Businesses and Data Protection: are European firms ready?
Emily Schimelpfenig // 1 August 2017
The French Council of State recently asked the European Court of Justice to settle a case determining whether search engines such as Google and Microsoft’s Bing must apply the “Right to be Forgotten” to global domains. This concept, which is part of the 2016 General Data Protection Regulation (GDPR), states that entities have a right to have links about themselves removed from online search requests. This is applicable to all EU domains, but the question asked to the Court is whether these rules should be applied globally to domains like google.com. The Google case is a good example of a company being forced to adjust to new regulation placed by the GDPR.
Half of EU companies say they will not be ready to comply with the new regulation once the GDPR enters into force on 26 May 2018. European firms will need to adjust to an expanded definition of personal data, new consumer rights and universal consent notifications. If not, they will be charged a fine of €20 million, or 4% of the company previous year’s global turnover, whichever is the higher.
The GDPR comes with the support of 90% of Europeans and is a key step towards the implementation of the digital single market. Despite this, EU companies have largely failed to change their existing platforms to meet the new GDPR criteria. A recent study shows that in the UK 70% of companies are not prepared for the GDPR and risk being fined as soon as the directive becomes enforced.
European companies are especially lagging behind in two areas: consent and the appointment of a Data Protection Officer. The GDPR requires a positive indication of agreement to one’s information being processed. This means no more implied consent, no notifications that disappear, or consent due to inactivity. The Data Protection Officer must be an expert on these rules and the implementation of them within the company. However, these professional figures are only required for businesses within the data industry.
The lack of preparedness creates a serious problem for the success of the digital single market, which needs businesses to participate in it to flourish. The positive outlook of this bill is that it creates a level of trust between companies and individuals through the regulation of individual privacy. It does also limit the ability to advance digital offerings. This dichotomy is a large part of the reason why businesses are struggling to adjust to the new standards which largely restrict their ability to gather data.
Thus, companies face a choice: to adjust to the new rules or face the consequences laid out by the GDPR. One option would be for them to leave the market. However, as the new regulation apply Union wide, these firms would be leaving a very lucrative market. With the 2018 deadline approaching fast, businesses will have to act swiftly to avoid any regulatory retaliation. In order to help all those companies that have fallen behind, European Institutions can either extend the May 2018 deadline or not fine businesses right off the bat. The likelihood of this option occurring is low, especially considering firms will have had two years to adjust by next May.
Another option would be for companies to pay their non-compliance fines until their systems meet the new regulation. Many smaller businesses, however, cannot afford these costs. For example, the new GDPR directive requires European financial institutions to report when their data is breached. In a recent article, the Financial Times reported that if these institutions’ data were breached 384 times over the first three years of the new regulation’s coming into force and were fined at the lower end of the GDPR scale at €260 million per breach, the penalties would total €4.7 billion.
Consequently, EU firms should immediately prepare for the implementation of the GDPR, including allocating funds to support the transition and planning how to accomplish the variety of tasks needed to meet the new requirements. According to international law firm Squire Patton Boggs, it takes at least 6 months for a company to meet the GDPR standards. This includes creating records of data processing activities, appointing a data protection officer (if required), identifying circumstances where personal data is shared, justifying the data that is processed, transferring data, reviewing all privacy notices, consents, automated processing/profiling and meeting individual rights. Businesses must also ensure that their security is compliant with the new standards.
This is a steep task to complete in the remaining 10 months, especially for businesses that need to catch up with these new rules or lack the right amount of internal resources to effectively implement the directive. They face a serious choice in the race for time. Pay the upfront costs now and possibly still face fees if they cannot meet the timeline or continue and pay more fees later on, alongside still having to eventually meet the criteria of the GDPR.
EPICENTER publications and contributions from our member think tanks are designed to promote the discussion of economic issues and the role of markets in solving economic and social problems. As with all EPICENTER publications, the views expressed here are those of the author and not EPICENTER or its member think tanks (which have no corporate view).