Many commentators have remarked how very similar the Data Protection and Digital Information (DPDI) (No.2) Bill is to the original DPDI Bill published last June. If this is the case, how is it that the No.2 Bill’s projected “Best Estimate” savings is £4.7 billion over a decade, whereas the “Best Estimate” savings for the original DPDI Bill (the “No.1 Bill”) is a mere £1.45 billion over a decade?
Given the fact that there is no official comparison document, explanation or Keeling Schedule to explain these differences, nobody knows. I know inflation is high, but it is not running at 324%.
As an aside, the Impact Assessment Update also estimates the likely “annual export revenue loss” of the Adequacy Agreement with the EU (if it fails) as between £210 million and £378 million per year. Assessed over a decade (the standard unit of time preferred by the Update), that is between £2.10 billion and £3.78 billion. In other words, if the changes in the No.2 Bill lead to a discontinuation of the Adequacy Agreement with the EU, about half the “Best Estimate” savings are lost.
Some readers might recall I did a deep delve into the savings associated with the No.1 Bill. I have reworked these using the new financials reported by Government.
Hence this blog provides an alternative financial analysis, based on verifiable figures which are easy to obtain, unlike the Mystic Meg approach adopted in the 230-page “Impact Assessment Update” published to justify the No.2 Bill (see references).
Real numbers used
I am using six additional facts which are missing from the “Impact Assessment Update”.
- Fact 1: Companies House has over 4 million companies registered in the UK (from Companies House website).
- Fact 2: The total number of controllers on the ICO’s public register is 1,066,929. The breakdown of registration is: Tier 1: 966,587 (90.6% of the register); Tier 2: 93,604 (8.8%); and Tier 3: 6,738 (0.6%). (Information from the ICO on 12 May 2022).
- Fact 3: Approximate registration revenue per year is: Tier 1: £33.8 million; Tier 2: £5.6 million; Tier 3: £19.5 million. The total ICO revenue collected is £59.0 million per year which is calculated by multiplying the number of controllers in each Tier, by the annual notification fee for each Tier (Tier 1 (£35); Tier 2 (£60); Tier 3 (£2,900)).
- Fact 4: The Annual Report (2020/21) indicates the cost of running the ICO is £56.4 million.
- Fact 5: There are 67.1 million data subjects resident in the UK as at July 2020 (ONS website).
- Fact 6: The “Impact Assessment Update” states the true net benefit is between £1.27 billion per decade and £8.53 billion with the “Best Estimate” in the middle at £4.7 billion. Note that the “best estimate” of the No.1 Bill is more or less the “low estimate” of the No.2 Bill (hmmm – how convenient!).
So what kind of questions do Facts like the above raise? Three spring to mind immediately:
- From Facts 1 and 2, it can be seen that only 1 in 4 companies at Companies House is registered with the ICO. So could the ICO garner more in notification fees (e.g. by looking for active companies registered at Companies House but not registered with the ICO)? This improved revenue stream could help the ICO generate more resources to provide clear advice to controllers. This would be better than changing the law to improve the clarity of the UK_GDPR as claimed by the Government (see para 2 of the Explanatory Notes to the No 2 Bill).
- From Facts 3 and 4, could any future surplus in notification fees be earmarked by the ICO to employ more staff to deal with complaints? This is better than the proposal in the No.2 Bill to deal with the ICO’s complaints system by allowing the ICO to dismiss, or not investigate, complaints from data subjects (e.g. in Clause 40).
- Should the notification fee (fixed in 2018) be increased? For example, increasing the notification fee for Tier 2 to £100 and Tier 3 to £3,500 increases ICO resources by over £10 million. An increase in fee that adjusts for inflation since 2018 (about 20%) would do something similar.
It is well known that the ICO has a significant backlog of cases; the last Annual Report (2021/22) shows that 57% of cases often take over 6 months to resolve. The three options above give the ICO more resources to clear that backlog. However, increasing ICO resources fails to get a mention in the “Impact Assessment Update”.
Notification – who pays?
Fact 4 shows that notification to the ICO costs £0.6 billion per decade. So, abolishing notification fees would provide a significant saving for all controllers; it would also release a cohort of staff at the ICO to do things other than pen-pushing notification work (e.g. redeployed to reduce any backlog of complaints). Evidently there are over 900 staff at the ICO!
It is well known that data protection is a balance between the interests of controllers and those of data subjects. So why should controllers be faced with 100% of the costs of data protection compliance, when UK data subjects benefit directly from provisions in the UK_GDPR that protect them? Surely, data subjects should contribute to the costs of data protection?
Historically, notification is a relic from the DPA1984. It was created at a time when most organisations did not have a mainframe computer and those that did have a computer had only one. Hence charging the minority of single computer owners (via notification fees) for the cost of regulation is understandable.
Now every citizen processes personal data as a controller (e.g. on social media) and is also a data subject. So there are stronger arguments that the cost of data protection regulation should be drawn from general taxation with the ICO being a Parliamentary Officer like the Parliamentary Ombudsman (to maintain ICO independence).
Any consideration of the cost of notification or its abolition is missing from the “Impact Assessment Update”.
