ICO publishes confused and confusing report on GDPR

“Today’s report,” says Information Commissioner Christopher Graham, “is the latest contribution from the ICO to this debate. We’d urge the European Commission to take on board what it says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or hobbling regulators.”

This is in line with the UK government position: firstly that the Regulation should be a Directive, allowing individual countries to implement it in line with local conditions and preferences (this would prevent the EC ‘hobbling’ national regulators when national governments want more or less severe sanctions than those prescribed by the Regulation). And secondly, that some of the requirements should be relaxed since they will prove costly – especially for small business – to implement; and will therefore harm rather than benefit business.

Graham also adds: “Debate must be based on valid evidence. This reform is too important for guesswork.” The problem, particularly where costs are concerned, is that the report provides very little valid evidence beyond the acknowledgement that business has little understanding of what the costs will be. Two of the key findings of the London Economics research are that “40 per cent of companies don’t fully understand any of the ten main provisions being proposed,” and that “87 per cent [are] unable to estimate [the] likely costs of draft proposals to their business.”

However, there is so much unresolved controversy over some of the proposals (the right to be forgotten is a prime example) that the proposals are difficult to understand and currently impossible to cost. It is not at all clear whether the right to be forgotten is technically possible, so gauging potential costs at this stage is clearly impossible. How it would affect international companies is an additional complexity; and US companies will need to consider its implications in relation to the First Amendment.

“It's a laudable concept,” said Lisa Sotto, a partner at Hunton & Williams and chair of the DHS Data Privacy and Integrity Advisory Committee last week, “but the problem is how in the world do you operationalize this? Because data is propagated and disseminated in so many different ways. And if I post something about Anita, why is it Anita's right to then be able to delete that data? Who's to say whether it is accurate or inaccurate? So it's a very tough issue.”

However, it is clear from the research that any new net costs to business will primarily affect small businesses. One of the GDPR’s proposals is that companies should have a dedicated data protection officer. According to the report, the majority of companies with more than 250 employees and 10,000 records to protect already employ such an officer. Smaller companies do not. New costs imposed by the GDPR will therefore affect smaller companies disproportionately.

Graham’s conclusion is less confused. “Businesses and other stakeholders need to constructively engage with the debate about burdens and the importance of privacy rights, while the process can still be influenced.”