The General Data Protection Regulation (GDPR) will impose a new legal framework providing citizens of member states with a high level of protection of personal data. Given the requirements to make businesses more accountable for their data practices, rising costs of compliance are a main concern.
With the emerging global digital economy and the increasing popularity of cloud computing services, the 1995 EU Data Protection Directive (also known as Directive 95/46/EC) is becoming obsolete. As EU officials identified the need for reform, GDPR will bring EU’s data protection practices into the modern era.
On December 15th, the trio of negotiating parties comprising the European Commission, the European Parliament and the Council of the European Union agreed to toughen the EU’s data protection regime. After a few years of consultations (since 2011), the final text has been agreed and will be formally adopted by the European Parliament and Council this spring, and then applied by data protection authorities over two years.
You can find key points of the text of the GDPR here.
Impact assessment in a nutshell
According to EU officials, the reform package is designed to end the ‘patchwork’ of data protection rules that currently exist in the EU, reducing red tape for firms. Under the new regime, businesses will deal with a single supervisory authority, creating cost savings of €2.3 billion a year.
Reducing the cost of regulation for businesses is crucial for growth. Across Europe, governments and EU institutions are recognising that the abolition of unnecessary EU burdens is vital to maintaining competitiveness. This will indeed improve competition not only in the internal market but also in external markets.
Indeed, as a result of the reform, businesses will have to comply with one set of harmonized rules across Europe, which will considerably reduce the costs of doing cross-border business in the internal market.
According to the Impact Assessment delivered in 2012, this can “be perceived by many businesses as a competitive advantage, providing a business environment where the legitimate and safe processing of personal data is rewarded with the trust of more consumers […] The reform is likely to have a positive impact on consumer confidence in online environments, so that increased volume of transactions of goods and services through online channels can be expected”.
The new legal framework will also boost capacity for product innovation and “European industry could become world leaders in privacy enhancing technologies or privacy by design solutions, drawing business, jobs and capital to the European Union. Privacy enhancing tools for data transfer and aggregation, as well as cloud computing will generate new business opportunities.”
In other words, the clarification and harmonization of data protection rules across the EU offers a larger, more streamlined and more open market for investment and increases incentives for innovation.
SMEs exemptions: a must
While EU officials seem very confident regarding GDPR’s impact on EU economic dynamics, a significant number of firms are either ignorant or sceptical about the proposed changes.
Source: 2015 Kuan Hon kuan0.com
SMEs in particular are likely to be hurt by the new regime because “the long list of data related requirements under the new rules will overburden smaller companies”, as observed by the ICDP.
The UK’s Impact Assessment concluded that the European Commission proposal could have a net cost to the UK economy of £100-£360 million per year, of which £80-£290 million would be borne by SMEs.
Slaughter and May explain that “for many UK based businesses, even those which are part of larger organisations, it is difficult to see where major cost savings will come from. Even where red-tape has been reduced (for example the scrapping of the notification requirement) additional obligations mean that a similar, or higher, level of resources will be required to meet the new obligations”.
Source: European Commission
Taking account of the concerns of industry regarding the administrative and financial costs of implementing some of the proposed changes – and recommendations from the UK’s Department of Business Innovation and Skills – some exemptions from the Regulation’s provisions have been made for SMEs.
It seemed crucial for negotiators in Brussels to ensure rules will be proportionate to the risks at stake, therefore avoiding the possibility of imposing disproportionate burdens on small companies.
That is why measures with a potential cost impact such as the appointment of Data Protection Officers and the conduct of data protection impact assessments, have limitations and thresholds included in the relevant legal obligations, limiting the impacts on SMEs. SMEs would also not be fined for an initial non-intentional breach.
Managing globalisation: The EU’s regulatory influence
The EU legal framework for data privacy has often served as a benchmark for third countries when regulating data privacy.
For instance, European regulations have become the facto international standards within data privacy regime with 1995 Data Privacy Directive; although the US actively opposed the EU approach, more than 30 countries emulated EU regulations, including key markets such as Japan, Canada and Australia.
Because GDPR’s effects might extend outside Europe, it could become a game changer for the digital economy. The European Union is now at a turning point of reinventing data protection for the 21st century.
Urging businesses to get compliant
Stewart Room, privacy lawyer and partner at PwC, recommends businesses to take action now and not to leave this analysis until the political negotiations are complete: “entities now need to get themselves ready for the new law. There’s no time to waste, because the workload is massive. Anyone working in this field will already know that it can take years just to get simple tasks moving on data protection”.
Indeed, as full implementation of the GDPR is expected for 2017, now seems to be the best time for companies to prepare and start reviewing the way they collect, store and share data with these new data protection regulations in mind. This will enable them to ensure on-going compliance and therefore avoid devastating fines and reputation damage in the future.
