Business surveys show between 60% and 85% of companies say they don’t expect to be in full compliance by Friday’s deadline
As Europe’s new privacy law, known as GDPR, is set to take effect Friday, the focus has been on expected battles with technology giants such as Facebook Inc. and Alphabet Inc.’s Google. But the law’s impact is far broader.
The new General Data Protection Regulation is forcing hundreds of thousands of companies—multinationals such as Mastercard Inc. and insurer Allianz SE, but also small manufacturers and even restaurants—to change how they gather and handle information about Europeans, even if the companies have no physical footprint in Europe.
Many firms aren’t fully prepared, privacy lawyers and consultants say. Some have spent millions of dollars to get ready for Friday, the day regulators begin enforcing the law.
“I don’t think that we as a company realized the full magnitude of what the law would require,” said Paul Delson, chief compliance officer for First Solar Inc., a Tempe, Ariz., solar-panel maker. The company has hurried to draft new policies around the use of employee and customer data and map how it uses it. At first, he said, “I think there was some bit of, ‘Well that’s a European law, and we’re an American company.’ ”
The GDPR creates or toughens many obligations for firms, such as minimizing the information they collect. And it gives individuals new or expanded rights including, in many instances, the right to see, correct or delete personal information about themselves.
Firms are responsible for showing they are following the rules, and they risk fines of as much as 4% of their global revenue or €20 million ($23.4 million), whichever is larger, if they fail to comply. Regulators are unlikely to look kindly on tardiness, because enforcement of the law, passed in 2016, was delayed two years to give companies time.
“There was no hidden agenda,” said Andrea Jelinek, who is expected to lead a new European Union board of national data-protection regulators starting on Friday. “If and how far companies are behind in implementing the law, we will see,” she added.
Business surveys show between 60% and 85% of companies say they don’t expect to be fully compliant by Friday. In March and April, only half of businesses said they were even “largely compliant,” according to a survey of 1,000 businesses conducted by consulting firm Capgemini SE.
“These are substantial programs consisting of multiple projects that sometimes take years to complete,” said Willem de Paepe, who runs Capgemini’s GDPR-compliance practice.
Companies that say they will make the deadline often have spent heavily to do so. Munich-based Allianz said it has spent tens of millions of euros to get ready for the GDPR, mobilizing hundreds of privacy experts from 80 subsidiaries to make changes including a redo of online insurance applications to avoid requesting information—such as an applicant’s profession—that is unnecessary for an insurance quote. “It has been a mammoth task,” said Philipp Raether, the company’s group chief privacy officer.
Bossa Studios Ltd., a London-based videogame company with 90 employees, said it spent “dozens of thousands of dollars” on consultants—who concluded the company was GDPR-compliant and didn’t need to change anything, because it kept only simple data. “It’s quite a complex subject,” Chief Executive Henrique Olifiers said. “Even the consultants are trying to figure it out.”
One of the law’s thornier demands is that companies list how they gather and process personal information. French hotel group Accor SA hired an outside vendor for an undisclosed sum to build a map of all the ways it uses data, and then to keep that map updated in case regulators come for an audit. “It’s a never-ending process,” said Thomas Elm, Accor’s data-protection officer.
U.S. airlines, which collect vast amounts of passenger data, declined to discuss their preparations publicly. One airline executive said the focus has been on creating an inventory of personal data held on millions of members of frequent-flier programs, as well as on how the data can be shared with third parties such as online travel agencies. He appointed himself chief data protection officer, a new position mandated by the new rules.
“Companies are struggling with the concrete deliverables—the record of processing activities, the transfer agreements, the notices, the website—because of the sheer volume,” said Henriette Tielemans, a Brussels-based partner and data-protection expert at law firm Covington & Burling LLP. “But they’re also struggling with the more conceptual approaches, because this is not how we’ve done business so far.”
Executives at Mastercard realized last year that the credit-card transaction data the company analyzes, for instance to show buying trends, might no longer be considered anonymous under the GDPR. That would mean the GDPR could potentially curtail how the data could be used in the future, because the law limits use of personal information for purposes other than those for which it was collected.
In March, Mastercard joined with International Business Machines Corp. to set up an external trust that will hold and anonymize the data, so Mastercard has no ability to reidentify individuals from it. The trust, called Truata, aims to take on other clients in addition to Mastercard, allowing them to keep data anonymous while still analyzing it. “Anonymized data provides another level of protection for individuals,” said JoAnn Stonier, Mastercard’s chief data officer.
New York-based online advertising broker AppNexus Inc., which has about 30% of its business in Europe, has had to redo contracts with European vendors and clients—as well as with U.S. companies that have business in Europe—to account for the new law, CEO Brian O’Kelley said.
“We’re now in what has been one of the biggest legal logjams in global history,” Mr. O’Kelley said. “My biggest concern is that this won’t be resolved in 10 days.”
Even restaurants in the U.S. are worried about complying with the law, because they gather and keep information about EU residents who make reservations when traveling, said Kinesh Patel, co-founder of SevenRooms, a reservation and guest-information service. Bigger chains have been working on complying for some time, but it has surprised some smaller restaurants, he said. “Restaurants are not tech companies,” he said, “but now they’re being asked to manage [data] like they are.”
—Stu Woo, Nick Kostov and Doug Cameron contributed to this article.