Savings? The real comparison
I am using the “Best Estimate” of £4.70 billion of savings over 10 years; this represents £470 million of savings per year over all controllers (£1 billion = £1,000 million). As there are 1.07 million controllers (Fact 2), the average saving for each controller can be calculated at £439 per year per controller. This is about £8.40 per week per controller; about the price of a bottle of plonk.
The conclusion one reaches is that such savings are insignificant. Even a small business in Tier 1 (turnover up to £632K) is not going to get into financial difficulty because it does not save £8.40 per week. The statement in the Press Release announcing the No.2 Bill (“new common-sense-led UK version of the EU’s GDPR will reduce costs and burdens for British businesses and charities”) is exposed to be palpably false and, dare I say it, “rubbish”.
So, suppose the UK_GDPR were unaltered; what would be the cost of maintaining the high level of GDPR protection for each data subject? As there are 67.1 million data subjects in the UK (Fact 5), the savings of £470 million per year imply that the cost of maintaining current UK_GDPR standards is £7.00 per year per data subject. This equates to 13.5 pence per data subject per week, or just under 2p per day.
In other words, the Government are prepared to abandon the high level of UK_GDPR protection for all data subjects in order to save tuppence per day for each data subject. There is a well-known phrase “to spend a penny”; it appears the Government does not want to spend two.
Even if the £470 million yearly savings were all allocated to the 6,738 large controllers in Tier 3, the average annual saving is £69,753 per large controller. This is an amount that would be unlikely to be identified in the balance sheet of such a controller, as its revenues are in excess of £36 million per year.
The £69,753 figure is also below the cost of employing a DPO (which most large controllers are likely to employ, but not for much longer as the DPO role is being abolished as a savings measure).
Even if the £470 million were allocated to all the larger controllers in Tier 2 and Tier 3, the annual savings would be £4,683 per controller. This is again pifflingly small for companies with turnover up to £36 million. Even if all controllers were on the minimum turnover for Tier 2 (£632K), the savings represent 0.7% of turnover. Again, such a comparison shows that the financial savings associated with the “burdensome paperwork” are negligible.
Remember all these numbers (e.g. 2p per day) are, according to the figures, a best estimate; they could be much less.
Finally, suitably buried on page 218 of the “Impact Assessment Update”, are the annual costs that arise from the loss of trading with the European Union if the Adequacy Agreement is lost. Over a decade, this loss is somewhere between £2.1 billion and £3.8 billion; the Update calculates that between 2817 and 9601 firms trading with the EU will also go bust.
Is the loss of Adequacy described in the Press Release or any relevant Ministerial statement about the No.2 Bill? Of course not; Brexit is a roaring success as we all know.
Concluding comments
Also missing from the “Impact Assessment Update” is any acknowledgement that large firms trading into Europe have to comply with the EU_GDPR as well as the No.2 Bill. Such firms have to additionally appoint a Representative and absorb the cost of EU_GDPR compliance.
Many private sector controllers in Tier 3 are likely to have to comply with a twin data protection compliance regime (a guesstimate of around 4,000 controllers).
In summary, the press release headlined: “British Businesses to Save Billions Under New UK Version of GDPR” is pure spin. Of course, that is the point of spin. This headline figure in the Press Release has been parroted unthinkingly by the press and some DP observers (who really should know better).
However, it is a relief that the Secretary of State has not repeated her nonsensical claim made at the Party Conference last November that UK_GDPR compliance cost 8% of company profits - or £23 billion (see references).
All in all, it is difficult to avoid the conclusion that the figures presented in the “Impact Assessment Update” and Press Release are of a quality best displayed on the side of a red Brexit bus (as driven by “honest” Boris Johnson).
Data Protection (Courses:Spring/Summer)
An all-day Zoom workshop (10.00-4.30) on the Data Protection and Digital Information No 2 Bill will be held on Thursday 18 May 2023. The fee will be £250+VAT. Email [email protected] for the workshop agenda or to reserve a place on this session.
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- The next Data Protection PRACTITIONER Course is in London on Monday, 22 May 2023 to Friday, 26 May 2023 (5 days: 9.30am to 5.30pm).
- The next Data Protection FOUNDATION Course is in London on June 20-22, 2023 (Tuesday to Thursday, 3 days: 45am to 5.00pm).
Full details on the new Amberhawk website (www.amberhawk.com) or obtained by emailing [email protected].
References
DCMS fails to spend a penny to protect data subjects: https://amberhawk.typepad.com/amberhawk/2022/05/dcms-fails-to-spend-a-penny-to-protect-data-subjects.html (old financial analysis of the DPDI No.1 Bill)
GDPR cost UK £23 billion says Minister in charge of data protection https://amberhawk.typepad.com/amberhawk/2022/11/gdpr-cost-uk-23-billion-says-minister-in-charge-of-data-protection.htm (completely bonkers)
The Press Release associated with DPDI No.2 Bill: https://www.gov.uk/government/news/british-businesses-to-save-billions-under-new-uk-version-of-gdpr
DPDI Impact Assessment and other DPDI documents: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1140162/Data_Protection_and_Digital_Information_Bill_Impact_Assessment_-_June_2022.pdf
The DPDI No 2 Bill: https://bills.parliament.uk/bills/3430