Ignorance of EU data reforms will cost you dear

Businesses are clueless about EU data protection reforms. That’s a dangerous way to be, given that they could be sued just for causing distress.


A survey of 506 data professionals working in UK businesses, carried out by London Economics on behalf of the UK Information Commissioner’s Office (ICO), reveals today that 87 per cent of them don’t know what it will cost to implement the EU’s General Data Protection Regulation.

Worse still, accurate understanding of the new regulation, likely to come into force in 2016, is very scant indeed. The survey interviewees were asked questions about the 10 main provisions proposed by the new law and 40 per cent failed to give a fully accurate description of any of them. Not one. And these are data specialists.

You might say, given that the regulation hasn’t even been passed by the European parliament yet and that it will be three years before its impacts are felt, that the current level of ignorance is not a serious concern.

But there’s another key reason why businesses should urgently start familiarising themselves with the regulation - a reason that has received virtually no public attention so far. According to the EU committee putting together the data reforms, consumers should now be entitled to claim for damages resulting from “non-pecuniary losses”.

That means they wouldn’t have to suffer financial problems as a result of a company’s illegal data practices in order to be awarded damages. It means they would only have to show they have suffered distress.

The argument in favour of reforming data protection laws is that breaches that have the potential to cause such distress should become rarer, because data collection is minimised and the accuracy of the data held should be improved. But clearly, the punishments for any lapses will be higher and the barriers against consumers taking legal action will be lower. They could also launch class actions in groups, represented by consumer associations, for example.

Aside from the costs of actually complying with the law, this particular change opens businesses up to a whole new level of potential liability they’ve never been exposed to before. Breaching the rules because you don’t know what they are could incur penalties that threaten the very existence of some small companies.

The ICO’s research shows that businesses don’t appreciate how fundamental the EU’s proposed reforms to data protection are. It may be nearly three years before the new law is actually enforced, but it will drastically change the way you use data.

The only way to get a handle on it - and how much it could cost you - is to start preparing now.

Readers' comments (5)

  • We need to take back self governance from the E.U. This country is perfectly capable of self regulation on all fronts. It is about time the E.U. was audited from top to bottom & the results made public to show how corrupt the biggest public sector gravy train in the world really is!

  • Appreciate the point, but it's a bit naive of the EU to put out new legislation without, it seems, a real idea of the current maturity of data management across the EU (govt bodies and the EU Fortune 1000 corporates).

    IMHO, DPA might currently be a tick box but not clearly understood and it's a pain enforcing it when not high on corporate risk registers.
    Saying 'jump' without support, training, public awareness is a bit hit and miss to say the least.
    How long it has taken to arrive at these policies that have been out of date for so long and then expect everyone to pick the red hot poker up has slim chance of succeeding especially with the rampant pace of data innovation.
    Until ICO policies are taken seriously & enforced this area will continue to be grey with legislation.

  • Simon, I think you make good points. The EU seems determined to legislate - ostensibly to protect consumers, but it's being done in a very top-down way without much communication to businesses or indeed the public (in the UK at least).

    Perhaps MEPs think the two-year grace period will be plenty of time for companies to adjust, but if you look at the 'cookie law', it suggests big corporates will adapt while SMEs and consumers remain largely ignorant.

    The GDPR will result in much more fundamental change, but it seems to get little coverage outside some very specialist debate halls for now. If there isn't a stronger effort to engage businesses and the public (as well as the press) nobody will experience any benefit from this process.

  • Interesting article, and comments - but where's the best place to find the details on these impending new regulations?

  • Regarding Paul Craycraft's comment above, the Direct Marketing Association has put together a comprehensive layman's guide to the draft EU Data Protection Regulation: http://dma.org.uk/eu-data-protection
