The world’s biggest companies will spend tens of millions of dollars to meet new EU data protection laws by next May’s deadline, according to a survey that shows the costs of meeting some of the world’s toughest privacy rules.
Members of the Fortune 500 will spend a combined $7.8bn to avoid falling foul of Brussels’ General Data Protection Regulation (GDPR), according to estimates compiled by the International Association of Privacy Professionals (IAPP) and EY. This equates to an average spend of almost $16m each.
Among the biggest changes being ushered in by the GDPR is the right of individual citizens to request that their data be deleted from a company’s servers. It will also impose strict timelines on businesses to identify and report security breaches. Businesses face severe financial penalties for breaking the new rules: maximum fines will amount to €20m or 4 per cent of a company’s global annual turnover, whichever is larger.
Any business that processes the personal information of European citizens will have to comply with the GDPR.
The EU is already taking a tough stance on personal privacy. Tech giants such as Facebook are facing legal battles in European courts to ensure that they can legally transfer the personal information of their European users to and from the bloc.
Trevor Hughes, president of the IAPP, said companies had been rushing to hire lawyers and data protection consultants, invest in advanced data-processing software and clean up their sprawling databases.
“This is a rolling cost. May 2018 is by no means the end point as companies will have to invest in educating their employees in the new data framework,” said Mr Hughes.
On average, companies in the Fortune 500 will hire five full-time dedicated privacy employees — such as data protection officers — as well as another five employees who will spend part of their time handling the compliance rules, according to the survey.
“Data are emerging as the antitrust of the digital economy in the same way that state aid and competition was used to bust trusts in the 1990s,” said Mr Hughes. “This time, data protection has a direct consequence for consumers and citizens who use the digital economy.”
Financial services companies and the tech sector face the biggest compliance bills, according to the survey, which also estimates that medium-sized firms will spend an average of $550,000 to ensure they are compliant on May 28 2018.
Software companies are among the beneficiaries of the EU’s shake-up, which will change the way businesses have to handle, store and process personal data. Microsoft is among those helping companies that use its IT and cloud-based systems to ensure they comply with the GDPR. The company has at least 300 engineers dedicated to making Microsoft products compliant with the EU rules.
“We expect that the cost of our complying with the GDPR at scale, especially for our cloud services, will be much lower than the costs our customers would need to spend to manage all of their compliance individually,” said a spokesman for Microsoft. “We look at GDPR compliance from a business opportunity rather than a cost point of view.”
Analysts worry that smaller businesses are unaware of the looming changes. “I don’t know of any business which is ready or have said they will be ready by May,” said Lorraine Mouat, a consultant at TCC, which advises small UK financial firms on regulation.