The European data law will come into effect in December 2017. The EU Parliament, Council and Commission have committed to finally conclude talks on its content this December, with implementation to follow two years later.
If the current draft of the GDPR is not changed, it is predicted to cost the UK digital advertising sector more than £500,000,000 in lost revenue, according to the Internet Advertising Bureau.
Currently the draft regulation will place additional restrictions on companies’ ability to process data, making the new rules more restrictive than those now in force. For example, the current content of the draft GDPR may be interpreted as outlawing the processing of aggregated customer data that provides advertisers with crucial information about the effectiveness of their ads. According to the IAB, the law could cost UK companies £633 million a year in lost advertising revenue.
A report for the Information Commissioner’s Office found appointing a data protection officer will cost between £50,000 and £75,000 annually, and for UK businesses of all types a total of £229 million. For SMEs it could add £182 million to salaries, and for larger companies £47 million a year.
Consumer-facing financial companies are estimated to have to pay between £100,000 and £500,000 to become compliant, but just as important is the loss of revenue created by a failure to obtain the new higher level of opt-in consent from consumers, which will lead to losses of revenue running into countless millions due to data files having to be erased.
Other big data users, such as the utility, grocery, e-commerce and IT sectors, face the same challenges of having to upgrade consumer consent and, where they fail, having to write off large swathes of income-generating data.
The report claimed charities and membership organisations may find fundraising impossible, and extra revenue will have to be found by them to cover a necessary increase in telemarketing.
However, 87% of the 506 companies surveyed said they are unable to calculate the amount compliance preparation will cost, with 82% unaware of their current spending on existing compliance rules.
One respondent to the survey predicted that GDPR would cost their company £5 million to become compliant, and £1 million a year to maintain it. A sizeable minority said there are no financial implications of any kind in preparing for GDPR.
The Ministry of Justice produced research of its own that concludes the cost to UK business could be as high as £320 million a year, and £2.1 billion over 14 years. This is countered by the understanding that greater emphasis on compliance regulations will save between £42 million and £124 million in fines.
The EU itself predicts the cost to European business will be £580 million, and there will be a £2 billion administration saving because multiple national data rules will no longer exist.
This ignores the fact that regulatory authorities in each European country will have leeway to enforce and apply sanctions as they see fit, meaning pan-European brand owners will still contend with different regulatory regimes with their own interpretations of the law.
In the consumer data sector itself, the Direct Marketing Association believes tighter regulations on consent could lead to a 50% fall in turnover for list brokers, and a similar drop in business for data cleaning services.
Data companies could face a one-off cost of £500,000 for system development in order to meet consumers’ ‘right to be forgotten’ and subject access fees. Data portability will cost another £100,000 in system changes.
Most companies that employ 250 people or more, and those with more than 100,000 consumer data files, already have a job position focused on compliance. The cost to train them on GDPR will be £7,600.
Whatever the costs will really be, the cheapest way to tackle GDPR is to start preparing as soon as possible. The later it is left the more expensive and disruptive it will be, and the 16 months in which to prepare will not be enough for some companies.
An ICO representative recently said that if companies make a concerted effort to become EU law compliant by the time it is introduced, leeway would be provided in terms of the imposition of the considerable sanctions it can apply. However, it was stressed that token efforts would not count.
After December 2017 the ICO could come knocking at any time, plus members of the public may be given the right to claim damages for misuse of their information. On top of everything else, a PPI-style claims bonanza is something data users could do without.
Sourced from Jeremy Whitaker, Chairman, Verso Group