If you have an email account, you have likely come across the term ‘GDPR’, as most websites to which you have ever subscribed (even some that you’d completely forgotten about) have likely been spamming your inbox asking if they could continue retaining your data and sending you notifications after May 25, 2018. Seeing how much talk about the GDPR there is these days—and how today is the day when it comes into force—we decided to devote this week’s post to it in order to give you a brief overview of what it is and how it will affect you (that is, other than spamming your inbox).
What is the GDPR?
GDPR stands for General Data Protection Regulation. It is a piece of EU legislation adopted in 2016 (and applicable from May 25, 2018) that replaces and expands upon the Data Protection Directive of 1995. Its goal is to give individuals in the EU greater control over the collection, processing and use of their personal data by the websites, mailing lists, apps and other service providers with whom they have shared it. The 99-article regulation brings sweeping changes for any organisation that processes the personal data of people in the EU, wherever that organisation is based, and threatens hefty fines for noncompliance. It is designed to work alongside the EU’s ePrivacy Directive, which among other things regulates cookies.
As is to be expected, legislation of this type affects a great many companies: most US tech giants also have users in Europe, and the requirements impose burdens of varying weight on different categories of stakeholders. In a nutshell, organisations that collect personal data (data controllers, in the regulation’s terminology, which includes most websites) must have a lawful basis for doing so, which in many cases means asking for, and receiving, express consent from users; must be transparent about the purposes for which the data will be used; must be able to justify why they need each piece of data they collect; and are limited in how, and with whom, they may share it.
How it will affect companies
To make a long story short, it is difficult to say as of now, because it is not yet clear how and when the regulation will be enforced. In theory, noncompliance can result in fines of up to €20m or 4% of a company’s worldwide annual turnover, whichever is higher. While the absolute amount of such a fine could be enormous for companies like Facebook or Amazon (billions of dollars), its relative impact on smaller companies could be much greater.
The number of companies at risk of being fined is significant. In an April 2018 survey of EU and US companies by McDermott Will & Emery and the Ponemon Institute, 48% of respondents said they would not be GDPR-compliant by May 25. Companies with fewer than 500 employees were the least likely to meet the deadline, with almost three in five such firms expected to miss it. The cost of compliance varies with company size (up to about 75,000 employees, the larger the company, the higher the cost of compliance per employee), but the average budget the surveyed companies had allocated to GDPR compliance in the first year was $13m.
But exactly who will enforce the GDPR, and when, remains to be seen. Enforcement falls to the national data protection authorities of the member states, and in a May 2018 Reuters survey of those regulators, 17 of the 24 that responded said they would not be ready to enforce the regulation by May 25 because they would lack the budget or the legal authority to do so. It is therefore expected that regulators will initially go easy on transgressors while they and the companies they supervise work out the intricacies of GDPR enforcement and compliance.
Under the new law, a company must respond to a user’s request for access to their data without undue delay and at the latest within one month (extendable by a further two months for complex or numerous requests, provided the user is told about the extension within the first month). If a noncompliant company fails to respond, the user can lodge a formal complaint with the data protection authority in their country. It is unclear how regulators would react to such complaints in the absence of a functioning enforcement mechanism, particularly if they receive a large volume of them come June 25.
One of the thorniest requirements in the new regulation is that individuals’ data must be deleted, corrected or even handed over to them in a portable, machine-readable format on request. Websites with a large number of users, or that have been operating for many years, will have a particularly hard time complying, because their data is likely spread across numerous servers, backups, log stores and third-party processors, and held in various formats. A deletion or export request has to reach all of those copies, so the first step is a data inventory recording where personal data lives and who has access to it; building the infrastructure needed to act on such requests will then be labour-intensive and involve significant back-office work centralising and organising data.
Hannfried Leisterer, AtomLeap’s co-founder and legal expert, believes that “the GDPR is full of good intentions, but it was not intelligently designed. A lot of the requirements make little sense and are very bureaucratic.” Furthermore, the new regulation will “impose a heavy burden on startups and will stifle innovation in the EU. I support data privacy, but privacy does not equate to protection, which in turn does not equate to security,” Hannfried believes.
How it will affect Internet users
The GDPR was designed with users in mind. Its goal is to put an end to the indiscriminate data collection practices of yesteryear and to give users the upper hand in deciding what happens to their data. This is precisely why you have been receiving emails from websites with which you registered in the past, asking for your consent (consent is only one of the lawful bases the regulation recognises, so not every one of those emails was strictly necessary, but many companies chose to ask anyway).
That said, there may be hidden costs to gaining greater control over your data. For instance, since the regulation is likely to reduce the effectiveness of targeted online advertising, websites could try to pass the revenue shortfall on to users by putting up paywalls or showing them more ads. At this point, however, it is difficult to predict all the ways in which Internet service providers will seek to make up for the GDPR’s impact on their bottom lines.
This is, in brief, why you’re hearing so much about the GDPR these days—and why you’ve been receiving so many emails about it. We hope you found this post informative. Feel free to share your opinions and stories about the GDPR in the comment section below. And, as always, if you’re looking for help to grow your startup, get in touch with the AtomLeap High-Tech Accelerator using the contact form on our home page.