THE GLOBAL STRUGGLE WITH THE GDPR
The General Data Protection Regulation (GDPR), a new law to protect the data of individuals in the EU and EEA, took effect at the end of May. It will ensure greater transparency in how consumer data is handled and offer EU citizens some of the best privacy rights in the world. But for companies, compliance with the GDPR was and continues to be a great challenge. They also face the risk of significant fines for non-compliance – up to €20 million or 4% of their annual turnover.
Experts call the GDPR a hybrid between a directive and a regulation. It contains opening clauses that member states can use for their own regulations as well as broad specifications and terms. The guidelines of the national authorities are all subject to interpretation by the European Data Protection Board and to their voting procedures, which is providing for legal uncertainty.
Who is affected?
The GDPR applies to any organization that stores or uses data related to individuals in the European Union, regardless of the company’s size or where they are based. As described in Article 3 of the GDPR:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
In other words, global organizations with a physical presence in the EU will almost always be subject to the GDPR – no matter if they are a multimillion dollar firm or a self-employed handyman.
Organizations have to invest a significant amount of money in ensuring compliance with the new regulations. Experts say that the world’s biggest companies are spending tens of millions of dollars to prepare. Smaller companies without these resources are struggling.
Most companies are not ready
A survey by Capgemini showed that 85 percent of companies were not able to meet the deadline on May 25th and not ready for the GDPR. “Significant work remains to be done to increase not only compliance levels but also compliance maturity and to bridge the gap between the preparedness of organizations and the expectation of individuals”, says Capgemini’s report Seizing the GDPR Advantage: From mandate to high-value opportunity. On average, of the European companies included in the survey, not even 48 percent stated they would be largely or completely compliant in time.
Research also suggests that some companies are overlooking a possible business opportunity presented by the GDPR. “Executives now have a great chance to use GDPR to create a customer-first privacy strategy,” according to a statement made by Willem de Paepe, global GDPR leader at Capgemini. “Beyond gaining consumer confidence and increased spending, knowing exactly what data is held allows firms to use analytics more effectively and improve operations.”
Instead of creating a service that is compliant with the GDPR, many companies from outside Europe decided to block users from the European Union because of concerns about their compliance and the fear of the significant fines. A range of companies decided to go this route, such as start-up Payver, a U.S.-based mapping services provider to large media companies like Tronc, which owns the Chicago Tribune, the Los Angeles Times, among others.
Other companies may need to take even more serious steps. For example: Czech internet company Seznam.cz has said it will shut down its social network for students because of the regulation. It stated that the platform, which has 20,000 daily active users, would have to be changed completely in order to comply with the regulations.
Sorry European Payver users! Come May 24th we’re discontinuing Payver support in Europe due to #GDPR. Talk to your lawmakers…
— Payver (@getpayver) 5. April 2018
What to expect?
Many companies are still working to obtain user consent and there will likely be many changes ahead in the coming weeks and months.
“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning.
It’s an evolutionary process for organizations –no business, industry sector or technology stands still. Organizations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018,” says UK Information Commissioner Elizabeth Denham.
© EUROPEAN COMPANY LAWYERS ASSOCIATION
EUROPEAN COMPANY LAWYERS ASSOCIATION
Avenue Louise 326, 1050 Brussels
Phone +32 2-808 54 56