A recently published study, commissioned by the UK Information Commissioner’s Office (the 'ICO') and conducted by London Economics, has found a clear lack of understanding by UK businesses around the proposed reforms to the EU data protection regime.
The study was commissioned by the ICO in order to evaluate the potential implications for UK businesses of the draft proposals. Among other things, the study considered which articles in the proposed regulation would cause the greatest compliance challenges/benefits for UK businesses.
Concerns were raised by businesses about the expected direct costs that would need to be incurred in order to ensure that they were compliant (e.g. the requirement to appoint a data protection officer). However, 82% of the businesses surveyed were unable to quantify their current spending on data protection compliance, highlighting a concerning lack of knowledge about how data protection affects businesses fiscally and raising the question as to whether these businesses could properly gauge whether there were indeed grounds for concern.
More worryingly, a number of companies indicated that they were uncertain about the scope of the provisions and how they would affect current and new business areas. Indeed, the study concluded that “[u]ncertainty is pervasive across the provisions of the proposed regulations”, with 40% of the companies participating in the survey having inaccurate knowledge of the ten particular provisions covered by the study. Furthermore, none of the businesses could accurately describe the requirements of those provisions. This lack of knowledge even extended to major data processors (in this case, those holding over 100,000 records).
On a more positive note, 21% of firms surveyed had been in contact with the ICO previously and, compared to firms that had not, these firms were much more likely to approach the ICO about the new legislation. This suggests that the ICO’s advisory role is working well.
Priorities for the ICO
Not surprisingly, London Economics concluded that there was a key role to be played by the ICO in educating and supporting businesses with the changes, not simply in relation to the more frequently misunderstood provisions (e.g. the ‘right to be forgotten’) but also on the new rules in relation to mandatory fines and data portability. It also recommended that the ICO should focus its work on organisations which face economic risks from breaches, as well as on sectors where knowledge was particularly low. It highlighted the service sector in general but also singled out the health, finance, insurance and public administration sectors as requiring the ICO’s particular focus.
However, while the legislation has not yet been passed, it is concerning that UK businesses are, in effect and by and large, relying on the ICO to educate them rather than themselves taking pro-active steps to prepare for the imminent changes by understanding their future obligations and what measures they will need to implement in order to ensure compliance.