By Sam Schechner and Natalia Drozdiak
As Europe's new privacy law, known as GDPR, is set to take
effect Friday, the focus has been on expected battles with tech
giants like Facebook Inc. and Alphabet Inc.'s Google. But the law's
impact is far broader.
The new General Data Protection Regulation is forcing hundreds
of thousands of companies -- multinationals like Mastercard Inc.
and insurer Allianz SE, but also small manufacturers and even
restaurants -- to change how they gather and handle information
about Europeans, even if the companies have no physical footprint
in Europe.
Many firms aren't fully prepared, privacy lawyers and
consultants say. Some have spent millions of dollars to get ready
for Friday, the day regulators begin enforcing the law.
"I don't think that we as a company realized the full magnitude
of what the law would require," said Paul Delson, chief compliance
officer for First Solar Inc., a Tempe, Ariz., solar-panel
manufacturer. The company has hurried to draft new policies around
the use of employee and customer data and to map how it uses that data. At
first, he said, "I think there was some bit of, 'Well that's a
European law, and we're an American company.' "
The GDPR creates or toughens many obligations for companies,
such as minimizing the information they collect. And it gives
individuals new or expanded rights including, in many
circumstances, the right to see, correct or delete personal
information about themselves.
Firms are responsible for showing they are following the rules,
and they risk fines of up to 4% of their global revenue or EUR20
million ($23.4 million), whichever is larger, if they fail to
comply. Regulators are unlikely to take a kind eye to tardiness,
because enforcement of the law, passed in 2016, was delayed two
years to give companies time.
"There was no hidden agenda," said Andrea Jelinek, who is
expected to head a new EU board of national data-protection
regulators starting on Friday. "If and how far companies are behind
in implementing the law, we will see."
Business surveys show between 60% and 85% of companies say they
don't expect to be fully compliant by Friday. In March and April,
only half of businesses said they were even "largely compliant,"
according to a survey of 1,000 businesses conducted by consulting
firm Capgemini SE.
"These are substantial programs consisting of multiple projects
that sometimes take years to complete," said Willem de Paepe, who
runs Capgemini's GDPR-compliance practice.
Companies that say they will make the deadline often have spent
heavily to do so. Munich-based Allianz said it has spent tens of
millions of euros to get ready for GDPR, including mobilizing
hundreds of privacy experts from 80 subsidiaries to make changes.
Among them: a redo of online insurance applications to avoid
requesting information, such as the applicant's profession, that is
unnecessary for an insurance quote.
"It has been a mammoth task," said Philipp Raether, the
company's group chief privacy officer.
Bossa Studios, a London-based videogame company with 90
employees, said it spent "dozens of thousands of dollars" on
consultants -- who concluded the company was GDPR-compliant and
didn't need to change anything, because it kept only simple data.
"It's quite a complex subject," Chief Executive Henrique Olifiers
said. "Even the consultants are trying to figure it out."
One of the law's thornier demands is that companies list all the
ways they gather and process personal information. French hotel
group Accor SA hired an outside vendor for an undisclosed sum to
build a map of all the ways it uses data, and then to keep that map
updated in case regulators come for an audit. "It's a never-ending
process," said Thomas Elm, Accor's data-protection officer.
U.S. airlines, which collect vast amounts of passenger data,
declined to discuss their preparations publicly. One airline
executive said the focus has been on creating an inventory of
personal data held on millions of members of frequent-flier
programs, as well as on how the data can be shared with third
parties such as online travel agencies. He appointed himself chief
data protection officer, a new position mandated by the new
rules.
"Companies are struggling with the concrete deliverables -- the
record of processing activities, the transfer agreements, the
notices, the website -- because of the sheer volume," said
Henriette Tielemans, a Brussels-based partner and data-protection
expert at law firm Covington & Burling. "But they're also
struggling with the more conceptual approaches, because this is not
how we've done business so far."
Executives at Mastercard realized last year that the credit-card
transaction data the firm analyzes, for instance to show purchasing
trends, might no longer be considered anonymous under GDPR. That
would mean the GDPR could potentially curtail how the data could be
used in the future, because the law limits use of personal
information for purposes other than those for which it was
collected.
So in March, Mastercard joined with International Business
Machines Corp. to set up an external trust that will hold and
anonymize the data, so Mastercard has no ability to reidentify
individuals from it. The trust, called Truata, aims to take on
other clients in addition to Mastercard, allowing them to keep data
anonymous while still analyzing it.
"Anonymized data provides another level of protection for
individuals," said JoAnn Stonier, Mastercard's chief data
officer.
New York-based online advertising broker AppNexus Inc., which
has about 30% of its business in Europe, has had to redo contracts
with European vendors and clients -- as well as with U.S. firms
that have business in Europe -- to account for the new law, said
Chief Executive Brian O'Kelley.
"We're now in what has been one of the biggest legal logjams in
global history," Mr. O'Kelley said. "My biggest concern is that
this won't be resolved in 10 days."
Even restaurants in the U.S. are worried about complying with
the law, because they gather and keep information about EU
residents who make reservations when traveling, said Kinesh Patel,
co-founder of SevenRooms, a reservation and guest-information
service. Bigger chains have been working on complying for some
time, but it has surprised some smaller restaurants, he said.
"Restaurants are not tech companies," Mr. Patel said, "but now
they're being asked to manage it like they are."
--Stu Woo, Nick Kostov and Doug Cameron contributed to this
article.
Write to Sam Schechner at sam.schechner@wsj.com and Natalia
Drozdiak at natalia.drozdiak@wsj.com
(END) Dow Jones Newswires
May 24, 2018 05:44 ET (09:44 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.