The General Data Protection Regulation will enter into force on May 25 and nobody is ready, neither the companies nor the regulators.
After four years of deliberation, the General Data Protection Regulation (GDPR) was officially adopted by the European Union in 2016. The regulation gave the companies a two-year track to comply, which theoretically is a lot time to achieve a good operation. Reality is more messy. Just like term documents and tax returns, there are people who do it early, and then there is the rest of us.
At today's meeting with the European Parliament, Mark Zuckerberg said that Facebook would comply with GDPR before the deadline, but if so, the company would be a minority. "Very few companies are going to meet 100% on May 25," says Jason Straight, attorney and privacy director for United Lex, a company that establishes GDPR compliance programs for businesses. "Companies, especially American ones, are definitely fighting here in the last month to prepare." In a survey of more than 1,000 companies conducted by the Ponemon Institute in April, half of the companies said they would not meet before the deadline. . When broken down by industry, 60 percent of technology companies said they were not ready.
GDPR is an ambitious set of rules ranging from requirements to notify regulators about data breaches (in 72 hours, no less) to transparency for users what data is collected and why. "For many years it has been," How much data can we fool people into giving us? "And" We're going to discover how to use it later! "That will no longer be an acceptable way to operate under GDPR. " says Straight.
"There are some companies that we've talked to, where they say:" Are you kidding? If we told them how we used their data, they would never give it to us in the first place, "says Straight. "I'm like, & # 39; Yes, that's the point & # 39 ;."
But perhaps the GDPR requirement that makes everyone get out of hair is the request for access to the subject of the data. EU residents have the right to request access to review personal information collected by companies. These users, called "data subjects" in the GDPR language, can request that their information be deleted, that it be corrected if it is incorrect and even that it be delivered to them in a portable manner. But that data can be in five different servers and in how many formats are known. (This assumes that the company even knows that the data exists in the first place). A large part of complying with GDPR is to establish internal infrastructures so that these requests can be answered.
Part of the problem is how companies are created, and part of that is that "personal information" is a desert category. Names, email address, phone numbers, location data: those are the obvious ones. But then there is more ambiguous data, such as "an oblique reference, like the tall, bald guy who lives on East 18th Street." If someone said that in an email, that would be the information they would need to provide access to under the GDPR, "says Straight.
For companies that have operated on the principle of" extract as much data as possible and solve it Hoarders especially one of those episodes where the hoarder does not finish cleaning and everyone falls crying at the end.
This is, Somehow, an inevitable result: A year ago, 61 percent of the companies had not even started the implementation of GDPR, Straight says that, in general, European companies, especially those in countries like Germany and the United Kingdom, where There are preexisting privacy laws that overlap with GDPR, they have adapted better. (Still, a survey in January of this year found that a quarter of London companies did not even know that what was GPDR)
To be fair, GDPR as a whole is a bit complicated. Alison Cool, professor of anthropology and information science at the University of Colorado, Boulder, writes in The New York Times that the law is "tremendously complex" and virtually incomprehensible to people trying to to comply with that. The scientists and data managers he spoke with "doubted that absolute compliance was even possible."
It's not a nice position to be, because GDPR can allow regulators to fine companies up to 4 percent of their global revenues for GDPR violations. To put that in perspective, a 4 percent fine on Amazon would be $ 7 billion. (Interestingly, since a company such as Amazon reports huge revenues and relatively small profits, a 4 percent fine could cost them more than two years of profit.)
GDPR's coup could have incited Peter Thiel to accuse Europe to enact a protectionist legal regime. "There are no successful technology companies in Europe and they are jealous of the United States, so they are punishing us," Thiel told a conference at the Economic Club of New York in March.
Because so much of GDPR is ambiguous, the way it will work in practice depends on what the regulators do. Eventually, rules will emerge: to whom the regulators will turn, what kind of sanctions will be imposed by what kind of behavior and what part of that 4 percent of the world's income will be drawn from the criminals.
The general assumption is that when the deadline arrives, European regulators will treat it as a smooth opening, which will provide companies with a honeymoon period, while everyone realizes how the law will work. But regulators can not fully control what will happen on May 25 because parts of the GDPR are user-driven.
If an EU resident files a topic request, a company has 30 days to respond. Suppose a company receives one of these requests, but they are still not fully compatible with GDPR and are literally unable to respond. If the company does not respond, the subject of the data can file a complaint with the local regulator.
The GDPR requires the regulator to do something to enforce the law. It may not be a 4 percent fine, but you can not simply send the complaints directly to the wastebasket. "If they receive 10,000 complaints in the first month, they will have problems," says Straight. Seventeen of the 24 European regulators surveyed by Reuters earlier this month said they were not ready for the new law to take effect because they still did not have the funds or legal powers to fulfill their obligations.  Another provision of GDPR that could force regulatory remedies is the requirement of notification of data breach. Companies must notify a relevant data protection authority within 72 hours after the discovery, but what the regulator does next is not entirely clear. Regulators may not be ready to audit the security of a company or find out exactly what to do to protect the EU residents affected by the violation. But still, they have to do something. They may have some flexibility on how to respond, but the GDPR will not allow them to do anything.
It is assumed that GDPR only applies to residents of the EU and the EU, but because many companies do business in Europe, the US technology industry is struggling to comply with GDPR. Even so, despite the fact that GDPR's great debut will surely be disorganized, the regulation marks a radical change in how data is handled throughout the world. Americans who do not belong to Europe can not make requests for access to data and can not demand that their data be deleted. But compliance with GDPR is going to have indirect effects for them anyway. The requirement of notification of non-compliance, especially, is stricter than anything in the US. UU The hope is that as companies and regulators move into the flow of things, GDPR's greatest privacy protections will become business as usual. Meanwhile, it's a crazy fight to keep up.