As the British pub chain J.D. Wetherspoon prepared for Europe’s new stricter data privacy law, it was still smarting from a massive hack in which customer information was stolen. So it decided it was more prudent to erase an email marketing list of 700,000 people rather than risk holding so much personal data.
Such course corrections are occurring at many companies with business in Europe ahead of the new General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. But even those doing their best to comply face a thicket of unknowns.
The law grants individuals expanded rights over how their personal information is collected and used, and companies that don’t respect those rights will be subject to potentially huge fines. But much remains uncertain about how it will be implemented by businesses and enforced by authorities.
As a result, it’ll take years for companies affected to truly understand the law’s impacts and costs, according to nearly a dozen executives, lawyers and consultants interviewed by The Innovator.
The law only sets out broad principles, such as the requirement that companies identify a legal basis for collecting and processing someone's data, of which consent is just one of six options. Policy makers intentionally left much about implementation vague, leaving companies to make educated guesses about how to comply. National regulators and the courts will gradually weigh in on whether decisions about GDPR now being made in boardrooms around the world were on the mark or not.
The costs and burden on businesses also depend on other unknowns, such as whether European consumers will decide to exercise en masse their right to obtain a copy of their data from companies. Another question is how aggressively privacy advocates — such as the Austrian lawyer Max Schrems, who won a landmark lawsuit against Facebook — will use the courts as a weapon.
“The GDPR regulation is complex, much more so than existing law,” says Laurie-Anne Ancenys, a lawyer with Allen & Overy in Paris. “It will take years to figure out what it means to be compliant.”
A Marathon, Not A Sprint
So what should businesses do? Treat compliance as a marathon, not a sprint, GDPR experts advise. Regulators have discretion to decide which violations to pursue and at what pace. Companies will have to lobby regulators, and take part in debates about the details of implementation for their sectors and in the countries where they operate.
Businesses can’t just declare victory on May 25 and move on. It will take money and effort to stay on the right side of data protection law as it evolves.
Just how much money compliance will cost over time is also hard to gauge, says Richard Hogg, a GDPR expert at IBM Corp. He has seen large multinationals spend $5 million to $10 million to assess and revamp their data-handling systems, depending on their starting positions. Although many companies won’t be done by the May 25 deadline, those that started by fixing the dozen or so most critical systems should be fine if they can show regulators a roadmap to take care of the rest, Hogg says.
A Boon for Lawyers and Consultants
Given that much remains unknown about the application of Europe’s new data privacy law, businesses have to learn to live with uncertainty. That doesn’t mean they should take a “wait and see” approach, because the issues can cut to the core of their businesses.
One example is a fight brewing in the media sector: Google and online publishers disagree over who must get consent from an individual before a targeted advertisement sold via Google’s technology can be shown to them. Is it the media outlet where the person sees the ad, as Google argues? Or should it be Google since it targets, sells and places the ads? Ad-targeting occurs millions of times per day on the modern web; it underpins billions in revenue for Google. Yet no one is really sure how it should work in the brave new world of GDPR. Getting it wrong could expose Google or the publishers to liability and fines.
Now imagine similar debates over basic business processes taking place in sectors such as banking, retail, airlines, energy providers or health care. It’s a boon for the lawyers and consultants who help corporations deal with data protection, and it has also led to a talent war. France’s data protection regulator CNIL estimates that 80,000 companies will need to hire data protection officers as required by the law, compared with about 14,000 today. Schools are barely churning out a few dozen per year, says Bertrand Liard, a lawyer at White & Case in Paris. “Expertise is sorely lacking,” he added.
The stakes are high, because GDPR ratchets up the fines that regulators can inflict on companies who break the rules. Under Europe's old approach, the maximum fine in Britain was £500,000 while in France it was €150,000. Under GDPR, companies can be fined up to 4% of their global annual turnover or €20 million, whichever is higher. That's enough to make even deep-pocketed tech companies like Facebook and Google shudder.
Despite significant uncertainty and cost, complying with GDPR can have a positive side for corporations. The savviest of them have used the run-up as a catalyst to better organize the data they collect on employees and customers with the aim of then using it to drive higher sales or squeeze out costs. Others have used GDPR to justify information technology upgrades or new strategies that are better in the long run.
For example, the Dutch financial institution Rabobank worked with IBM to use cryptography to replace directly identifying fields such as names, birthdays and account numbers across terabytes of customer data with pseudonyms. The pseudonymized data is used by the bank's software development teams to test new services such as mobile apps or payment technology with far less exposure under Europe's data rules. One caveat: under GDPR (Article 4(5) and Recital 26) pseudonymized data still counts as personal data, because the organization holding the key or mapping can re-identify it. Pseudonymization is explicitly encouraged as a safeguard (Articles 25 and 32) and shrinks the blast radius of a leaked test database, but it does not take the data out of the regulation's scope.
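The article does not say which cryptographic construction Rabobank and IBM used. The following is an added example, not their code or the page's, showing one common way to do this kind of keyed pseudonymization of a customer export for a test environment: direct identifiers are replaced with HMAC-SHA256 tokens under a secret key that stays with the production data owner, account numbers keep their country and bank code and get freshly computed IBAN check digits so format validation in test code still passes, and birthdays are generalized to the year. The sample rows, the key and the column names are constructed for illustration.

```python
"""Keyed pseudonymization of a customer export for use in test environments.

Added example, not Rabobank's or IBM's code. Assumes: a secret key held only by
the production data owner, a CSV export with the constructed columns below, and
HMAC-SHA256 as the pseudonym function. The same input always maps to the same
token, so joins across tables still work; the key is needed to link a token
back to a real customer, which is why this is pseudonymization, not anonymization.
"""
import csv
import hashlib
import hmac
import io

# Constructed sample export; these are not real customers or accounts.
SAMPLE_EXPORT = """customer_id,name,birthday,account_number
1001,Anna de Vries,1984-03-12,NL91ABNA0417164300
1002,Jan Jansen,1979-11-30,NL20INGB0001234567
1003,Anna de Vries,1984-03-12,NL91ABNA0417164300
"""


def keyed_token(key: bytes, field: str, value: str) -> bytes:
    """HMAC-SHA256 over field-name || NUL || value.

    Mixing the column name in means the same literal appearing in two different
    columns does not produce the same token (domain separation).
    """
    msg = field.encode("utf-8") + b"\x00" + value.strip().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def pseudonym(key: bytes, field: str, value: str) -> str:
    # 16 hex chars (64 bits) is ample to avoid collisions in a test dataset.
    return keyed_token(key, field, value).hex()[:16]


def iban_check_digits(country: str, bban: str) -> str:
    """ISO 13616 check digits: letters map to 10..35, value mod 97 must equal 1."""
    numeric = "".join(str(int(ch, 36)) for ch in bban + country + "00")
    return f"{98 - int(numeric) % 97:02d}"


def is_valid_iban(iban: str) -> bool:
    numeric = "".join(str(int(ch, 36)) for ch in iban[4:] + iban[:4])
    return int(numeric) % 97 == 1


def pseudonymize_iban(key: bytes, iban: str) -> str:
    """Keep country and bank code so routing/format logic in test code still
    behaves, replace the account digits with keyed digits, and recompute valid
    check digits. Assumes the Dutch layout: CC + 2 check digits + 4-letter bank
    code + 10 account digits.
    """
    country, bank = iban[:2], iban[4:8]
    token = keyed_token(key, "account_number", iban)
    account = f"{int.from_bytes(token[:8], 'big') % 10**10:010d}"
    bban = bank + account
    return country + iban_check_digits(country, bban) + bban


def generalize_birthday(birthday: str) -> str:
    """A full birthday is a quasi-identifier; keeping only the year is
    generalization rather than pseudonymization, but it leaves enough for
    age-based logic to be tested.
    """
    return birthday[:4]


def pseudonymize_export(key: bytes, csv_text: str) -> list:
    """Return the export with every direct identifier replaced."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "customer_id": pseudonym(key, "customer_id", row["customer_id"]),
            "name": "cust_" + pseudonym(key, "name", row["name"]),
            "birthday": generalize_birthday(row["birthday"]),
            "account_number": pseudonymize_iban(key, row["account_number"]),
        })
    return rows


if __name__ == "__main__":
    # Hypothetical key for the demo; in practice this comes from a secrets store
    # and never leaves the production side.
    for r in pseudonymize_export(b"demo-only-key", SAMPLE_EXPORT):
        print(r)
```

Two points the design leans on. First, HMAC output cannot be inverted, but anyone holding the key can recompute a token from a candidate name or account number and match it against the test database, so the key must be long, random and kept out of the test environment entirely; rotating it regenerates the whole dataset. Second, rows 1001 and 1003 (same customer, constructed duplicates) receive identical tokens, which is what lets test code exercise joins and de-duplication logic, but that same linkability is why the output is still personal data under GDPR.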
“GDPR is a transformation opportunity for companies,” says Hogg. “You keep less information but better and cleaner data that allows you to get closer to customers.”
That companies are being forced to think harder about data collection means that GDPR is already having its desired effect. "Firms are taking this very seriously," says Daniel Mikkelsen, a senior partner at McKinsey & Company in London. "The big stick changes everything."