A Data Processors Worst Nightmare: The GDPR

By Cory Poplawski

The European Union’s latest data protection legislation put data processors on the hot seat. The General Data Protection Regulation, commonly referred to as the GDPR, took effect on May 25, 2018 and has ruffled the feathers of many tech giants. With the ramifications of the GDPR hitting not just in the EU, but worldwide, conversation about the regulation is on the global stage.

The GDPR’s enactment comes at a time when people are immersed in social media platforms and online shopping, offering personal data to anyone who asks for it with little thought. Once companies have your personal data, you have, in a sense, lost control of that data and how it is used. The GDPR looks to give individuals greater control over their data and offer better avenues for addressing when personal data is misused. The GDPR achieves this by giving individuals the “right of erasure,” meaning you can request the deletion of your data, requiring clear terms in “opt-in/opt-out” clauses, and offering the ability to file complaints with the Data Protection Agency. While this regulation seems great for the individual, what does it mean for data processors and the companies that do business with them?

It is important to start off by noting that, while the GDPR is an EU regulation, its requirements and penalties reach far beyond Europe. The GDPR requires any company with more than 250 employees that stores EU citizens data, regardless of if they have a business presence in the EU, to comply with the GDPR (smaller companies must also comply, but are not held to the same standards). This means that while a data processing company may be housed abroad, say in India or the Philippines, with no ties to the EU, other than the fact that they hold data of EU citizens, they must conform to the GDPR.

So, how demanding is the GDPR?

The basics of the GDPR requires companies to allow individuals to see what personal data they hold and the right to delete it, provide notice of data breaches within 72 hours, provide unambiguous privacy terms, and, in some instances, higher Chief Data Officers (CDO). While this may seem like a slight inconvenience, the costs of complying with the GDPR add up quickly, especially when a company is required to add salaries for new positions like the CDO. In fact, in a recent report, two-thirds of U.S. companies believe the GDPR will require them to rethink their global strategies. Even worse, over half of businesses fear they will receive fines for noncompliance with the GDPR. But how stiff are the fines imposed for non-compliance?  Fines for noncompliance may be up to 20 million euros, or up to 4% of global revenue, whichever is greater. These are the types of fines that can cripple businesses and stifle innovation.

While tech giants like Google and Facebook can handle the costs of compliance, or the penalties that come with noncompliance, smaller businesses may be less resilient. Small businesses often lack the liquid capital to hire new employees to deal with compliance, or to hire consulting agencies to ensure compliance. With more overhead costs and penalties looming due to the GDPR, it is possible that many small businesses will close. Even if the small businesses are able to stay afloat, they may not want to grow out of fear of paying even more in compliance. This may incentivize small businesses to stunt their own growth in order to avoid costs. With small business stunted, big tech companies would further entrench their spots on top of the tech and data markets.

So, while the GDPR seems great for the individual, will it kill business and growth? If a few tech giants control the industry, will innovation be stifled? These are a few of the questions that only time can answer.

____________________________________________________________

Matt Burgess, What is GDPR? The Summary Guide to GDPR Complaince in the UK, Wired (Oct. 4, 2018 available at https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018(last visited Nov. 12, 2018).

Alan McIntyre, GDPR: Balancing Privacy and Innovation to Create Opportunities in Banking, Forbes (Apr. 2, 2018)available at https://www.forbes.com/sites/alanmcintyre/2018/04/02/gdpr-balancing-privacy-and-innovation-to-create-opportunities-in-banking/#186ce3992bbb (last visited Nov. 12, 2018).

Andrew Rossow, The Birth of GDPR: What is it and What You Need to Know, Forbes(Mar. 25, 2018) available at https://www.forbes.com/sites/andrewrossow/2018/05/25/the-birth-of-gdpr-what-is-it-and-what-you-need-to-know/#3bcdc08c55e5 (last visited Nov. 12, 2018).

Jeff John Roberts, The GDPR is in Effect: Should U.S. Companies be Afraid?, Fortune (May 25, 2018) available at http://fortune.com/2018/05/24/the-gdpr-is-in-effect-should-u-s-companies-be-afraid/ (last visited Nov. 12, 2018).

Ovum Report- Data Privacy Laws: Cutting the Red Tape, IntraLinks(July 26, 2018) available at https://www.intralinks.com/resources/analyst-reports/ovum-report-data-privacy-laws-cutting-red-tape (last visited Nov. 12, 2018).