With just over a year to go now until businesses must be fully compliant with the EU General Data Protection Regulation, it is fair to say most firms are finally starting to sit up and take notice - despite worrying claims that over a quarter of retailers have abandoned GDPR preparations, believing that the laws will no longer apply to them as a result of Brexit.
Talk to anyone who works in an agency or for a data company and you will discover that, for most of their clients, GDPR is now almost an obsession. Figures released this week by NCC Group will also no doubt help focus minds. They show that last year’s fines dished out by the Information Commissioner’s Office would be 79 times higher - soaring from £880,500 to £69 million - under the new regime.
These concerns are not limited to the UK, either. According to a study by Veritas Technologies, nearly half of all firms across Europe, the US and Asia Pacific have admitted to major doubts that they will meet the 25th May 2018 D-Day. Even more worrying, over 20% of these companies said they fear that non-compliance could put them out of business, with a further 21% predicting job cuts.
At first sight, then, the Government's recent call for UK businesses to help shape the new laws by providing their own views on a range of exemptions - so-called "derogations" - could well help to ease the burden. After all, measures to tackle compliance do not come cheap. Veritas revealed that firms are forecasting spending in excess of $1.4 million (£1.1 million) on GDPR readiness initiatives and anything that could bring that cost down would undoubtedly be welcomed.
The consultation, being handled by the Department for Culture, Media & Sport (DCMS) and open until 11th May, covers many key areas of GDPR, including sanctions, compliance, data protection officers, third-country transfers and sensitive personal data and exceptions. The UK's digital minister, Matt Hancock, had promised to gather the views of businesses and trade bodies over GDPR earlier this year.
At the time, he said: “We plan to consult with stakeholders on key measures where we have the opportunity to apply flexibilities…in the regulation to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful.”
However, in an unusual move - and one which has taken many in the marketing industry by surprise - the Government has not revealed its own thinking on the issues identified in the consultation paper, but has instead invited views to be submitted up until next week. The timing has drawn criticism from some in the industry, who argue that, with Parliament now in "Purdah" due to next month's General Election and guidance from the Information Commissioner's Office on many elements of GDPR still being formed, the consultation has come too soon.
One industry source said: "How can we give our views if we don't know what the final GDPR guidance will look like?" And with even DCMS admitting that "there is limited scope for flexibility", just what can companies expect?
Most commentators caution against radical amendments, arguing that the UK must show it is fully committed to GDPR. Dr Sachiko Scheuing, European privacy officer at Acxiom and co-chair of Fedma, said: "It is imperative that economic growth is thoroughly considered by the UK governing bodies and decision-makers when defining these amendments, especially post-Brexit, as our ability to easily share and analyse data in a safe and transparent way is key to continued growth and indeed a good customer experience in this digital economy."
"The ICO is committed to maintaining the UK's privacy standard at the same level of GDPR, helping to align the policy's many interpretations to best suit Britain's needs, but this will need support from wider influencers in order to ensure the best results." She also believes it will be an ongoing process. "The complete transition of these policies, both into the GDPR as part of the EU and post-Brexit, will require continued consultation with key industries and constant development by businesses across the board."
Direct marketing industry trade body the DMA is also keen to stress that firms should not get their hopes up too much, pointing out that many of the potential derogations do not apply to marketers.
It is currently gathering views from members, even though DMA external affairs manager Zach Thornton concedes that, "the consultation document says absolutely nothing".
Thornton explains that the industry body's main focus is on a tripartite initiative between the DMA, the Advertising Association and online advertising body IAB UK to ensure that the age of consent for children who wish to access online information services is not increased from 13 to 16, a move which was actually flagged up by Digital Minister Hancock last December. While raising this digital age of consent to 16 - bringing it in line with the US - would strengthen the protections youngsters receive, there are doubts about whether it would be enforceable.
It would force younger teenagers to gain parental permission to access social networking sites, such as Facebook, Snapchat, WhatsApp or Instagram. However, there are already Facebook and Instagram users below the age of 16, so that would entail potentially closing those accounts - a move the IAB UK is keen to resist.
The main reason, unsurprisingly, is the potential effect this would have on advertising revenues. Dylan Collins, CEO of teen-focused marketing platform SuperAwesome, estimates the global teen advertising market is worth over $30 billion (£23 billion) a year. "Many major tech and media companies, including YouTube Kids and Amazon, have already started to target 13-year-olds, so [any change] would be hugely disruptive."
Another possible exemption covers the appointment of data protection officers (DPOs). Many organisations will be obliged to appoint DPOs under the GDPR, including most public bodies. Research conducted by GO DPO estimated that around 7,000 large UK firms (those employing over 250 employees) will need to recruit and train at least one DPO each during the next 12 months, although many banks and insurance companies will need to employ more than one senior manager to fulfil the requirements of a DPO, whose role can involve handling millions of customer and client accounts.
The Regulation provides EU member states with the option of outlining further cases where organisations must appoint a DPO, but once again Dr Scheuing urges caution. She explains: "Data protection officers will be of growing importance, as organisations both in the UK and across Europe continue to strive for compliance and best practice data management."
She added: "As businesses redefine processes in order to comply with both the GDPR's amends to data practice and wider legislation changes, the roles of DPOs and privacy officers will increasingly shape the evolution of organisations across the UK and how they plan and prepare for the future."
The issue of third-country data transfers is another area of potential change, as once the UK leaves the EU, it will be classed as a "third country". The transfer of personal data outside of the EU has become a political issue in recent times. The Safe Harbour agreement was effectively invalidated by the EU courts, but its replacement, the EU-US Privacy Shield, has been the subject of heavy scrutiny and legal challenges.
It is facing its first annual review in July, during which the highly-influential EU Article 29 Working Party - made up of the data protection authorities from all EU member states - plans to “not only assess if the remaining issues have been solved, but also if the safeguards provided under the EU-US Privacy Shield are workable and effective”.
The Regulation provides for data transfers to countries where the European Commission has deemed that there is adequate data protection equivalent to that available in the EU. The DMA's Thornton believes the UK must ensure this "adequate protection" is in place by following GDPR principles. There is, however, growing concern over the political posturing between Downing Street and Brussels.
One UK trade body executive, who did not want to be named, said: "The UK Government must tread carefully. Like it or not, GDPR compliance will be crucial to the future of UK businesses." He quotes a study from the Centre for Economic & Business Research, which claims exports to EU countries help to support 4.2 million UK jobs and are worth £211 billion to the economy and maintains it is essential that British firms continue to make themselves heard.
Dr Scheuing agrees: "Despite the subtle and multiple interpretations of the legislation, the implementation of the GDPR will guarantee the same level of data protection across all EU nations, as well as those trading data with them. This will help to create an excellent economic tie to sustain growth in the future."
She added: "The UK has a long-established 'open dialogue culture' between the industries and the stakeholders, ensuring that British opinions are still having a major impact in shaping GDPR. This presents British lawmakers and the ICO with the opportunity to engage UK business leaders, to help fill in the undefined gaps and areas of interpretation to the benefit of the UK business, as well as complying with global regulations."