
On the case - March 2008

Governments make laws but it is generally companies which bear the costs of implementing them. The cost to your company of complying with relevant privacy legislation will depend to some degree on where you are reading this column and whether you trade nationally or internationally.



Aside from the cost of registration or notification to the data protection authorities – which is required in most European countries – there are organisational and communication costs to bear. So what is the final bill for implementation likely to be?


Wherever you are operating, the most significant costs are likely to be in securing and managing the personal data you hold. Loss of data (and the inevitable loss of customer trust which that leads to) has featured in this column before, but every month there is another incident of ‘mislaid’ data.


The seventh data protection principle makes it clear that companies must put in place suitable technical and organisational measures to protect data, and it is, of course, a commercial imperative to look after the data asset.


So how come so many breaches (and many more which go unreported) are coming to light?


Unfortunately, the ease with which data can be downloaded and transferred is the main problem. Discs and unencrypted email attachments are still a regular feature of data transfer, and it is relatively unusual to anonymise data. There are technical solutions to these problems, but there should also be a human filter: all staff with access to data should be trained in the basics of data protection law (more cost, but it could be significantly cheaper than a lawsuit from an employee who is prosecuted for breaching the legislation and can claim they were not properly trained!).


Transferring data around the world

International companies which are transferring data around the world are likely to have increased compliance costs.


Few companies so far have gone to the expense of having their data transfer rules authorised by the authorities (it took GE two years of negotiation!) but even the use of standardised contractual clauses for transfers takes time and legal manpower.


Those US companies which have signed up for the Safe Harbor scheme face having to operate under European-style privacy rules and could (in theory, at least) be fined up to $12,000 a day if they are found to be in breach.


Privacy compliance clearly does not come cheap and data breaches can cost millions.


The UK tax department, HMRC, is reported to have spent £2.25 million putting right its own ‘datagate’, but that is just a fraction of the cost to international businesses of complying with the law.
