The new General Data Protection Regulation is forcing hundreds of thousands of companies, such as multinationals and insurer Allianz SE, but also small manufacturers and even restaurants, to change the way they collect and manage information about Europeans, even if they do not have a physical footprint in Europe.
Many firms are not fully prepared, say privacy lawyers and consultants. Some have spent millions of dollars to prepare for Friday, the day regulators begin to enforce the law.
"I do not think that as a company we realized the full extent of what the law would require," said Paul Delson, compliance director for First Solar Inc., a solar panel manufacturer in Tempe, Arizona. The company has been quick to draft new policies on the use of employee and customer data and to map how it uses that data. At first, he said, "I think there was something about, 'Well, that's a European law, and we're an American company.'"
The GDPR creates or toughens many obligations for companies, such as minimizing the information they collect. And it gives individuals new or expanded rights that include, in many circumstances, the right to see, correct or delete personal information about them.
Companies are responsible for demonstrating that they are following the rules and risk fines of up to 4% of their global revenues or €20 million ($23.4 million), whichever is greater, if they do not comply. Regulators are unlikely to look kindly on delays, because the law, approved in 2016, gave companies two years to comply.
"There was no hidden agenda," said Andrea Jelinek, who is expected to lead a new EU board of national data protection regulators as of Friday. "If and to what extent companies are lagging in the implementation of the law, we will see."
Business surveys show that between 60% and 85% of companies say they do not expect to fully comply on Friday. In March and April, only half of the companies said they even complied "in large part," according to a survey of 1,000 companies conducted by a consulting firm.
"These are substantial programs that consist of multiple projects that sometimes take years to complete," said Willem de Paepe, who heads Capgemini's GDPR compliance practice.
Companies that say they will make the deadline often have spent a lot to do so. Allianz, based in Munich, said it spent tens of millions of euros to prepare for GDPR, including mobilizing hundreds of privacy experts from 80 subsidiaries to make changes, including a redo of online insurance requests to avoid requesting information, such as the applicant's profession, that is unnecessary for an insurance quote.
"It has been a gigantic task," said Philipp Raether, the company's group chief privacy officer.
Bossa Studios, a London-based video game company with 90 employees, said it spent "dozens of thousands of dollars" on consultants, who concluded that the company complied with GDPR and did not need to change anything, since it only retained simple data. "It's a very complex issue," said Chief Executive Henrique Olifiers. "Even the consultants are trying to solve it."
One of the thorniest demands of the law is for companies to list all the ways in which they gather and process personal information. French hotel group Accor hired an outside vendor for an undisclosed sum to build a map of all the ways it uses the data, and then keep that map updated in case regulators come to audit. "It's an endless process," said Thomas Elm, Accor data protection officer.
U.S. airlines, which collect large amounts of passenger data, declined to discuss their preparations publicly. An airline executive said that the focus has been on creating an inventory of personal data for millions of members of frequent flyer programs, as well as how the data can be shared with third parties, such as online travel agencies. It appointed a chief data protection officer, a new position mandated by the new rules.
"Companies are struggling with concrete deliverables – registration of processing activities, transfer agreements, notices, website – due to the large volume," said Henriette Tielemans, a Brussels partner and data protection expert at the law firm Covington & Burling. "But they are also struggling with more conceptual approaches, because that's not how we've done business so far."
Mastercard executives realized last year that the credit card transaction data the firm analyzes, for example to show purchasing trends, may no longer be considered anonymous under GDPR. That would mean that the GDPR could restrict the way in which the data could be used in the future, because the law limits the use of personal information for purposes other than those for which it was collected.
So in March, Mastercard teamed up with International Business Machines to set up an external trust that will hold and anonymize the data, so that Mastercard does not have the ability to re-identify people from it. The trust, called Truata, aims to take on other customers besides Mastercard, allowing them to keep data anonymous while analyzing it.
"Anonymized data provides another level of protection for individuals," said JoAnn Stonier, chief data officer at Mastercard.
New York-based online advertising agent AppNexus Inc., which has approximately 30% of its business in Europe, has had to re-engage with European suppliers and customers, as well as with U.S. companies doing business in Europe, to account for the new law, said CEO Brian O'Kelley.
"We are in what has been one of the biggest legal bottlenecks in global history," said O'Kelley. "My biggest concern is that this is not resolved in 10 days."
Even restaurants in the U.S. are worried about complying with the law, because they gather and keep information about EU residents who make reservations when they travel, said Kinesh Patel, co-founder of SevenRooms, a reservation and guest information service. The larger chains have been working on compliance for some time, but it has surprised some smaller restaurants, he said.
"Restaurants are not technology companies," Patel said, "but now they're being asked to manage it the way they are."
-Stu Woo, Nick Kostov and Doug Cameron contributed to this article.