Many of you will remember the madness that ensued as small business owners and large corporations from all over the world scrambled at the end of 2017 to meet the EU’s May 2018 deadline for complying with the new Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data). Just over a year on, the EU and individual member states have reviewed the outcome of implementing the new protocols, with mixed results.
The Spanish Data Protection Agency (AEPD) has issued an alert warning those who are obliged by law to implement data protection policies because of their economic activity that some unscrupulous “service providers” are taking advantage of the situation by playing on people’s fears.
As with most new regulations, opportunities exist for companies, especially consultancies, to cash in by offering services that bring potential clients in line with the law. In this scenario, many consultancies began to offer services to adapt other companies to the EU regulation and, in an attempt to be competitive, some advertise what is known as “Zero Cost Services”, where they provide a “comprehensive” service for an extremely low fee and in some cases for free. What type of consultancy would offer this type of service? Not a very good one, if it actually works through the full list of requirements needed to ensure its clients fulfil the EU regulation.
How can you detect whether the service provider you contact is fraudulent or not? Even though the bullet points below cannot be considered absolute proof, they will at least give you a guideline:
- A Lack of Information or Clear Advice: Simply filling in a form is not sufficient for a business to adapt to the Data Protection Regulation, so if the consultancy you have contracted just hands you a form that is already filled in and says that is enough, you are probably being misled. In order for the consultancy to prepare the documents your business needs, it must first understand the type of business you run, the type of clients and suppliers you deal with, etc., so that it can design a file specifically geared to YOU and explain how to implement it in your business. Non-compliance with the regulation can put you in a precarious situation in the event of an inspection and can open you up to heavy penalties.
- Unnecessary Services, Aggressive Practices and Dirty Tactics: Fear mongering is the usual method used to push people into accepting services, even when some of them are completely unnecessary and costly. Many cases have shown that some consultancies charge extra fees under the guise of “professional training” that either never takes place or isn’t worth the time or money. Another tactic is telling the business owner they are obliged to name a Data Protection Officer when this is not always the case; of course, they can charge more for this service, so why not? A particularly shady practice is to display the AEPD logo in their publicity to make you think they have been directly sanctioned or approved by this Public Administration. According to article 8 of Law 3/1991, of 10th April, this constitutes Unlawful Competition, because it amounts to impersonating a Public Administration office for personal gain, with the sole purpose of coercing others into a snap decision based on the mere appearance of representing an official organization: either by suggesting the potential client will be fined unless they sign up immediately, or by charging a fee vastly below market prices.
- Social Security Exemptions: When a business owner contracts training services for their employees, they receive benefits from Social Security, so imagine what would happen if Social Security got wind of the fact that this so-called service never took place! In the event of an inspection, this could lead to fines ranging from 626 euros to 187.515 euros.
- Tax Fraud: Yes, you read that right, TAX FRAUD. When consultancies and other companies provide training courses, the resulting bill is exempt from IGIC (VAT in the Canary Islands), whereas the service of adapting a business to the Data Protection Regulation must be taxed at 6,5%. If a consultancy tries to conceal its excessive fees under the appearance of training when no such training takes place, it is committing fraud, and so are you along with it. That comes with its own set of consequences you are better off never experiencing, so if you contract this service, make sure you actually receive it.
What can you do to avoid being duped? Inform yourself before contracting a particular company’s services, so you know what type of documents you should receive, and of course bear in mind the four points detailed above. If you come across a consultancy that shows any of those traits, it is best to walk away. Don’t confuse information with coercion: it is their job to advise you on how the law works, your obligations, the consequences, etc., but this should not be used as a tool to push you into accepting their services with no questions asked.
This law is still relatively new, at least in practice, so there is a learning curve for everybody, including EU lawmakers as they fine-tune the regulation and service providers as they navigate some of its finer points or new additions, but that is not an excuse for taking advantage of the situation. As always, a little knowledge is key. If you have an existing business, you should already have data protection protocols in place, but if you don’t, feel free to contact me and I can point you in the right direction. If you are planning on setting up a business, don’t forget to include this cost in your business plan.