A tornado of data regulations is about to hit companies and many are going to be badly battered in the storm.
The European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25, will usher in the biggest-ever shakeup in the way companies gather, store and use the data of customers and clients. Its impact is expected to be felt the world over, and companies in Asia and the US that trade with EU-based firms have already begun changing their terms and conditions to comply with the new rules.
While consumers are unlikely to notice any changes and bear no costs, the price of implementation for companies and the potential fines they face for non-compliance are expected to be high enough to put some weaker firms out of business. For those who survive, life may never be the same again.
“This is going to cause a fundamental shift, not just to European businesses, but to any business dealing with the data of an EU citizen,” said Michael Smolenski, CEO of Lightstreams, a peer-to-peer network for sharing digital content and information.
GDPR has been drawn up to protect customers’ data, requiring companies that have harvested it to ensure it’s secure and not being used for other purposes. It also requires the swift reporting of data breaches and empowers consumers to request their data be wiped from databases.
Companies that fail to comply after May 25 will face a fine of EUR20 million, or 4% of their global annual turnover, whichever is larger.
New Strategies Needed
While the past months have been busy for data managers, as they’ve put their companies’ strategies together, the coming years are going to be expensive. The International Association of Privacy Professionals (IAPP) and accountancy giant EY estimate that the mere cost of implementation will be somewhere in the region of $7.8 billion for Fortune 500 companies. Most of that will go on the hiring of, on average, five data protection officers and another five compliance staff.
Sia Consultancy calculates that in the UK alone, the cost to financial services firms will be in the region of £15 million each.
For small firms, especially data-heavy companies such as insurance technology start-ups, publishers and payments processors, the impact is likely to be greater.
Small Businesses Unprepared
Surveys, including one published earlier this month by Instantprint, found that as many as two-thirds of smaller enterprises in the UK had taken no steps to comply with the imminent rule change by the start of May. It estimated businesses would need to spend more than £2,200 just to make their marketing literature compliant. And the Federation of Small Businesses (FSB) calculates firms will have to fork out more than £1,000 a year and devote seven more hours per month to compliance.
“Many small businesses will be concerned that the changes will be too much to handle,” FSB national chairman Mike Cherry told Computing magazine. “It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”
Data Treasure Troves
Implementation costs may pale, however, against the potential loss of earnings posed by GDPR. Major data brokers, including social media sites, earn their money by packaging and selling data they’ve harvested from their billions of users.
They face losing huge troves of that treasure as GDPR hands consumers the right to refuse consent to their data being harvested and even to demand the deletion of data already on file.
A survey by South African software company Sage found that at least a third of all consumers would demand their data be withdrawn completely from online retailers. That figure is thought to have soared after Facebook was found to have sold users’ data to shady political analysis firm Cambridge Analytica.
Ironically, one of the biggest losers is expected to be Facebook. Goldman Sachs forecast that, as a worst-case scenario, the social media behemoth would rather face a gargantuan fine than lose the business of millions of users by adhering to GDPR’s rules. By its estimation, that could mean Mark Zuckerberg’s business forsaking almost $8 billion.
“Where businesses once had ample leeway in sweeping their data processing practices under the rug through hidden privacy policies and underhanded consent measures, the GDPR is reshaping the way things are done,” said Karilyn Dearie, specialist and privacy consultant for Termly.