One of the reasons Britain is leaving the European Union is that business lobby groups that fund the Conservative Party were fed up with the costs that EU regulations impose on business. The thinking behind many of the regulations, especially in the area of employment, is that in a single market everyone has to play by the same labour market rules.
Laws such as the Working Time Regulations and Agency Workers Regulations, which result in increased costs for employers, apply to every member state. If the UK rolls back some of these provisions post-Brexit, UK employers will be at a competitive advantage, which is why they can’t roll them back and remain in the single market.
In a ranking of the Top 100 costliest EU-derived regulations in force in the UK, right-wing think tank Open Europe in London ranks the EU Data Protection Directive from 1995 in tenth place. According to Open Europe, the cost to business of complying with data protection rules is twice as large as complying with providing agency workers with the same benefits as full-time staff.
In 2018, the Data Protection cost burden is going to escalate sharply. The General Data Protection Regulation (GDPR) was enacted in May 2016, with a two-year transition to becoming law on 25 May 2018. The GDPR is a significantly updated set of regulations around data privacy and protection, and it will apply to all companies processing the personal data of individuals (or ‘data subjects’) residing in the EU, regardless of the company’s location.
Personal data, as understood by the EU, is a broad concept, covering any information that can be used to directly or indirectly identify the person. That can include IP addresses, customer lists, manually filed addresses etc. GDPR gives individuals a raft of new rights about accessing the information that companies hold about them and it puts far more responsibility on companies to manage the data properly.
The EU Commission is waving a big stick behind GDPR. The maximum fine for breach of the regulations is 4% of annual global turnover or €20m, whichever is greater. For the first time under Irish law, individuals will be able to sue for non-material damage in addition to material damage arising from data privacy breaches.
The huge new red tape burden associated with GDPR is going to generate thousands of new jobs – paid for by employers. Under GDPR, a Data Protection Officer (DPO) must be appointed where a business’s core activity involves data subject monitoring on a large scale, or where particular types of data are handled in large quantities. The legislation is vague about what this means exactly, but it likely includes tracking and profiling consumers online.
‘Large scale’ monitoring is also ambiguous, as there is no minimum threshold regarding employee numbers or the numbers of ‘data subjects’ being monitored. Doubtless many SMEs will find themselves affected by this and the financial repercussions of them not appointing a DPO could be drastic. Some businesses will hedge their bets and put a DPO in place regardless, but the EU says that not just anyone will do. The Data Protection Office must have expert knowledge of privacy and data security, and not be a standard employee drafted in just to meet the regulation.
Other stipulations in GDPR require businesses to get an individual’s consent - explicit consent is also used in the legislation - to store data about them. It’s not clear yet just how explicit this consent needs to be, but it seems that pre-ticked boxes will not be enough to qualify as consent. GDPR also warns against securing consent by using “long illegible terms and conditions full of legalese”.
Businesses will also need to ensure that customers find it as easy to withdraw consent as to give it. Data subjects will also be able to demand any personal data on them that is held by a company free of charge and in an electronic format. The EU legislation wants to make ‘privacy by design’ a legal requirement within GDPR, where up to now it was regarded as a guiding principle at best.
In Ireland, Data Protection was legislated for by the Data Protection Act 1988, which was amended in 2003. These regulations were dreamt up with the digital age was in its infancy - Facebook was only launched in 2004. Since then, consumers have become habituated to freely giving up personal data about their browsing and buying habits, social activities, general likes/dislikes etc. That information is gold dust for advertisers, who can use it to build up a detailed picture of individuals.
In theory, SMEs stand to gain from the introduction of GDPR. Having one set of regulations in place is far easier than having to navigate 28 different privacy setups across the EU. This one-stop shop approach to data protection will save businesses €2.3bn annually, the EU claims.
However, in practice GDPR isn’t the one-stop shop it purports to be. It will still permit EU states to devise their own data protection legislation in a number of areas, including employee data. Because of this, the Brussels European Employee Relations Group, a lobbying group, estimates that GDPR could end up costing European businesses an extra €3.3bn per year.
Derek Mooney, formerly Director of Public Affairs with BEERG, notes that GDPR excludes the area of employee data from the EU-wide ‘one stop shop’ by specifically providing that each member state shall also be empowered to regulate in this area.
“For most companies their employee database is their biggest database, sp large corporations will not be able to get by with just one DPO,” says Mooney. “How could a DPO in the Netherlands deal with a complaint from a Spanish employee if the laws in Spain are different from the laws in Holland?”
Ambiguity also blurs what ‘large scale data processing’ means for SMEs – how do they know if they legally require a Data Protection Officer? Liam McKenna, a partner in Mazars with expertise in IT regulations, notes that the original GDPR draft specified that a company size of minimum 250 staff would be the limit at which businesses were required to have a DPO. That stipulation was removed before GDPR was enacted replaced with criteria to do with the scale and scope of processing.
“My reading is that smaller companies that do not process personal data outside of staff data should be able to operate without a DPO,” says McKenna. “However, these companies will still have to comply with GDPR and are at financial and reputational risk if they don’t do so."
“Having a DPO will support an ongoing focus and hopefully compliance. We are dealing with several companies that have a staff of under 20 people but are processing data of tens of thousands of individuals. These organisations are having to make significant investment to meet the GDPR requirements.”
McKenna adds that the policy thinking underpinning GDPR is to ‘protect’ individuals. “If a company is small but processes large amounts of personal data, it most definitely should consider itself ‘large scale’. If a company doesn’t think it needs a DPO, it would be sensible to document the reasons for this belief. In the event of a data breach or a complaint, being able to demonstrate it seriously considered the DPO issue might help if the Office of the Data Protection Commissioners engages with the organisation.”
George O’Dowd, managing director of Novi, an IT services firm, has been vocal about the need for SMEs to significantly shape up before GDPR takes effect. “What constitutes ‘large scale’? To reach an answer, businesses need to examine the data on individuals they are collecting, storing and processing,” says O’Dowd. “There’s a difference between an online retailer that captures financial and address information systematically and a business supplier that maintains an email mailing list.”
O’Dowd expects that GDPR will be enforced with rigour, and SMEs will have nowhere to hide if they are negligent in meeting the GDPR standards. “SMEs would be well advised to start preparing for the arrival of the GDPR now, specifically in relation to the data protection and cyber-crime prevention solutions that they put in place.”
Liam McKenna in Mazars points out that GDPR is not easily understandable. “It has 785 clauses across 99 articles and is written in legalese,” he says. “It’s difficult to see how a small company could interpret and respond to the GDPR without external help.”
McKenna adds that as a citizen he fully supports GDPR. “Our privacy is being eroded bit by bit and it is becoming very difficult for us as individuals to protect ourselves. I am grateful that the EU takes privacy seriously and is attempting to stem the tide."
“However, as a business person I see GDPR as an arduous regulation to comply with. In Mazars Ireland we process external payroll for clients and as such we are a large data processor. We recognise that compliance with GDPR will have a financial cost.”
This article first appeared in Business Plus magazine May 2017.