ICO survey: More research needed on DP Regulation's cost impact

The large majority of respondents (87%) to an ICO survey on the implications for business of the proposed EU Data Protection Regulation are unable to estimate future consequential spending.

However, the areas where companies expect further costs are: subject access requests, breach notification within 24 hours, data protection impact assessments prior to risky processing operations, the obligation to appoint a data protection officer, and the imposition of large fines for failure to comply.

More indirect cost implications are expected for the "right to be forgotten", data portability, lack of clarity around some definitions, a higher standard of consent, and data minimisation.

Companies that were able to offer cost estimates put forward, for example, the following figures:

- A one-off cost of £500,000 for system development to meet the right to be forgotten, privacy by design and removal of subject access fees (a data service provider for retailers).

- Reviewing and updating legacy data to comply with the Regulation's requirement for explicit consent would cost approximately £6 million (a global data company).

Many commentators have said that the European Commission overestimates the net benefits to business from reduced administrative burdens. On the other hand, this survey by London Economics says that estimated average costs of data protection are skewed by a small number of observations by large organisations, who are more able to put a figure on their data protection expenditure.

This survey reveals that the vast majority of companies with over 250 employees or processing more than 100,000 records already employ a member of staff focused on data protection compliance.

The survey, published on 14 May, is based on responses from 506 UK-based businesses.