The deadline for companies having operations in the European Union (EU) to comply with the General Data Protection Regulation (GDPR) standards is tomorrow, and yet many US firms remain completely unaware of this shadow monster. At Tuesday’s hearing in Brussels, Facebook (FB) CEO Mark Zuckerberg promised the European Parliament that the social media giant would be GDPR compliant before this deadline. However, given the complexities involved in the system and the pandemonium surrounding it, it is unlikely that this promise will be kept.
Facebook is hardly to be blamed here. A recent research report by Capgemini shows that over 85% of the companies in the US and Europe that come under the ambit of this regulation will not be compliance-ready by the deadline. The report goes on to say that it expects at least 25% of the companies to fail the regulatory requirements even by the end of the year.
What is GDPR?
As you may already know, Europe is pretty serious about privacy and wants to make data exchange more transparent. The GDPR was adopted in 2016, after almost four years of work on it. All companies having operations in the EU member states were given two years to work on their systems to meet the GDPR requirements. And the two-year grace period ends tomorrow.
GDPR is so complex that even the regulators are unsure how it is going to work.
A fatal headache
Under the terms of GDPR, a company needs to report any data breach to the regulators within 72 hours after it was found. And that is only the easier part. The regulation also requires companies to remain transparent as to what data they are collecting and how they are planning to use it.
Under this new system, an EU user may demand access to the data that a company has collected on them, and can also ask to update or delete certain information they wish to make private. The users may sue the companies if the information is not handed over to them in 30 days. This particularly puts large companies, including banks, in a tricky spot, since they already have such a gigantic cache of information in various systems that pinpointing certain vague data can become quite cumbersome. This is in addition to the massive investments required to set up the whole GDPR compliance mechanism.
Some experts in the field even fear that total compliance is a utopian vision. And with that kind of skepticism prevailing, the fact that regulators can fine a violating company up to 4% of its global revenue sounds, at best, scary. For a company like Alphabet (GOOGL), this amounts to as much as $1.25 billion.
The regulators are expected to be tolerant in the initial months, and yet they will be forced to take action against a company if a complaint arises. The shocking part is that even the regulators are mostly clueless about how the whole process is going to take off. According to a recent survey by Reuters, 17 of 24 regulators said they did not have the financial or legal assistance to carry out their job.
Europe is a major market for many US firms and they cannot ignore these regulations for long. Meanwhile, Apple (AAPL) yesterday announced that it would soon open a privacy portal, from where its users can download all the data collected by the company. The show starts tomorrow, and it’s going to be a survival drama.