properly it should reduce year-on-year DP compliance costs and risk factors.
Likewise with the “keeping documentation” requirements:
• Maintaining documentation of all processing activities (Article 28);
• Maintaining documentation of data protection impact assessments that are carried out (Article 33)
• Documentation on the data protection officer (Article 35);
• Obtaining prior authorisation from the supervisory authority for processing (article 34).
The Government see these activities as costing £20 million a year; by contrast, I see them as part of the DPO’s role, which is already accounted for.
According to the Government, the ICO needs to more than double its current data protection budget to £40 million per year. What do you think the response would be if a public body approached Government and said “Please can I have twice as much?” Simply not credible.
In its statement to Parliament, the UK Government reverted to the stance it has taken since 1984: that data protection is seen more as a cost on business than as protection of the individual. This is made clear in the Parliamentary statement, which concludes:
“The UK Government is seriously concerned about the potential economic impact of the proposed data protection Regulation. At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States.”
Finally, can I just put forward some contrary figures? There are 60 million data subjects in the UK and 355,000 registered data controllers. The Government are complaining that £200 million per year is too much; this is £564 per data controller per year, or £3.33 per data subject per year across all data controllers. This latter figure is less than a penny per day.
So, I will ask you a question: is your privacy worth a penny per day? If so, then the Government's costings can be dismissed.
I have some real issues with how this Data Protection Regulation works for Data Controllers; cost is not one of them.
References
The Government costings (Impact Assessment): Blog Nov2012 eu-data-protection-reg-impact-assessment (download)
Parliamentary Statement about the costings: http://www.parliament.uk/documents/commons-vote-office/November_2012/22-11-12/7-Justice-DataProtection.pdf