I am convinced the government sees regulation as a great, free solution to each and every one of the world’s problems.
And, to be fair, from its perspective it probably is: simply create some rules or, better still, a regulatory authority to oversee some aspect of business, have businesses pay for it via levies and, hey presto, a great, free solution to the problem.
The government also has someone – the regulator – to pass the buck to if things go wrong. We all remember the great renaming of the FSA to the FCA.
It is not that I am against regulation. The market, completely unchecked and left to its own devices, is a dangerous thing. But regulation is not the free lunch the government thinks it is.
This is also not helped by every man and his dog (regulators, networks, compliance officers and so on) insisting on gold-plating the rules at each and every turn.
For the past few weeks, I seem to have done nothing but compliance tasks. The real work of advising clients has taken a back seat as I ensure we have all compliance documents up to date and in place. Otherwise, we would risk not being here to advise those clients tomorrow.
Specifically, the General Data Protection Regulation – which, of course, has laudable aims, particularly in light of the allegations against Cambridge Analytica and the use of Facebook data – has been a huge drain of our time and energy.
It is not enough to be GDPR compliant and agree not to misuse someone’s data or bombard them with junk e-mails. We also need to evidence that we are acting compliantly, in case it is needed in the future. Consequently, I have written or updated privacy notices, terms of business, data flow maps and a staff awareness presentation.
Finally, following all of the above, we have had to undertake a data protection impact assessment, for which, somewhat unhelpfully, even the Information Commissioner’s Office does not seem to provide a template.
On GDPR alone, all of this has taken a couple of weeks or so. Who will pay for this time? Certainly not the government. On a time-costed basis, this would run at around £15,000. Given that we aim to add value for our clients, the cost to the economy as a whole is even greater.
Will any of our clients benefit from these two weeks lost to GDPR policies? I doubt it, but it is of course necessary to not only comply but also show compliance. Otherwise, we would risk not being in business much longer.
I am concerned that the costs of being seen to comply are so increasingly onerous they are becoming dangerous. The analogy I have been using over the past couple of weeks is that of a farmer missing the window to plant his potatoes due to having to write a potato blight policy. Having the policy is all very well but it is not much use if there are no potatoes in the field to be harvested.
The government, regulators and compliance officers should think before imposing or gold-plating regulations. A simple cost/benefit analysis would not go amiss.
Scott Gallacher is director of Rowley Turton