Weighing up the cost implications of the GDPR
The new EU data law, or General Data Protection Regulation (GDPR), will collectively cost marketing data users billions in becoming technically compliant. A recent survey by Vanson Bourne reveals that nearly 70 per cent of companies will invest in new IT or support services, and 51 per cent have allocated budget for staff training in preparation for the new law.
Every brand and agency faces its own unique compliance challenge, but broadly the to-do list of tasks to be completed is the same. What is certain is that most have not calculated the cost. A report for the Information Commissioner's Office (ICO) reveals that 87 per cent of companies are unable to calculate the amount compliance preparation will cost, and 82 per cent of the 506 companies surveyed said they are unaware of their current spending on existing compliance rules.
One respondent to the survey predicted that the regulation would cost their company £5 million to become compliant, and £1 million a year to maintain it. The Ministry of Justice produced research of its own that concludes the cost to UK business could be as high as £320 million a year, and £2.1 billion over fourteen years. This is countered by the belief that greater emphasis on compliance regulations will save between £42m and £124m in fines.
A sizable minority believes there is no financial implication of any kind in preparing for GDPR. For such companies something to bear in mind is that a representative of the ICO said recently that there would be leeway for companies and other organisations that have made a recognisable attempt to be GDPR compliant, but not succeeded. Token efforts would not count.
Additional staff costs
Some companies will need to appoint a data protection officer, at a cost of between £50,000 and £75,000 annually, and a total of £229 million for UK businesses of all types. For SMEs it could add £182 million to salaries, and for larger companies £47 million.
The EU itself predicts the cost to European business will be £580m, and there will be a £2bn administration saving because multiple national data rules will no longer exist. This ignores the fact that regulatory authorities in each European country will have leeway to enforce and apply sanctions as they see fit, meaning pan-European brand owners will still contend with different regulatory regimes with their own interpretations of the law.
Consumer-facing financial companies are estimated to have to pay between £100,000 and £500,000 to become compliant, but just as important is the failure to obtain the new higher level of opt-in consent from consumers, which will lead to losses of revenue running into millions.
Big Data challenges
Other big data users, such as the utility, grocery, e-commerce and IT sectors, will also face major compliance challenges. The report claims charities and membership organisations may find fundraising impossible, and extra revenue will have to be found by them to cover a necessary increase in telemarketing.
In the data sector itself the Direct Marketing Association believes tighter regulations on consent could lead to a 50 per cent fall in turnover for list brokers, and a similar drop in business for data cleaning services.
Data companies could face a one-off cost of £500,000 for system development in order to meet consumers' ‘right to be forgotten’ and subject access fees. Data portability will cost another £100,000 in system changes.
Implications for advertising
Digital advertisers still require clarification on how pseudonymous data will be treated within GDPR. If the law goes against their interests, the Internet Advertising Bureau believes there will be a £633 million a year loss in advertising revenue in the UK, which would wipe out a large swathe of agencies.
Most companies that employ 250 people or more, and those with more than 100,000 consumer data files, already have a job position focused on compliance. The cost to train them on GDPR will be £7,600.
These considerations and costs are aside from any investment that will need to be made under the revised Safe Harbour scheme, whatever new terms are finally agreed.
The GDPR is due to come into effect in 2018, and after that the ICO could come knocking at any time, plus members of the public may be given the right to claim damages for misuse of their information. The cost of compliance to every marketing department will be different, but one thing is for sure: it will not be cheap, and the task will have to be met, or consumer data will be rendered unusable.
The European Commission has said it hopes to reach a deal with the U.S. on a so-called ‘Safe Harbor 2.0’ agreement on data transfers by January 2016, laying out a three-month timetable to hammer out a new deal on transatlantic data flows. The safe harbour agreement was struck down last month by the European High Court, which meant data transfers between EU countries and the US were rendered illegal under EU law.