For months, companies like Seattle-based mobile payments startup Remitly have been mapping out their entire inventory of user data, updating privacy policies, and building tools to let customers access their personal information, delete it, and move it to other services — all with one date in mind: this Friday, May 25.
That is when the European Union’s new General Data Protection Regulation, better known as GDPR, takes effect. For some companies, it’s a last-minute scramble, working long hours as the deadline looms. For others, like Remitly, it’s the culmination of months of hard work bolstered by the expertise that comes with already operating in a heavily regulated space.
Remitly General Counsel Aaron Gregory described it as the regulatory version of Everest. He said businesses are in the final quarter mile of a 26-mile marathon, but not just any marathon. “It’s an Iron Man. As soon as we get across the finish line for the marathon, we hop on the bike.”
GDPR establishes some of the most rigorous data privacy rules in the world. They apply to any company with customers in the EU, which means many American tech companies are spending tons of cash and long hours making sure their products comply with the law. The rest of us are primarily seeing the results in the form of a barrage of emails with updated privacy policies and requests to opt-in to share data.
But behind the scenes, getting ready for GDPR has been an immense amount of work and money for these companies. IAPP and EY estimate that the Fortune Global 500 companies will spend about $7.8 billion on GDPR compliance.
Getting ready for GDPR certainly wasn’t an easy feat for Gregory and his team, but it also wasn’t their first rodeo. Remitly is a mobile app that allows people working in countries like the U.S. to send money back to developing nations. Because it is a financial service, Remitly already has a team of experts used to working on tricky regulatory compliance. Gregory said that in lightly regulated fields, like software, GDPR must feel like a “brave new world.”
An April study by the Ponemon Institute supports that theory. Researchers asked more than 1,000 companies in nine industries whether they expected to be “satisfied” with their GDPR compliance by the May 25 deadline. Just 52 percent said yes. The financial services sector has the most confidence, with 63 percent of companies reporting that they would be ready. That number is 60 percent for technology and software companies. The sector most behind in the race is retail, with just 43 percent of companies reporting that they will meet the deadline.
Amy Bell, a project director for Seattle e-commerce marketplace Bonanza, estimates her team has logged months of collective work on GDPR compliance. “High-level. I would just say the biggest initial challenge was understanding what the basic requirements of GDPR are,” she said.
“The requirements are pretty dense and full of a lot of legalese so that was one of the biggest legal challenges, understanding what the requirements were,” Bell said.
Here are some of the key GDPR requirements that will apply to companies with users in Europe:
- Companies must build tools that allow users to review their stored personal information.
- Companies must allow users to delete, correct, or move their data.
- Companies must notify authorities of data breaches within 72 hours.
- Companies must acquire affirmative consent or prove they have a “lawful basis” for collecting user data.
- Companies that fail to comply with GDPR can be fined up to 4 percent of their annual revenue or €20 million, whichever is greater.
That last item is the reason many companies are burning the midnight oil to get compliant by Friday’s deadline. To put it in perspective, a 4 percent fine on Microsoft’s 2017 revenue of $90 billion would amount to $3.6 billion. Amazon’s 2017 revenue was $177.9 billion. A fine of 4 percent would cost the company $7 billion.
Amazon, which operates the cloud computing juggernaut Amazon Web Services, announced it was GDPR ready in March.
Microsoft has dedicated more than 1,600 engineers to GDPR projects, according to a blog post by Julie Brill, the company’s deputy general counsel. Microsoft is one of several companies that have said they will give customers across the globe access to the GDPR-compliant tools they are building for Europe. Microsoft customers can use those tools to view, delete, and move their personal data.
“For the most part, we aren’t making a huge distinction between what we’re doing for EU customers and what we’re doing for U.S. customers, primarily because a lot of the requirements are around transparency and helping people understand what data you’re collecting about them and how you’re using it,” said Bell, Bonanza’s GDPR lead. “We believe that being very transparent with our customers is valuable.”
There’s another reason some companies are expanding GDPR standards beyond Europe. It can be onerous to maintain dramatically different data use standards across big markets, like the EU and U.S.
Although GDPR takes effect Friday, many experts believe regulators will give companies a grace period before they begin enforcement. The reality of GDPR won’t take shape until regulators begin cracking down on violators because there’s very little precedent for this kind of law.
“The fact is that this complex regulatory framework is as new to privacy regulators as it is to us,” Brill said in the Microsoft blog post. “The ongoing interpretation of the detailed aspects of this regulation will determine the steps that we all will need to take to maintain compliance.”