On the case - March 2008
Governments make laws but it is generally companies which bear the costs of implementing them. The cost to your company of complying with relevant privacy legislation will depend to some degree on where you are reading this column and whether you trade nationally or internationally.
Aside from the cost of registration or notification to the data protection authorities – which is required in most European countries – there are organisational and communication costs to bear. So what is the final bill for implementation likely to be?
Wherever you are operating, the most significant costs are likely to be in securing and managing the personal data you hold. Loss of data (and the inevitable loss of customer trust which that leads to) has featured in this column before, but every month there is another incident of ‘mislaid’ data.
The seventh data protection principle makes it clear that companies must put in place suitable technical and organisational measures to protect personal data, and it is, of course, a commercial imperative to look after the data asset in any case.
So how come so many breaches (and many more which go unreported) are coming to light?
Unfortunately, the ease with which data can be downloaded and transferred is the main problem. Discs and unencrypted email attachments are still a regular feature of data transfer, and it is relatively unusual to anonymise data before it is sent. There are technical solutions to these problems (encrypting anything that leaves the building, and pseudonymising exports that do not need to identify individuals), but there should also be a human filter: all staff with access to data should be trained in the basics of data protection law. That is more cost, but it could be significantly cheaper than a lawsuit from an employee who is prosecuted for breaching the legislation and claims they were never properly trained!
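As an added illustration (not part of the column), here is what "anonymising before you transfer" can look like in practice: a customer export has its direct identifiers replaced with keyed pseudonyms and its location column dropped before the file goes anywhere. The column names, the sample rows and the key are all constructed for the example. The point a practitioner should take from it is that a plain hash of an email address is not a pseudonym, because anyone can hash a list of addresses and match them; a keyed HMAC whose key stays with the data controller is.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample export: the sort of file that gets burned to a disc or
# attached to an email. Names and addresses are invented.
SAMPLE_EXPORT = """customer_id,name,email,postcode,orders_last_year
1001,Alice Example,alice@example.com,SW1A 1AA,4
1002,Bob Example,bob@example.org,EC1A 1BB,1
1003,Alice Example,alice@example.com,SW1A 1AA,2
"""

# Columns that identify a person directly: replaced by pseudonyms.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")
# Columns that are not needed for the analysis and narrow people down: dropped.
DROPPED_COLUMNS = ("postcode",)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for one identifier.

    HMAC-SHA256 rather than bare SHA-256: without the key the recipient cannot
    rebuild the mapping by hashing guessed values. The same input under the same
    key always gives the same output, so rows for one customer stay linkable.
    Truncated to 64 bits, which is plenty for a customer list.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_csv(csv_text: str, key: bytes,
                     identifiers=DIRECT_IDENTIFIERS,
                     drop=DROPPED_COLUMNS) -> str:
    """Return a copy of the CSV with identifiers pseudonymised and drop columns removed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = [f for f in reader.fieldnames if f not in drop]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({
            f: pseudonymise(row[f], key) if f in identifiers else row[f]
            for f in fieldnames
        })
    return out.getvalue()


def leaks_raw_identifiers(original_csv: str, output_csv: str,
                          identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Sanity check before sending: true if any raw identifier value survived."""
    for row in csv.DictReader(io.StringIO(original_csv)):
        for f in identifiers:
            if row[f] and row[f] in output_csv:
                return True
    return False


if __name__ == "__main__":
    # Constructed key: in practice a random secret held by the data controller,
    # never shipped alongside the file.
    key = b"controller-secret-not-sent-with-the-data"
    result = pseudonymise_csv(SAMPLE_EXPORT, key)
    print(result)
    print("raw identifiers present:", leaks_raw_identifiers(SAMPLE_EXPORT, result))
```

The recipient can still count orders per pseudonymous customer, which is usually all a third-party analysis needs, but cannot recover names or addresses from the file alone. Keep the key (and the ability to re-identify) with the controller, and treat a pseudonymised file as still personal data on your own side, since you hold the means to link it back.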
Transferring data around the world
International companies which are transferring data around the world are likely to have increased compliance costs.
Few companies so far have gone to the expense of having their data transfer rules authorised by the authorities (it took GE two years of negotiation!) but even the use of standardised contractual clauses for transfers takes time and legal manpower.
Those US companies which have signed up for the Safe Harbor scheme face having to operate under European-style privacy rules and could (in theory, at least) be fined up to $12,000 a day if they are found to be in breach.
Privacy compliance clearly does not come cheap and data breaches can cost millions.