Three key facts have survived the past two months of political psychodrama.
- Despite approaching austerity, the government remains committed to removing or amending all EU-derived regulations, such as the GDPR, by the end of 2023.
- The reappointments of Suella Braverman (Home Office) and Dominic Raab (Justice) increase the risk to the UK’s Adequacy Agreement, given both ministers’ desire to fundamentally change human rights law.
- Michelle Donelan returns to DCMS as the Secretary of State responsible for data protection. She made a £23 billion claim in her speech to the Conservative Party conference.
The harbinger is further amendments to the Data Protection and Digital Information (DPDI) Bill. In her speech at the conference, Donelan told delegates:
“Our new data protection plan [i.e. other than the plan in the DPDI Bill] will focus on growth and common sense, protecting data privacy while preventing losses from cyberattacks and data breaches. This allows us to take the best parts from around the world and form a truly bespoke UK data protection system, while reducing unnecessary regulations and business blockers.”
Warming to her theme, Donelan added: “We inherited the GDPR from the EU and its bureaucratic nature still limits our business potential. Researchers at the University of Oxford estimated that it directly causes companies to lose more than 8% of their profits.”
To put that 8% claim in context: for UK-registered companies, all profits are currently subject to a 19% corporation tax. According to HMRC’s website, corporation tax has raised around £55 billion for the Treasury each year for the last four years (see references).
So if £55bn equals 19%, the total taxable profit subject to corporation tax (i.e. 100% of the profit) would be around £290bn, and “more than 8% of profits” is a loss of over £23 billion. Hence the heading.
So the Secretary of State wants us to believe that the self-inflicted £40bn to £50bn black hole in the UK economy could have been reduced by about half if the UK GDPR had not been implemented.
It doesn’t take a genius to see that the 8% figure is wrong, but Donelan used it as if it were true.
Oxford study
This study is the first attempt to calculate the impact of GDPR implementation on a company’s profitability. That is a perfectly valid purpose, and it is completely different from the release of (fake) DCMS figures to justify the government’s implementation of the DPDI Bill (around £1.5bn of savings over 10 years; see the reference to my blog post).
In all fairness to the Oxford study, it states that it is a “working paper”; that is, the study is not a completed, peer-reviewed academic paper. This alone is reason enough to say that it was very premature for the Secretary of State to quote the headline result of this paper (the loss of 8% of profits) without explaining its interim status.
But there will be more selective citations from the Secretary of State about this study, hence the reason for this blog.
When this happens, the real problem is not the research (discussed below), but the fact that it comes from the University of Oxford (see references for the URL). Simply put, the university’s prestige risks being used to lend cover to Donelan’s data protection changes.
Research method
In summary, the research methodology examined 3 million balance sheets between 2011 and 2017, mostly from companies with 500 or more employees, collated by the OECD across 62 countries. These were compared with a second group of OECD balance sheets for the same companies from 2018 to 2020. The GDPR was agreed in 2016 and became law in 2018.
Since the balance sheets contain information about sales, profits and employment, the basic idea is that large differences in profitability between the two periods (absent economic shocks to the system) can be attributed to the implementation costs of the GDPR. Other significant impacts or shocks, such as COVID, are excluded (e.g. by an extensive data cleaning process), or so the researchers argue.
Since the raw data includes sales, the study also estimated that the implementation of the GDPR reduced sales by 2%.
But the key point is this: the approach calculates the financial impact of the GDPR directly from these balance sheets. The econometrics has no data protection inputs, only the assumptions that underpin it.
Question: Three Assumptions
The study assumes that the main differences between the two sets of balance sheets from OECD countries (i.e. 2011-2017 and 2018-2020) are due to the implementation of the GDPR. This assumption is unreliable.
As is well known, many OECD countries have data protection laws with standards close to those of the GDPR. For example, compliance with principles (security, accuracy, transparency, etc.) and data subject rights (rectification, erasure, access, etc.) often forms an important part of national legislation based on the OECD Data Protection Guidelines (e.g. New Zealand, Australia). This has been the case since 1980, when the OECD Guidelines were first published.
Laying 100% of these costs (security, data subject rights, compliance audits, etc.) at the feet of the GDPR may therefore overstate the cost of implementing the GDPR, since these costs also arise under legislation based on the OECD Guidelines.
