Informed consent rules will hit credit-sniffers
However, one credit reference agency said financial services firms could be particularly affected by increased costs in defending against claims by individuals that they had not given their consent to processing.
"With the burden of proof now with the data controller it may be that every challenge by a consumer (or organisation acting on the consumer's behalf) will require, in the case of a credit reference agency search being challenged, a copy produced of the original consent obtained by our client at the time they carried out the search of our database," the credit reference agency said. "This may prove very costly, highly bureaucratic and time consuming for both us and our clients should organisations such as claim management companies target such activity."
The MoJ outlined its intention to seek an "overhaul" of the current drafting of new rules on individuals' so-called 'right to be forgotten'. It said it would seek changes "given the practicalities and costs and the potential for confusion about its scope for both organisations and individuals." However, it added that individuals should have the right for the personal data to be deleted "where this is appropriate". Some businesses have estimated that the cost of "changing their business processes" to comply with the right to be forgotten could be as much as £100,000.
Provisions contained in the draft Regulation enable individuals to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public will be liable for the data published by third parties and will be required to "take all reasonable steps, including technical measures" to inform them to delete the information. However, organisations can oppose the deletion if they can show they have a right to publish the data under the principle of freedom of expression or if it is in the public interest for the data to remain in existence.
Other respondents questioned whether requiring businesses to build-in privacy by default into new service designs would bring more benefits than costs.
Data portability to affect trade secrets, property rights
Concern was also raised that planned new 'data portability' rules do not allow for organisations to protect their trade secrets and intellectual property rights. The Commission's plans provide consumers with a general right to switch electronically processed personal data from firm to its rival through a "commonly used" electronic format. Businesses said that the costs involved in changing systems to comply with data portability requirements could be as much as £5m and that those costs would likely have to be absorbed by consumers.
Plans for the detail for the operation of the proposed new data protection regime to be fleshed out in 'delegated acts' drawn up by the Commission were also criticised. Businesses had said that if the Commission dictated the "technological format and specifications" to be used, such as in relation to compliance with the data portability rules, it could leave companies "at a financial loss" where those firms had already developed and invested in alternative industry standards.
The MoJ said that a review of the "monetised costs" of compliance of current UK data protection laws had estimated that data controllers spend around £53m meeting the requirements of the laws and that an extra £1m is borne by the justice system enforcing the framework. The review had concluded, though, that the "true cost of compliance" was likely to be higher.
"The [review] also found non-monetised costs which included extra staff hired to ensure compliance with the [Data Protection Act (DPA)], costs for those who have received penalties, as well as impacts where the incorrect application of the DPA has stopped organisations sharing information," the MoJ said.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Put it in perspective
The article quotes government figures for the costs of this compliance. They bandy around £1m here and £53m there, as if we're supposed to throw up our hands in horror. What they keep very close and don't tell us is what these figures are as a proportion of everyday business costs across the whole country.
I realise that businesses don't like the idea of people actually having to give consent before they squirrel away terabytes of our personal information - just so they can pester us with adverts for stuff we don't want. However given the costs and turnover of british industry, even £147m in additional expenditure (or "jobs", as the traditionalists would have it) seems like a tiny drop in a very large ocean.
So complying with the law and people's rights conflicts in small ways with how you would like your business. Not my problem.
They could actually SAVE a lot of money.
Simple -- don't collect unnecessary data in the first place. If you don't collect it, then you don't have to delete it.
I suspect more than 90% of data collected comes under the "unnecessary" heading. Result -- far far more money saved by *not* collecting the data, and no cost to delete data you don't have.