GDPR Preparedness lags for new EU data privacy laws

Tough new European data protection rules will have a major effect on companies in countries around the world. So why are only Germany and Austria ready?
... and we'll tell everyone.

How much is your personal data worth? According to a Financial Times study, it’s unlikely basic details such as your age, gender and location are worth more than $0.0005 — maybe a dollar if it includes your every digital move, from web searches to medical records.

But bundle your data with thousands of other people's, and you can see why personal data is like digital gold. Facebook and Google's entire business models are based on their abilities to know as much about users as possible in order to sell your attention to advertisers. The problem is, very few companies gave a second thought about personal data privacy. Until now.

With the US still favoring business over the consumer when it comes to privacy, it falls to the European Union to take the lead in protecting personal data. In May, the General Data Protection Regulation (GDPR) comes into effect to protect the citizens of its 28 member states, requiring firms to give customers more control over their information online.

Among other strict rules, firms will be forced to obtain signed consent forms from customers to use their data, allow them to access and delete data companies hold on them and notify authorities of data breaches within 72 hours. And the General Data Protection Regulation won’t stop at the EU’s borders: It will apply to any global entity holding records of even one EU citizen, no matter where the company is based. No one is exempt.

GDRP is coming into force on May 25 after a two-year implementation period, but businesses across the EU are unprepared for the new rules, and 26 member countries have not yet enshrined them in national law. Only Germany and Austria are up to speed.

“Very many companies won’t be able to implement all the requirements by the start date,” said Achim Berg, head of German IT industry group Bitkom. “Those that have neglected data protection for too long will be especially hard hit.” Mr. Berg added there were a lot of legal uncertainties over how individual rules should be implemented. “That even affects companies that are already in line with the regulation.”

It’s clear that those who aren’t adhering to the law on May 25 will have to expect consequences. Jan Philipp Albrecht, Green member of European Parliament

GDPR requires firms processing large amounts of data to have dedicated GDPR compliance staff, while smaller companies will have to take their own steps to secure customer data. Companies will face fines of up to €20 million ($24.7 million) or up to 4 percent of their global annual revenues if they violate the laws. But authorities may choose to refrain from imposing fines initially.

Axel Voss, a German member of the European Parliament for the center-right European People’s Party, proposed rule-breakers be spared fines for the first six months after GDPR comes into force. He said it was “very unsatisfactory” that so many EU members had not yet integrated the law.

Vera Jourova, EU commissioner for Justice, Consumers and Gender Equality, recently urged all governments, regulators and companies to get a move on because the current patchwork of national regulations would undermine the new regime. She said she understood that the necessary adjustments in business operations weren’t easy and needed time, “But it can’t be that Germany and Austria should suffer competitive disadvantages against other member states for getting ready in time.”

A Green Party member of the European Parliament, Jan Philipp Albrecht, said he didn’t see how fines could be postponed as the rules had been enshrined in EU law. “It’s clear that those who aren’t adhering to the law on May 25 will have to expect consequences,” he warned.

It’s not yet clear how the rules will be enforced outside the EU, but US companies are taking GDPR seriously. A survey in November by security compliance firm TrustArc and the International Association of Privacy Professionals found that 84 percent of its US respondents expected to be prepared for the new rules by May 2.

Dietmar Neuerer covers domestic politics for Handelsblatt from Berlin. To contact the author: [email protected]