We finally have a date for the introduction of the European data law. The EU Parliament, Council and Commission have met and decided they will conclude talks on its content at the end of this year, and implementation will take place two years later.
There was no celebrating when the announcement was made, and there is little chance of any cheer to come in late 2017 when the General Data Protection Regulation takes effect. For marketers it is going to cost a huge amount of time and money, and wipe out huge amounts of consumer data.
Research commissioned by the Information Commissioner's Office (ICO), the authority responsible for both briefing business and regulating on all matters to do with data, found that 87 per cent of companies are unable to estimate the cost of preparing for the new data compliance regulations.
A significant minority believe there will be no cost element at all, which is a delusion more or less guaranteed to result in a fine that could run to an eight-figure sum, or two per cent of company turnover.
A spokesperson for the ICO recently said it would give leeway to any organisation that had made a recognisable attempt to be GDPR compliant, but token efforts would not count. It is difficult to know if this will offer comfort to the 82 per cent of the 506 companies surveyed that said they are unaware of their current spending on existing compliance rules. This was despite the fact that the individuals who responded to the survey were responsible for company data protection.
One respondent predicted that GDPR would cost their company £5 million to become compliant, with a further £1 million a year to maintain it. The Ministry of Justice's own research puts the cost to UK business at up to £320 million a year, and £2.1 billion over the next fourteen years, but believes greater emphasis on stricter compliance regulations will save UK businesses between £42m and £124m in fines.
The EU itself predicts the cost to business across Europe of becoming compliant at an implausibly low £580m, but with a £2bn administration saving due to the scrapping of multiple national data rules. The problem with the savings prediction is that the regulatory authorities in each European country will have leeway to enforce and apply sanctions as they see fit, which will not make life easier for pan-European brand owners and agencies. Also, marketers work across multiple media formats and come under the influence of many different regulations. Streamlining one is not likely to create a major financial bonus.
Some sectors are going to be hit harder than others. For consumer-facing financial companies the cost of meeting the new compliance standard is estimated at between £100 and 500k. But stricter consent regulation could lead to a fall in revenue of many millions a year. If companies fail to get consumers to refresh opt-in consent to the new higher level then huge swathes of data will be lost forever. For some companies data is a prime asset, and stripping it away will put some out of business.
The utility, grocery, e-commerce and IT sectors and other big database users also face major challenges in preparation, as do charities and membership organisations. The new consent standards may make fundraising for some charities impossible. Extra revenue will have to be found to cover a necessary increase in telemarketing. In fact, high quality telemarketing may be about to come into its own as the most effective way of persuading consumers to refresh consent to the new level, plus it offers the opportunity to sell direct at the same time and thus recoup the costs created by the new regulation.
Most consumer data providers face severe challenges. Ironically, there has been confusion among many about what GDPR will mean to them, and many are unprepared.
The cost of achieving compliance for data companies that have not prepared to follow a GDPR protocol for some time will be high, and so will the cost of data lost through failure to refresh permission. Costs and losses in the sector will run to untold millions, and according to the Direct Marketing Association tighter regulations on consent may lead to a 50 per cent drop in turnover for list brokers, and there could be a 50 per cent fall in business for data cleaning services.
For digital advertisers and digital agencies, clarification on the treatment of pseudonymous data within GDPR is crucial. If the law goes against the use of such information the Internet Advertising Bureau predicts a loss in ad revenue of £633 million a year. For some agencies it will mean an end.
Other predictions in the ICO report include the belief that GDPR may cost SMEs that use direct marketing as much as £76,000 a year, which equates to £47 billion across the sector. The cost of training marketing staff in compliance is estimated at £7,600. The appointment of a data protection officer, if needed, would cost between £50,000 and £75,000 annually. The total annual cost of employing data officers in SMEs could be £182 million, for larger companies £47 million, and for UK businesses of all types a total of £229 million.
The majority of companies that employ 250 people or more, plus those with more than 100,000 consumer records, already have a job role focused on data compliance, so in theory investment in human resources will be centred on training rather than hiring.
Even if new appointments are not necessary at every company, it still means an army of compliance specialists will be required to fill the newly created positions. This begs the question of where they are going to be conjured from. Unless there is an unknown hothouse academy training thousands of soon-to-be compliance professionals, there is going to be a serious shortfall in people and knowledge. And who is going to provide all of the training needed? Another secret academy would be useful.
Of course, data companies will try to take up much of the slack, but currently many are in a worse position than their clients in terms of preparation. For many it looks like there will be a last-minute dash to become compliant.
Sooner or later the ICO will be alerted to those that do not comply. The new law may also include a provision for members of the public to claim damages for misuse of information, and if that happens it is not unrealistic to expect some sort of PPI-type claims bonanza.
There will be some who knowingly point out that if the UK votes itself out of the EU then GDPR will not apply. If this happened there would be a major push to qualify for membership of the European Economic Area. It is a bit like being in the EU but with a much smaller contribution to the central financial pot, no voting power and fewer regulations; but fewer regulations still means a huge number, and that would in all likelihood include GDPR.
The answer, of course, is to prepare now. Find a source of support that really knows what it is talking about and get prepared sooner rather than later. After December 2017, who knows when there may be a knock on the door.
By Jeremy Whitaker, Chairman at Verso Group.