Marketers and data managers have worked out what the new Data Protection Regulations might cost them - and it does not look good. David Reed finds out how much it might cost to get compliant and the steps being taken to make data protection less painful.
Imagine you manufacture a product that requires lots of water in its creation. Twenty years ago, you built a factory near a reliable river and gained the necessary consent to extract all of the water needed. Business was good.
Now all that could change. A proposal is being made to divert the river and reduce the flow of water vital in your manufacturing process by as much as 80 per cent. It’s not just the river that might dry up - it is your revenue stream as well.
That is exactly the scenario facing every company which uses personal information to generate business value. Sounds exaggerated? Not if the proposals for a new Data Protection Regulation go through as published with their requirement for informed consent to everything from data processing to direct marketing.
A single financial services organisation forced to repermission its entire customer data set would stand to lose up to £6 million in revenue. That calculation was provided as a live example by a client to the Direct Marketing Association for its submission on the proposals to the Ministry of Justice. A global data company calculated lost revenues of £1 million from a move to explicit consent.
Combine similar impacts across the whole of the UK and then multiply by the 27 countries of the European Union and it soon becomes evident that the claimed €2.3 billion savings which the new rules are supposed to deliver will be dwarfed by lost business. As a benchmark for the potential scale, consider that the need for consent to cookies is predicted to cost UK businesses £10 billion, according to QuBit.
The DMA asked its members to respond to a questionnaire with indications of the impact they expected from the proposals. “We were looking for the likely cost if they had to support a data protection officer or had to repermission their customer data,” says Caroline Roberts, public affairs director at the DMA.
Worked examples of the annual overhead required to become compliant were essential because the MoJ needed facts and figures for its own response to the regulation. Roberts said it was also important to provide case studies: “Direct marketing is a huge industry, but it is amorphous. There are many large clients engaged in direct marketing as well as small suppliers, so it is hard to talk about the industry as a whole.”
This is important to keeping a sense of proportion about the proposals. Clearly changes are needed to the Data Protection Directive to keep it up to date, while there are elements which are to be welcomed. The impact of other proposals will be much higher on some aspects of the DM industry than others. For example, both the bureau cleaning service and the list broking company pessimistically expect a 50 per cent drop in their revenues from explicit consent. Charities, retailers and financial services might suffer, but nobody expects their businesses to be halved in scale.
Even so, the reality of becoming compliant could prove more expensive than at first sight. “A charity reported that if it had to gain explicit consent, it would mean spending ten seconds extra on the phone with supporters. Over a year, that adds up to two full-time equivalent agents extra. On top of that, there is the back office support which takes it up to three or four FTEs at an annual cost of £90,000,” says Roberts.
That additional overhead has to be found from incremental revenue. In the case of this particular charity, it would require an additional 1,800 members to fund those extra workers. As any marketer knows, to achieve that level of increase would probably mean contacting around 200,000 prospects. So on top of the ongoing cost of the change in consent comes a front-end cost of about £100,000.
Changes to systems could add costs for any data controller of between £100,000 and £500,000, depending on the volume of data held. Handling subject access requests (SARs) is another controversial area. “If the ability to ask for a copy of all the data an organisation holds on you gets more publicity, the volume of requests will go up. At the moment, they can charge £10 a time, which puts off frivolous enquiries,” she says.
In 2010, the Ministry of Justice estimated SARs handling as a £50 million overhead to business (which looks like a considerable underestimate). With the removal of fees and a clear determination in the proposals to encourage such requests - alongside the demands for data portability - it is evident that the burden of administration will rocket.
For small and medium-sized enterprises, the good news in the outline regulations was their exemption from some of these requirements. Companies employing under 250 staff were to be excused the need to employ a data protection officer, for example, one of the most costly demands being made.
This exemption is far from certain, however. The Article 29 Working Party, the most influential data protection body in Brussels, is not happy with the proposal. “The Working Party is of the opinion that data subjects should have the same level of protection, regardless of whether their data is processed by a SME or large-size enterprise,” it wrote in the opinion on the regulations adopted in March.
It did recognise the potential burden this would place on smaller businesses, however. “Therefore, whilst the Working Party in principle recognises the reasons for introducing these thresholds, it fears the exceptions introduced may both in practice and in relation to the protection of personal data, lead to inconsistent outcomes and undesirable results. The Working Party believes that a threshold that takes into account the nature and extent of data processing would be more suitable,” it wrote.
The Working Party has also expressed major concerns about how data protection authorities (DPAs) will be able to carry out their enforcement role if the funding model changes. In a letter to Viviane Reding, who drafted the proposals, it wrote: “There is a risk that DPAs will not be able to cope with the demands on them and will act as an impediment to rather than an enabler of the innovation and growth that you are seeking to promote.” It called for an independent in-depth assessment of the increased costs facing enforcement bodies like the Information Commissioner’s Office.
Joining data regulators and marketers in expressing fears about the costs and outcomes from the proposals, the CBI has given a view from UK industry that is equally worried. “The financial benefits of harmonisation have been over-estimated whilst the costs have been overlooked,” it wrote in its submission to the Ministry of Justice. It identified the same IT, staff and training costs as far exceeding any potential savings claimed by the European Commission.
By adding to costs and complexity, the CBI argues that innovation and investment will be deterred. Perhaps more significantly, it also says that the proposals will not deliver the greater consumer protection which is intended, especially the right to be forgotten and the right to data portability.
“These new rights are designed to help consumers but will have the opposite effect, and many businesses feel that the rights are, in practice, unworkable,” writes the CBI. “A ‘right to be forgotten’ is misleading for consumers as many forms of customer data...are required to be held for specific periods by law. These would not be subject to the right and requests from consumers to have data removed would be frustrated, leading to complaints and litigation.”
Even at a practical level, the Confederation finds flaws: “There is a risk that consumers will encounter many more unwanted boxes to tick and consent requests to complete when carrying out everyday activities...Given the scope for legal ambiguity in this framework, firms may simply judge it safer to gain customers’ explicit consent every time a processing operation is carried out.”
These are almost exactly the same concerns that have been expressed about cookies, with digital marketers seeing the consent demands as an obstacle to e-commerce. As a result, there is potentially large-scale civil disobedience being planned, which could make that law irrelevant. It is unlikely that Reding wants to see her own proposals suffer a similar fate.
What undermines the proposals most is that they have been framed with no clear understanding of how business operates and uses data. In developing new consumer rights, little consideration has been given to how these might be exercised and delivered. Data does not exist outside of systems and these have to be designed and operated by people in accordance with compliant processes. Regulators have little insight into how this happens.
Peter Galdies, director of DQM Group, notes that, “A lot of the regulation is very sound in principle and objective - but some is answering a question no-one has asked, like the right to data portability. The marketing issues of delivering concise, but detailed, explicit, yet accommodating policies and permissions are also likely to be creatively challenging and complex.”
Pressure to amend the proposals is growing across Europe as more sectors explain to their representative bodies just how problematic they would be. Opportunities to get changes still exist - three separate committees are reviewing the regulation and will report into the Council of Ministers, which will then put the draft before the European Parliament.
If you don’t want to face the additional overheads and problems identified, now is the time to join a trade association and talk to your MEP. Otherwise, you could end up facing a serious drought.