A sweeping data privacy law known as the General Data Protection Rule (GDPR) goes into effect across the EU today.
While businesses have had two years to prepare for the new rules, a recent survey from data analytics firm SAS found only 49 percent of companies worldwide said they will meet the deadline to comply.
“I think a lot of companies are kind of sitting on their hands and seeing, well, how does this play out?” said David Smith, head of GDPR technologies at SAS UK & Ireland.
Now, with GDPR officially in effect, companies and individuals in the data management space are taking advantage of big business opportunities.
“It’s good news for people like me,” said Tamzin Evershed, global data privacy lead at Veritas Technologies, a US-headquartered data management firm. “We need more and more people who really understand how data protection and privacy really works.”
Evershed has spent the past two years preparing for GDPR, working with Veritas’ IT and legal teams around the world. “It’s actually quite complicated and many people are having to come up to speed really quickly,” she said.
GDPR requires public administrations and companies whose core activities involve processing sensitive data to hire a data protection officer, whose duties include notifying authorities within 72 hours of any data breach. Evershed said the new rules will require many companies to “bite the bullet” on hiring chief data officers.
“We’ve always historically had compliance departments, we’ve historically had IT departments, what we’re missing are the people in the middle who manage the data,” she said.
GDPR aims to give individuals more rights over their personal data, like the so-called “right to be forgotten” and the right to be informed. Regulators say the rules will harmonize data privacy laws across the European Union and provide a template for other countries looking to protect individuals’ personal data.
But experts said the law’s requirements have been burdensome for many companies struggling to find and label personal information in their databases.
“You can go to any organization and ask them for a copy of what data they hold on you, as well as a lot more detail on what they’ve done with it, where they got it from, who they shared it with,” SAS’ Smith said. “That is a real hard process for some organizations.”
Firms that don’t comply with GDPR face fines of up to 20 million euros ($23.5 million) or 4 percent of global annual turnover, whichever is bigger.
The high stakes have helped drive user growth at London-based startup Ohalo, which offers “x-ray” scans to locate and track personal data. CEO Kyle DuPont said 80 to 90 percent of his company’s business is GDPR-related.
“We found that before you can track data, most people didn’t even know where their sensitive data was,” DuPont said.
DuPont said his business has had growing interest from American companies in the past month. Foreign companies that offer goods or services in the EU are required to comply with GDPR.
“They can either do two things: They can pull out of Europe completely or they can try to fix the problems,” DuPont said.
Veritas’ Evershed added that today’s deadline is just the beginning for jobs like hers.
“I’m not expecting that my workload will go down, in fact, I think it will just start because I know my customers are waking up to it now,” she said.