Implications ofthe European Commission’s proposal for a general data protection regulation for business

• A lack of understanding about the provisions in the EC’s proposed general data protection Regulation persists across business. Uncertainty is pervasive across the provisions of the proposed regulation, and affects more abstract and unsettled aspects, such as the obligations of data controllers under the so‐called right to be forgotten, as well as seemingly straightforward changes such as those regarding administrative fines and the appointment of Data ProtectionOfficers.
• „The majority of businesses are unable to quantify their current spending in relation to data protection responsibilities under existing law – and this persists in relation to estimates for expected future spending under the new proposals. This uncertainty indicates that existing evidence on the financial impact ofthe regulation is difficultto corroborate. Furtherresearch is required to clarify some important issues, such as the role of privacy and data protection in determining the level and intensity of consumer participation in onlinemarkets.
• „The lack of understanding that the research reveals strongly indicates that there is a key role for the ICO to play in educating and supporting businesses to increase their awareness and understanding of the forthcoming changes. The ICO’s priorities for supporting business in implementing the new Regulation should focus on providing guidance on the areas of the new provisions which are shown to be misunderstood – for example the ‘right to be forgotten’, but also the new rules on fines, the appointment of Data Protection Officers, Subject Access Requests and data portability.
• „While uncertainty affects all industries, the ICO should focus its liaison work on organisations involved in data‐intensive activities, who face economic risksfrom breaches of data protection rules – which map onto the risksfor data subjects; and organisations who are active in sectors where knowledge of the rules seems to be particularly low. The study finds evidence that the service sector in general, and specifically health, finance and insurance and public administration should be prioritised.

Objectives ofthe study

On 25 January 2012, the Directorate General for Justice at the European Commission announced its legislative proposal for the protection of individuals with regard to the processing and use of personal data.

The Information Commissioner’sOffice (ICO) appointed London Economicsto undertake a study to objectively evaluate the potential implications of the draft proposalsfor a new EU data protection legislative framework for business. Within this context, three areas are of special interest to the ICO:

To Download the full report use the download link button.