On May 25 this year, the adoption of Europe’s new General Data Protection Regulation (GDPR) is set to become a watershed moment in privacy history: EU citizens gain new rights to view, limit and delete data that businesses from around the world collect about them.
“Most people would agree that GDPR is the most robust and far-reaching data-protection law,” says Sam Pfeifle, content director at the International Association of Privacy Professionals (IAPP).
The game-changing regulation gives individuals the right to access and view what information was gathered about them—such as name, address, age, income and wealth—transfer this data to another company or ask that data be forgotten. It also imposes a 72-hour deadline to identify and report security breaches and sets high fines for noncompliance: in some cases as much as either €20 million ($24.4 million) or 4% of the previous financial year’s worldwide revenue, whichever is larger.
The GDPR is considered one of the world’s most expensive and far-reaching regulations of the tech industry. Corporations big and small are reportedly scrambling to meet the May deadline, with several surveys saying that around half of those companies affected will not make it. A recent study by IAPP in collaboration with EY says Fortune 500 companies are expected to spend nearly $8 billion to comply. The success of the law will depend mostly on how consumers, who are not yet completely aware of these changes, will decide to exercise their newly acquired rights.
Pegasystems, a software company that offers GDPR compliance solutions, has a survey showing that 79% of EU consumers do not even know about GDPR. However, once they have been informed, “82% of consumers say they plan to take advantage of their new rights,” explains Jeff Nicholson, vice president of product-marketing CRM, Pegasystems. “It almost appears to be a sleeping giant in that respect. The demand will most likely be considerable.”
Nicholson says that in addition to data, some of technology’s opaque mechanisms are an issue, because consumers will have the right to a full explanation of how a particular decision was reached. “In industries such as financial services, insurance and healthcare, if you are turned down—if you are not approved for something that has been advertised, for example—you will have the right to ask why. Each individual will be able to ask why he or she was not approved,” Nicholson says. “Many businesses may find that they are not prepared for that, because they are applying techniques such as deep learning or cognitive approaches that are opaque. So they are not complying.” Pegasystems offers a software solution called T-Switch that lets organizations control the transparency of their artificial-intelligence models.
Experts agree that the new European regulation is impacting corporate behavior worldwide: Half of US companies consulted for the IAPP-EY survey, for example, say that GDPR is dictating their privacy programs. “The United States has been very transactional about privacy,” says IAPP’s Pfeifle. “You have to show the harm that has been done, whether it has been financial or emotional; whereas in the EU, the harm is self-evident.” In China, the approach to privacy is even looser than in the United States. Experts say that often the government accesses data collected by popular companies, such as online retail service Alibaba.
Large companies have already spent billions to get ready for the GDPR; the high costs of compliance can represent a barrier for small competitors, says Eric Goldman, co-director of the High-Tech Law Institute at Santa Clara University. “My concern is that the cost of compliance for the GDPR is very substantial and that raises the barrier to entry for new start-ups,” says Goldman, who previously practiced law in Silicon Valley. “It can hurt the competitive environment and make the incumbent further entrenched.”
The difficulties are such that some even doubt that implementation will proceed as planned. “I think that the impact is going to be bigger than what people thought. I think that they will discover how big it is as they work to comply,” says Geoffrey Parker, professor of engineering at Dartmouth’s Thayer School of Engineering and a research fellow at MIT’s Initiative for the Digital Economy. He raises the possibility of a delay. “They are going to ask for extensions.”