Impact considerations
3. Impact considerations
We have summarised the responses on the likely impact of understanding and applying the guidance. 5 We asked respondents to differentiate between:
- impacts attributable to the guidance: impacts that arise from the way the ICO has chosen to develop the guidance; and
- impacts not attributable to the guidance: impacts that arise from the new legislative requirements in the DUAA that controllers are expected to comply with.
3.1. Impacts of engaging with updated guidance
In both consultations, we asked respondents whether they thought the updates to the draft storage and access technologies guidance would result in additional costs or benefits. Responses were as follows:
- Eight respondents (20%) expected both additional costs and benefits.
- Eight respondents (20%) expected neither costs nor benefits.
- Six respondents (15%) expected only benefits.
- Three respondents (7%) expected only costs.
- The remaining respondents either did not answer (seven respondents, 17%), were unsure (seven respondents, 17%), or had already provided this information in the first consultation (two respondents, 4%).
These responses are illustrated in Table 12 below.
Table 12: Responses to the question: “Do you think the draft storage and access technologies guidance would result in additional costs or benefits to your organisation? (These could be financial or non-financial and might include staff time)”
| Response | Consultation Round 1 | Consultation Round 2 | Total | % |
|---|---|---|---|---|
| Both | 4 | 4 | 8 | 20% |
| Neither | 5 | 3 | 8 | 20% |
| Benefit(s) | 4 | 2 | 6 | 15% |
| Cost(s) | 2 | 1 | 3 | 7% |
| Not answered | 3 | 4 | 7 | 17% |
| Unsure / Don't know | 5 | 2 | 7 | 17% |
| Information already provided | - | 2 | 2 | 4% |
| Total | 23 | 18 | 41 | 100% |
Source: ICO analysis, 41 responses (23 from Smart Survey and 18 from Citizen Space)
ICO response
We recognise that engaging with our guidance on storage and access technologies may result in some impacts and we aim to support those impacted to navigate this process and ensure that any impacts are proportionate.
3.1.1. Costs to be considered
Respondents who anticipated that the updated guidance would result in additional costs identified several areas, including:
- familiarisation costs;
- compliance costs;
- engineering and legal costs to design or update systems;
- reduced productivity while the guidance remained in draft format, due to potential for lack of clarity; and
- increased consumer friction.
Respondents who identified costs highlighted time spent on familiarisation as a key factor. 6 One respondent noted that some organisations within the supply chain may also incur familiarisation and implementation costs. Some suggested that the current estimated costs are too low, reflecting the complexity of the topic and the likelihood that organisations may need to revisit the guidance numerous times.
Respondents also highlighted additional cost implications, including costs associated with:
- reviewing and updating internal guidance to reflect the updated guidance;
- training staff across relevant teams (eg digital, data, engagement, marketing, operational and compliance teams) to ensure consistent application of the updated guidance;
- legal and governance review of the updated guidance, in particular of the new exceptions brought in by the DUAA;
- technical reconfiguration of consent management platforms and tagging; and
- developing documentation and audit trails to demonstrate lawful reliance on exceptions.
Several respondents also noted that changes in the compliance landscape, combined with the need to implement the updated guidance, may lead to a period of reduced productivity as organisations adjust to the new requirements.
ICO response
We recognise that organisations will need time to familiarise themselves with the guidance and that this may involve some cost. We acknowledge that organisations may need to revisit the guidance numerous times and have updated our assumptions in the updated Impact Assessment to reflect this feedback. However, without this guidance, we believe that organisations would have to spend considerably longer understanding the updated requirements. Overall, we therefore believe that this guidance will reduce costs for organisations.
We note the potential impacts identified by respondents and believe the changes outlined in this consultation response address these in a proportionate way. In line with our ex-post impact framework, we will consider how best to monitor these costs over time.
3.1.2. Benefits to be considered
Respondents who reported that the updated guidance would result in benefits identified the following potential positive impacts:
- improved understanding of the relevant legislation;
- reduced costs associated with third party providers;
- more transparent information for customers; and
- strengthened trust and organisational reputation.
Respondents stated that engaging with the guidance would lead to increased clarity both in the advice they provide to customers and in their internal processes. They also indicated that this increased clarity would inform future product development aimed at better serving customers and data subjects. Several respondents noted that although moving towards a first-party data system may initially incur costs, they expect the long-term benefits to outweigh these costs.
Respondents also highlighted some additional indirect benefits, including improved alignment between data protection requirements and the new regulatory duties introduced by the DUAA. They further noted that clearer and appropriately scoped guidance could support more proportionate, simplified and privacy-conscious use of data. This, in turn, could lead to more consistent customer experiences across digital channels and improved accessibility and usability for vulnerable users.
ICO response
We are pleased to note that respondents recognise the benefits of the guidance and have acknowledged the additional impacts identified within our updated Impact Assessment. We believe that the changes to guidance outlined in this consultation response address the need for increased clarity in a proportionate way. In line with our ex-post impact framework, we will consider how best to monitor these benefits over time.
5 A more detailed overview of impact responses is provided within our Guidance on the use of storage and access technologies impact assessment.
6 The draft IA estimated familiarisation costs at £124.28 per organisation.