Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

The cost of complying with new data laws [1998] PLBIRp 8; (1998) 44 Privacy Laws and Business International Report 12

Cost of complying may be higher than expected

COMPLYING WITH THE NEW national data protection laws which implement the EU Data Protection Directive means an extra burden for business. The biggest cost factors for business will be training the staff, revising security arrangements and dealing with data subjects’ requests. Compliance costs will become clear only when we know how people will use their new rights.

The new data protection laws will affect businesses of all sizes in Europe. As the data protection directive’s def- inition of processing is much wider than in the current UK law, in future, literally every possible method of pro- cessing personal data will be included. This means that some operators who have in the past not been caught under the UK 1984 Act, will now have to comply. An example of this type of

nesses in different fields, including organisations within local govern- ment and charities.

The main cost factor in complying with the new law was thought to be contact with data subjects. Some companies already receive subject access requests and have personnel to deal with them. It is, however, the individuals’ new rights which may impose extra costs on business amounts to larger compliance costs.

THE REGISTRAR DISAGREES WITH COST ESTIMATES

The UK Data Protection Registrar has criticised the estimated figures as being far too high. She has pointed out that complying with the 1984 Act already makes businesses 80% com- pliant with the new Data Protection Bill. In her view, some companies

activity is the processing of images. However, the directive has cost may have overestimated the impact of the new law and ended up calculatin

implications also outside Europe. EU-based businesses which need to resort to contracts in order to be able to transfer data to third countries are currently busy seeking profes- sional advice on drafting contracts. The same activity is going on in many companies in third countries.

HIGH COSTS IN THE UK

IN THE FIRST YEAR

When the new data protection bill was published in the UK in January

(PL&B Feb ’98, p.7), the Government estimated that the start-up and recur- ring costs for UK businesses and public sector organisations to comply would be £1,892 million in the first year. More than half of this figure consists of start-up costs which will only apply in the first year.

The Government based its esti- mate on a survey of 46 organisations representing different size of business.

First of all, subject access now extends to manual records. This is a completely new right in the UK, as well as in many other EU Member States. How actively individuals will use this new right remains to be seen. The UK bill also extends the right for individuals to seek compensation for damage or distress suffered. The interpretation of this right is currently being debated in the House of Commons. If court costs and com- pensation need to be paid, all this

costs that will not occur.

EU COMMISSION ADVISES ON COST EFFECTIVE COMPLIANCE

The European Commission will soon publish a handbook which gives some general advice on how businesses can plan for compliance cost effectively.

1. It is suggested that companies should first audit their data process- ing practices, including those carried out by third parties.