The burden of the Data Protection Act on small business?
The Institute of Chartered Accountants of Jamaica recently invited me to present on leveraging data analytics to drive growth, a legal perspective, at their annual business seminar. One of the concerns that was raised was the negative impact the Data Protection Act (DPA) may have on SMEs. This is a common concern, as the Data Protection Act, save for the exemptions set out in the Act, will apply to all entities that in any way process personal data of Jamaican citizens regardless of the size or the legal status of the entity; this by definition includes arms of the government. All entities that process personal data will be referred to as Data Controllers.
Personal data means any information that, whether by itself or together with other information, can be used to identify an individual. In light of the wide application of the Act, alarm bells have been raised about the burden this law will place on SMEs. It is the writer's view that the government and the larger companies will feel the brunt of this new legislation more than the SMEs. Further, it behoves private sector companies to maximize the benefits of processing personal data using tools such as data analytics to offset the mandatory costs that will be incurred.
Unquestionably there will be a financial burden placed on all entities that process personal data. The law, once it is passed, will require all companies, including government bodies and agencies, to appoint a Data Protection Officer (DPO) who is suitably qualified, and to fundamentally change the way they process personal data. The Act has not defined what "suitably qualified" is. It is clear, however, that whoever is appointed DPO must not have a conflict of interest.
A conflict of interest will arise where the DPO, outside of his role as the DPO, is otherwise responsible, either directly or indirectly, for deciding how data is processed in the company. There may also be a conflict of interest if the DPO is otherwise responsible for the custody, collection or actual processing of the personal data. The impact of this is that the person one would think is best suited for the job, the CIO or head of IT, is precluded from becoming the DPO because of a potential conflict of interest.
In these circumstances the company may be compelled to hire a DPO full time or hire a DPO on contract, as the Act allows. Even if one chooses to upskill an existing employee, one will incur the costs of training that employee to ensure that he is suitably qualified as required by the law. In addition to taking on a paid position that will impact the bottom line, members of staff, as is the case with the requirements of the Proceeds of Crime Act, will have to undergo training on an ongoing basis in order to be compliant. It is not the responsibility of the DPO to provide this training. Coupled with the above expenses, additional monies will have to be spent on implementing the appropriate IT governance framework.
Not only are there additional expenses that will have to be undertaken; there will also be significant exposure of the board to criminal liability that can result in a fine or jail time if they breach any of their customers' privacy rights, or fail to comply with the prescribed processing standards or mandatory requirements. In Europe, the policy of the supervisory authorities responsible for monitoring the implementation of the GDPR, the European equivalent of our DPA, has been that sanctions should be dissuasive, that is, they should make examples of big entities by imposing large fines once there has been a breach.
Given the structural and financial burdens, coupled with the exposure to criminal liability, that entities are faced with, it only makes sense that companies maximize the benefits that flow from processing personal data by generating additional revenue streams. Regardless of whether you benefit from processing personal data by generating or increasing revenues, you still have to incur costs to make sure the data is being processed fairly and with due regard for the rights of the data subjects. Benefits that can flow from processing personal data could include:
- reducing operational costs by creating greater efficiencies
- creating new revenue streams by discovering new customer needs
- improving customer experience by creating a more customized service or marketing collateral
- increasing recurring revenue by creating a sticky service,
just to name a few.
One tool that can be used to maximize personal data is what is now a buzzword: AI, artificial intelligence. Whether AI has truly matured is yet to be seen, but what is clear is that you now have local companies such as Bluedot offering data analytics services that, among other things, use AI. Based on a presentation made at the same Institute of Chartered Accountants business seminar, the CEO of Bluedot said that there is an average increase in revenues of 30% as a result of the application of their services to existing businesses.
Given the nature of corporate structures and culture, and more so corporate legacy information systems, bigger companies will find it difficult to change the culture of all their employees towards personal data, and if it is not championed by the executive it will fail. Larger companies will also find it difficult to streamline and rationalize the personal data they currently process, given their legacy systems and lack of any prior personal data governance systems. If companies and government agencies are going to move towards compliance, it is going to be an expensive and somewhat challenging journey.
One only has to take cognizance of European companies which, despite their culture and history of respecting the right to privacy, and having promulgated several directives and regulations that served as the building blocks for the GDPR, are still finding implementing the GDPR painful.
Although smaller companies also have to appoint a DPO, it should be less costly and painful for them to implement IT governance systems. Traditionally, smaller businesses have less structure and fewer employees, and as such it should be easier to create a culture of respect toward privacy rights, again once it is championed from the top. Where there are fewer structures, it should be easier to implement the required IT governance systems to become compliant with the DPA. In theory, smaller companies are supposed to be more agile and better suited to take advantage of new business opportunities. On the flip side, the bigger the company is, the less agile it usually is, making it that much more difficult to take advantage of the new opportunities presented by data analytics.
In the final analysis, what is clear is that all companies will have to incur additional costs in order to be on the road towards compliance. It is our view that the larger the company, the more painful this process will be. It is a fact that there is great commercial value in the processing of personal data. How a company leverages the processing of personal data, outside of the purpose of being compliant, is a strategic decision each company will take. In order to offset the inevitable costs of compliance, it only makes sense that the prudent company leverage the commercial value of processing personal data.
Chukwuemeka Cameron is an Attorney and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Feedback can be sent to firstname.lastname@example.org