The second assumption relates to the APEC Privacy Framework. These APEC privacy rules follow the OECD Guidelines and were published in 2015, so their implementation in the Asia-Pacific region coincides with the GDPR (published in 2016). The study does not mention APEC, so it may well have measured the combined implementation costs of APEC and the GDPR.
A third assumption is that OECD companies did not implement the GDPR until it came into force in 2018. In reality, many GDPR obligations (or the equivalent obligations under the previous Data Protection Directive 95/46/EC) had to be met much sooner.
Therefore, the second cohort of balance sheets used in the study to identify differences appears to be too narrow, and the cost of implementing APEC also needed to be considered. If these two points are correct, their combined effect is to overstate the cost of the GDPR to businesses. So the 8% figure overestimates the cost of the GDPR alone.
Question: U.S. high-tech company
The researchers report that US tech companies have seen no change in profits or sales as a result of GDPR implementation.
A possible reason for this is that many of them (Google, Facebook, etc.) were established in Ireland and had to implement the GDPR anyway. Indeed, in the Google Spain case (Case C-131/12, referred in 2012; see references), processing by Google in the United States was deemed by the CJEU to be processing covered by the Data Protection Directive 95/46/EC.
In other words, the zero result recorded in the study could arise because the cost of data protection compliance for US tech companies started in 2012, rather than in 2018 as the study assumes.
By the way, the “small” companies defined in the study have fewer than 500 employees (that is, twice the size of the European Commission’s definition of an SME). I suspect Ms Donelan missed this point: in the speech quoted above, she referred to small businesses that employ a handful of staff.
Q: Assumptions of GDPR
Similarly, the commentary offered to explain the 8% figure for the cost of implementing the GDPR is insufficient. For example, the study states that an OECD company that deals with data subjects in the EU should “appoint a DPO to oversee data management activities” and that “stored personal data must be encrypted and anonymised”.
This description is incomplete. Companies need a DPO only if the processing poses a high risk to data subjects (which may not be the case for all companies), and encryption and anonymisation are not mandatory requirements; they must be considered where their use is technically sound and cost-effective.
The reporting of data breaches addressed in the study is a general feature of international data protection law and not specific to the GDPR.
Question: Consent
The study also attributes the 2% of lost sales to GDPR “consent” procedures (e.g. with respect to data sharing and third-party marketing), but it overlooks the data protection implications of this conclusion.
As is well known, “consent” under Directive 95/46/EC degraded to such an extent that the practices adopted by Cambridge Analytica (and in the UK referendum) emerged. This created scandals that threaten to undermine and polarise the democratic process.
In the DPDI Bill, Ms Donelan replaces “data subject consent” (for example, where an individual has control over marketing or survey options) with the “controller’s legitimate interests” (where the controller is in charge). She has yet to explain how these changes will protect individual privacy from pervasive internet surveillance practices based on “legitimate interest”.
Closing comment
In her speech at the Conservative Party conference, Donelan concluded: “I am an evidence-based politician and you will see in the coming months that I am not afraid to make tough decisions.”
Relying on these preliminary findings, Donelan’s evidence for data protection changes looks like something you’d see on the side of the red Brexit bus.
References
Donelan’s speech: https://www.conservatives.com/news/2022/our-plan-for-digital-infrastructure–culture–media-and-sport
Research at Oxford University: https://www.oxfordmartin.ox.ac.uk/publications/privacy-regulation-and-firm-performance-estimating-the-gdpr-effect-globally/
Government savings from the DPDI Bill: see my blog post “DCMS fails to spend a penny to protect data subjects” at https://amberhawk.typepad.com/amberhawk/2022/05/dcms-fails-to-spend-a-penny-to-protect-data-subjects.html
Google Spain, CJEU Case C-131/12. Importantly, processing by Google USA became subject to the Data Protection Directive 95/46/EC in 2012. We can assume that the cost of implementing data protection started from that date, rather than from 2018 as the Oxford study assumes. Hence the zero result reported by the study.
Corporation tax revenue has averaged around £55bn over the last four years: https://www.gov.uk/government/statistics/corporation-tax-statistics-2022/corporation-tax-statistics-commentary-2022