A survey of 506 data professionals working in UK businesses, carried out by London Economics on behalf of the UK Information Commissioner’s Office (ICO), reveals today that 87 per cent of them don’t know what it will cost to implement the EU’s General Data Protection Regulation.
Worse still, accurate understanding of the new regulation, likely to come into force in 2016, is very scant indeed. The survey interviewees were asked questions about the 10 main provisions proposed by the new law and 40 per cent failed to give a fully accurate description of any of them. Not one. And these are data specialists.
You might say, given that the regulation hasn’t even been passed by the European parliament yet and that it will be three years before its impacts are felt, that the current level of ignorance is not a serious concern.
But there’s another key reason why businesses should urgently start familiarising themselves with the regulation – a reason that has received virtually no public attention so far. According to the EU committee putting together the data reforms, consumers should now be entitled to claim for damages resulting from “non-pecuniary losses”.
That means they wouldn’t have to suffer financial problems as a result of a company’s illegal data practices in order to be awarded damages. It means they would only have to show they have suffered distress.
The argument in favour of reforming data protection laws is that breaches that have the potential to cause such distress should become rarer, because data collection is minimised and the accuracy of the data held should be improved. But clearly, the punishments for any lapses will be higher and the barriers against consumers taking legal action will be lower. They could also launch class actions in groups, represented by consumer associations, for example.
Aside from the costs of actually complying with the law, this particular change opens businesses up to a whole new level of potential liability they’ve never been exposed to before. Breaching the rules because you don’t know what they are could incur penalties that threaten the very existence of some small companies.
The ICO’s research shows that businesses don’t appreciate how fundamental the EU’s proposed reforms to data protection are. It may be nearly three years before the new law is actually enforced, but it will drastically change the way you use data.
The only way to get a handle on it – and how much it could cost you – is to start preparing now.