They’re racing to the starting line.
Tech companies, large and small, are scrambling with last-minute preparations for compliance with the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25.
Some are shuddering over fears of impending chaos–not to mention stiff fines–from tech’s Day of Reckoning in Europe, but many are embracing it as an opportunity.
Some 76% see it as a chance to create new business opportunities through improved data practices with clients, yet only 36% expect to be fully compliant with GDPR rules, according to an IBM survey of 1,500 business leaders worldwide that was released today. (For example, 31% of respondents said their company had updated its incident-response measures to comply with GDPR’s requirement to report data breaches to relevant authorities within 72 hours.)
GDPR is the “biggest disruptive force” to impact data security in business models across industries, Cindy Compert, chief technology officer, data security and privacy, at IBM Security, tells Barron’s. “It is regulation with teeth at a time when consumer awareness and attitudes have changed” on data security and privacy, she says.
For many, the solution has been simple: 70% of organizations say they are disposing of data in advance of GDPR, and 80% are reducing the amount of personal data they plan to keep, according to the IBM survey.
“[Companies] are doing spring cleaning,” Compert says.
Time, money and customers are of the essence as tech companies stare down the strict new regulations overseas. The European Union-mandated regulations, designed to protect consumer privacy and security, are forcing enterprise companies and small businesses to revamp their approach to data collection. If they don’t comply, they face fines of up to 4% of a company’s world-wide revenue for serious infractions or 20 million euros–whichever is higher.
And they face a wary public. Only 20% of U.S. consumers “completely trust” organizations they interact with to maintain the privacy of their data, according to another survey of 10,000 people, conducted by the Harris Poll on behalf of IBM (IBM).
While GDPR has been a four-letter word for some companies—cross-device identity firm Drawbridge and mobile-marketing platform Verve decided to drop out of the EU—others have been in furious preparation.
Companies such as Facebook (ticker: FB) that rely heavily on user data collection and analysis have taken steps to minimize the damage. In a tweak to its terms and conditions before the law goes into effect, Facebook is shifting responsibility for all users outside the U.S., Canada, and the EU—some 1.5 billion—from its international headquarters in Ireland to its main offices in Menlo Park, Calif. Ostensibly, those users will be governed by U.S. law rather than Irish law. (Evercore ISI Research analyst Anthony DiClemente recently trimmed his 2019 revenue estimates for Facebook by 1.5% and lowered his target price of its shares to $200 from $205.)
Facebook has been particularly vigilant of late on data security, after it was revealed that data belonging to 87 million of its members was harvested by political consultancy Cambridge Analytica, which worked on Donald Trump’s 2016 presidential election campaign. Earlier this week, Facebook announced the deletion of hundreds of million pieces of spam, fake accounts, hate speech, nudity, violent content and terrorist content.
Late Wednesday, Antonio Tajani, president of the European Parliament, said Facebook CEO Mark Zuckerberg will address members of Parliament as early as next week to discuss privacy and Cambridge Analytica.
“It’s clear that the importance of data security and privacy are key cornerstones of building trust with business partners and customers,” Twilio (TWLO) Chief Executive Jeff Lawson tells Barron’s.
Nearly half (46%) of 331 managers polled by RSA Security said they named a chief data protection officer to comply with GDPR. This shouldn’t come as a surprise, since 52% of companies in the same poll “anticipate technical security challenges.”
“This is a global priority for companies and not just Europe,” Rob Glickman, chief marketing officer for customer-data platform Treasure Data, tells Barron’s. It is helping more than 300 large companies, two-thirds of them in Japan, get up to speed on GDPR.
Tech start-up Harvesting, which has built a credit-risk system for farmers in emerging markets, is automating its process of identifying sensitive personal and financial information when that data is uploaded, and notifying users. Users can choose to remove some data manually or let Harvesting’s system automatically handle it.
Assembla, a source-code management platform, was “lucky” to have a skilled security team in place to meet compliance, company CEO Paul Lynch, tells Barron’s. “If you don’t, Good Lord, go out and hire them,” he says.
It’s an era of “trust tension,” in which the personalized experience that companies strive to deliver are colliding with heightened trust, Glickman cautions.
And it isn’t strictly an issue with the EU. There are 28 data-privacy regulatory entities in Europe, and rules similar to GDPR are under consideration from California to Israel. “These are the consequences of the data age,” Lynch says. “If you don’t comply, the consequences can be devastating.”
Sign up to Review & Preview, a new daily email from Barron’s. Every evening we’ll review the news that moved markets during the day and look ahead to what it means for your portfolio in the morning.