EU’s General Data Regulation could be costly for businesses

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

This article is part of our special report Data protection.

Contrary to what the EU Commission asserts, if the proposed General Data Protection Regulation is adopted with Article 82 as it stands, it will result in significant extra costs for all European business, says Derek Mooney.

Derek Mooney is public affairs director of the Brussels European Employee Relations Group (BEERG).

"Advocates of the current draft of the General Data Protection Regulation have claimed that it will help business by simplifying the regulatory environment in which it operates by – to quote Commission Vice President Viviane Reding – “drastically cutting red tape” and creating a “one stop shop for businesses.”

This, they claim, would be achieved by replacing the existing “patchwork of 27 different rules in 27 countries” with one law that will apply to all member states and to all companies in the European Union. The Commission has even put a figure: €2.3 billion per year on the savings it claims this measure will deliver to business. 

But it won’t.

The reason why is simple. This GDPR will not benefit all companies operating in the EU because it contains a glaring defect. This defect is not an omission; rather it is a very definite inclusion. Article 82 of the GDPR excludes the area of employee data from the EU wide “one stop shop” by specifically providing that each member state shall also be empowered to regulate in this area.

All employers, large or small, must process employee data. For the bulk of companies operating in the EU their employee database is their biggest database. The maintenance and processing of employee data is essential to the effective management of any enterprise.

Yet if the GDPR is adopted with the Art 82 provision then business will have the “patchwork of 27 different rules in 27 countries” plus the additional obligations and burdens set out in the GDPR such as data protections officers; consent rules and 2% penalty on annual turnover without access to the costs savings the Commission claims.

So far from saving business €2.3 billion, this measure will cost business money EU wide – at a time when EU national governments are committing themselves to reducing employment costs.

BEERG research shows that at a conservative estimate the employee- data related data provisions alone could add  €3 billion each year in additional costs on business.

The reason is that when it comes to employee-related data the regulation is not, in fact, a regulation but a disguised directive.

By inserting Article 82 and allowing member states to adopt additional rules over and above those provided for in the regulation the Commission has fundamentally undermined the very raison d'être of a regulation: which is to have the same rules applying in every EU member state, without variation.

While some businesses, mainly those involved in internet-based businesses or internet-based trading, will benefit from the GDPR, they and other businesses will lose out because of the continuation of 27 different regimes for employee-related data.

This will not be a simple continuation of the status-quo, as some believe, it is the status-quo with all the new obligations that the regulation will impose.

The GDPR provides that every organisation with more than 250 employees appoint a data protection officer. How many organisations are there in Europe with more than 250 employees? How much will a data protection officer cost by way of salary, office facilities, administrative staff and an operational budget?

Because there will still be 27 employee-data regimes large multinational corporations will not be able to get by with just one DPO. How could a DPO in the Netherlands deal with a complaint from a Spanish employee if the laws in Spain are to be very different from the laws in the Netherlands? We have seen no figures from the European Commission that address this issue.

We have published how we reached the €3.3 billion figure, these calculations are available to anyone who wishes to scrutinise them. They are based on the assumption that, on average, large transnational companies undertake three employee-data projects per year (over and above day-to-day processing).

These assumptions are based on feedback from HR directors and based on the costs incurred in “live projects”. Such projects arise from the need to incorporate new acquisitions into existing data systems, upgrading out-of-date software or strengthening systems to withstand hacking or infections. We estimate the total extra cash cost to large multinationals for processing employment-related data in a continuing 27 system patchwork will be around €2.2 billion.

As this figure is our estimation for the additional cost to large transnational companies only, it a substantial underestimation of the costs for European business as a whole. It excludes the costs for the 40,000 or so other ‘large’ businesses in Europe. It also, significantly, does not include the costs to the public sector.

Given the other 40,000 or so large companies operating in Europe, and the many millions of smaller and medium-sized enterprises who would also be affected  we believe that our €2.2 billion figure could be multiplied by a factor of 0.5, at least, giving a total estimate of close on €3.3 billion – even before any penalties for breaches are considered.

Contrary to what the EU Commission asserts, if the proposed General Data Protection Regulation is adopted with Article 82 as it stands it will result in significant extra costs for all European business.

In today’s economic environment, are such cost increases justifiable?"

Subscribe to our newsletters