The EU's General Data Protection Regulation was officially implemented on May 25, 2018, but neither companies nor regulators seem to be ready for it.

2025/06/18 17:49:34 hotcomm 1749

The EU's General Data Protection Regulation (hereinafter referred to as GDPR) was officially implemented on May 25, 2018, but neither companies nor regulators seem to be ready for it.

After four years of deliberation, the EU officially passed the General Data Protection Regulation in 2016. At that time, the EU gave affected companies two years to bring themselves into line with the regulation's requirements. In theory, that should have been more than enough time, but the situation is still chaotic.

But this has also become an opportunity for some people to get rich. United Lex currently runs such a business, providing GDPR compliance services for enterprises. Jason Straight, Chief Privacy Officer of United Lex, said before the law officially came into effect: "On May 25, few companies can be 10% compliant. With the deadline approaching, most companies, especially U.S. companies, must have been running and busy last month." In April, half of the more than 1,000 companies surveyed by the Ponemon Institute said they would not be able to comply before the deadline. Broken down by industry, 60% of tech companies also said they were not ready.

GDPR includes a requirement to notify the regulator within 72 hours of a data breach, as well as a requirement to inform users in advance of the purposes for which their data will be used, among others. "For many years, companies have tried to get data from users as much as possible before considering how to use the data pattern, but this practice will be difficult to exist under the constraints of GDPR. However, if users are informed in advance of the use of data according to GDPR regulations, it is very likely that users will no longer agree to provide data."

But perhaps the GDPR requirement that gives every company the most trouble is to "respond to access requests from data subjects." EU residents have the right to request access to the personal information a company has collected about them. Users, the "data subjects" referred to in the GDPR, can request deletion and correction of their personal information, and can even require that the data be provided to them in the form of a file. But the data may be spread across 5 different servers and stored in many different formats. As a result, a large part of the work companies must do to meet GDPR is re-architecting their database infrastructure so that it can respond to such requests from users.

How companies re-architect the underlying databases is only part of the problem. In addition, the definition of "personal information" itself is not clear. Name, email, phone number, location data: these are obviously personal information. But other data is less clear-cut, Straight said. "If someone mentioned in an email 'the tall bald man living on East 18th Street', then that would be the information required by the GDPR."

To some extent, this outcome was inevitable. A year ago, 61% of companies had not started the related remediation work. Overall, European companies, especially those in countries such as Germany and the UK, were already subject to requirements that partially overlap with GDPR and have therefore had more time to adjust, Straight said. Still, a survey in January found that one in four London businesses don't even know what GDPR is.

Objectively speaking, GDPR is indeed a bit complicated. Alison Cool, a professor of anthropology and information science at the University of Colorado, wrote in the New York Times that the law is “very complex” and difficult to understand, and both scientists and data administrators “doubt that the ordinance cannot even be fully complied with.”

GDPR allows regulators to fine companies that violate the regulation up to 4% of their global revenue. If Amazon were penalized, the fine would be $7 billion. Interestingly, because companies like Amazon have huge revenues and relatively low profits, a 4% fine could cost them two years of profit.

American entrepreneur and venture capitalist Peter Thiel has therefore accused GDPR of being a protectionist law enacted by Europe. "There are no successful tech companies in Europe, they are jealous of the United States, so they want to punish us," he said in his March speech at the New York Economic Club.

Since most of GDPR's wording is vague, how it works in practice will depend on how the regulatory authorities handle it. Ultimately we will see whom the regulators pursue, what penalties they impose for which behavior, and how large the fines are.

The current general expectation is that when the deadline arrives, European regulators will handle it flexibly and will not put too much pressure on companies in the short term. But regulators do not have complete control over how things play out on May 25, because part of GDPR is user-driven.

If an EU resident submits a data access request, the company has 30 days to respond. If a company receives such a request but still does not fully comply with GDPR standards and cannot respond, the resident can file a complaint with the local regulator.

GDPR requires regulators to take measures to enforce the law. Even if they do not impose a 4% fine, they can't sit idly by and ignore the complaint. "If regulators receive 10,000 complaints in the first month, they are in trouble," Straight said. Seventeen of the 24 European regulators surveyed by Reuters in early May said they are not ready to implement the new law because they do not have the funds or authority to perform their duties.

Regulators face another difficulty when it comes to GDPR's data breach notification requirements. A company must notify the relevant data protection agency within 72 hours of discovering a data breach, but the regulators are not completely clear about what comes next. Regulators may not be ready to audit the company's security efforts or take measures to protect affected EU residents. Even if regulators have some flexibility in how to respond, the GDPR won't allow them to do nothing.

GDPR applies only to the EU and EU residents, but because many companies conduct business in Europe, the US technology industry is busy adapting. Although it is foreseeable that problems will arise in the early stages of GDPR implementation, the regulation marks a huge change in the way data is processed worldwide. It is hoped that as companies and regulators gradually get on track, the privacy protections strengthened by GDPR will become the norm.
