With the General Data Protection Regulation (GDPR) set to go into effect in May, enterprises across the globe are spending millions on software and security experts in order to comply with the regulation. The regulation sets out to give European citizens more control over their online information and applies to all companies that do business with Europeans. This will be the biggest shake-up of personal data privacy rules since the birth of the internet. The industries most deeply affected will be those that collect large amounts of customer data, including technology companies, retailers, healthcare providers, insurers and banks.
According to a PwC survey of American, British, and Japanese executives, among 300 big-name companies in the process of becoming GDPR compliant, 40 percent said they have spent more than $10 million, while 88 percent said they have spent more than $1 million. The program director of cyber security and privacy at IBM Resilient said, “People really aren’t picking up the phone for less than $1.5 million to $2 million,” in reference to legal and software consultancy firms advising worried enterprises on the impending GDPR.
However, even after May 25, when the GDPR kicks into play, maintaining GDPR compliance will still require a large amount of effort and will be a grueling manual process, especially for companies on the small to mid-sized range of the spectrum. Companies will be required to provide regular data audits for EU authorities to prove they are compliant. And companies that handle especially sensitive user information will have to hire data protection officers.
While enterprises scramble to meet compliance by May 25, security and privacy experts are in high demand. Business for those in this industry is booming. However, ensuring that both large and small firms meet compliance is no easy task. Privacy experts have to sift through every software application and database and record details such as the exact type of data they contain – whether it is names and addresses, or more personal information like medical records – and who has access to it. Lingesh Palaniappan, CEO of Grit Software Systems, commented on the process his firm is taking to become GDPR compliant. “Currently, we are literally taking an Excel sheet, to the (clients’) teams, filling out the data and then consolidating the data into another Excel sheet,” said Palaniappan. The big worry is that, due to the manual nature of the work, errors that could make companies non-compliant could creep in.
However, it is still unclear just how strictly the GDPR will be enforced at the beginning. Some expect regulators to take a forgiving approach and allow companies some time to get their systems in order, while reserving harsh penalties for large firms that egregiously fail to comply. But experts at PwC say that firms need to beware in the rush to comply with the new rules. Many inexperienced people are claiming to be GDPR experts as they see the strong demand and current rush. Paul Lanios, an attorney with a large publicly traded international bank in Europe, said that firms need to double-check consultants’ resumes with accredited lawyers to ensure that the consultants have experience dealing with European regulators before bringing them on board.
Despite the boom in security consultants and the rush to be compliant, there is little consensus on whether most companies will actually be ready by May. Among firms that have begun preparing for GDPR, 78 percent say they are confident they will be fully compliant by the deadline, according to a survey conducted by Microsoft late last year. And yet research firm Gartner has a less optimistic forecast, predicting that less than half of all companies affected by the GDPR will be in full compliance by the end of 2018, let alone by the May 25 start date.
Companies like Facebook are providing public information on how they intend to become compliant before the GDPR launch date. For the rest of the firms, however, compliance may be up in the air.