This post was contributed by Mac Macmillan, an attorney in Hogan Lovells’ London office
On November 22, 2012, the UK government published its Impact Assessment of the draft European data protection regulation. When the draft regulation was first published, the European Commission estimated that harmonizing the European data protection regime would bring a net administrative benefit of €2.3 billion to the EU. However, the UK Ministry of Justice has carried out its own analysis of the proposals and concluded that for the UK alone there would be an annual net cost of between £100 million and £360 million.
The UK government takes the position that the Commission failed to take into account all of the costs that would arise from the draft regulation, and it identifies the following aspects of the regulation that will impose additional costs on businesses:
- The requirement to employ a data protection officer;
- The requirement to carry out data protection impact assessments;
- The requirement to provide notification of all personal data breaches to the supervisory authority; and
- The administrative costs of demonstrating compliance
It also points out that supervisory authorities will require substantially more resources to carry out their widened responsibilities, and that the powers the Commission has proposed to give itself to make delegated acts could also affect the costs and benefits of the new proposal. The UK government stated that it will use the evidence set out in its Impact Assessment to “continue to push for a lasting data protection framework that is proportionate, and that minimizes the burdens on businesses and other organizations, while giving individuals real protection in how their personal data is processed.”