
GDPR Provokes Mixed Reactions from U.S. Firms

Enforcement of the European Union’s General Data Protection Regulation (GDPR) started on May 25, and to date U.S. firms have taken a variety of approaches to complying with the rule.

At the same time, industry observers are watching to see how regulators respond to a recent data breach in light of the new GDPR rule.

GDPR has a long reach. Even though the rule was passed in the European Union, it applies to any firm that does business with customers in Europe, regardless of the location of the firm. Among other requirements, GDPR says firms must explain to customers how algorithms make decisions, and data protection authorities must be notified within 72 hours after breaches occur.

Firms must also obtain individuals’ permission before sharing their data and they must delete an individual’s data upon request. Businesses that aren’t GDPR-compliant and experience a data breach can face a fine of either $25 million or 4% of annual revenue, whichever is more.

Compliance with the regulation is no modest undertaking. For Fortune Global 500 companies, which are the biggest firms worldwide by revenue, compliance is estimated to cost $7.8 billion, according to Fortune Magazine.

A PwC survey of 200 U.S. companies with more than 500 employees found that 68% of businesses expect to spend between $1 and $10 million to meet the regulation’s requirements. Some companies even say they expect to spend more than $10 million.

PwC estimates compliance costs for firms with more than 500 employees will total more than $150 billion. Fortune Magazine notes, furthermore, that the costs will be ongoing. That includes the additional costs of deleting individuals’ data when customers ask firms to do so.

Observers’ perspective on the rule, not surprisingly, has been mixed. Privacy advocates say the regulation is sorely needed while business advocates argue that the additional costs associated with the rule will result in reduced services for consumers.

The Brookings Institute, which receives funding from Facebook, Amazon, and Google, argues that individuals have enjoyed increasingly improved internet services in exchange for having firms use personal data for marketing.

By restricting the use of data, businesses may end up either charging individuals for internet services or curtailing the services they provide. In most instances, individuals aren’t forced to share personal data. Instead, they share data because they want to.

Some reports, meanwhile, have been critical of how Facebook and Google have responded to the rule. The Irish Tech News contends that Facebook is applying GDPR standards only to data for individuals in Europe rather than extending the same protections to all of the users of its social media platform.

The decision by Facebook implies that the organization doesn’t care about users’ privacy, at least according to The Irish Tech News. The publication also maintains that Google has taken the unusual step of passing responsibility for compliance on to its publishers. Google is simply passing the buck rather than being accountable for data privacy, the publication asserts.

Other U.S. businesses have simply blocked European users from accessing their content, reports The Guardian. One example is media network A+E, which owns a variety of websites, including History.com.

According to The Irish Tech Times, other U.S. publishers that are blocking European users include the L.A. Times, The Chicago Tribune, and The New York Daily News. Those firms have chosen to avoid the costs of complying with the regulation, but they may also be intending to make a statement of opposition to the rule.

Industry observers are also watching to see how regulators respond to data breaches that occur after the rule went into effect on May 25. Just recently, PageUp, which is an employee recruiting and job posting website, experienced a data breach, reports ISBuzzNews.

In a column featured by the publication, Dr. Guy Bunker, SVP of Products at Clearswift, writes that it will be interesting to see if the company has adequate processes in place for data breaches and if those policies will satisfy the GDPR requirement.  
