No one’s ready for GDPR

The General Data Protection Regulation will go into effect on May 25th, and no one is ready — not the companies and not even the regulators.

After four years of deliberation, the General Data Protection Regulation (GDPR) was officially adopted by the European Union in 2016. The regulation gave companies a two-year runway to get compliant, which is theoretically plenty of time to get shipshape. The reality is messier. Like term papers and tax returns, there are people who get it done early, and then there’s the rest of us.

In today’s meeting with the European Parliament, Mark Zuckerberg said Facebook would be GDPR compliant by the deadline, but if so, the company would be in the minority. “Very few companies are going to be 100 percent compliant on May 25th,” says Jason Straight, an attorney and chief privacy officer at United Lex, a company that sets up GDPR compliance programs for businesses. “Companies, especially US companies, are definitely scrambling here in the last month to get themselves ready.” In a survey of over 1,000 companies conducted by the Ponemon Institute in April, half of the companies said they won’t be compliant by the deadline. When broken down by industry, 60 percent of tech companies said they weren’t ready.

GDPR is an ambitious set of rules spanning from requirements to notify regulators about data breaches (within 72 hours, no less) to transparency for users about what data is being collected and why. “For many years it’s been, ‘How much data can we trick people into giving us?’ and ‘We’ll figure out how to use it later!’ That is not going to be an acceptable way to operate anymore under GDPR,” says Straight.

“There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place,’” Straight says. “I’m kind of like, ‘Yeah, that’s sort of the point.’”

But perhaps the GDPR requirement that has everyone tearing their hair out the most is the data subject access request. EU residents have the right to request access to review personal information gathered by companies. Those users — called “data subjects” in GDPR parlance — can ask for their information to be deleted, to be corrected if it’s incorrect, and even get delivered to them in a portable form. But that data might be on five different servers and in god knows how many formats. (This is assuming the company even knows that the data exists in the first place.) A big part of becoming GDPR compliant is setting up internal infrastructures so that these requests can be responded to.

Part of the problem is how companies are set up, and part of it is that “personal information” is a wishy-washy category. Names, email address, phone numbers, location data — those are the obvious ones. But then there’s more ambiguous data, like “an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR,” says Straight.

For companies that have operated under the principle of “extract as much data as possible and figure it out later,” reorganizing under GDPR is a lot like an episode of Hoarders, especially one of those episodes where the hoarder doesn’t finish cleaning and everyone sort of falls apart crying at the end.

This is, in some ways, an inevitable outcome. A year ago, 61 percent of companies had not even started GDPR implementation. Straight says that, on the whole, European companies — especially those in countries like Germany and the UK, where there are preexisting privacy laws that overlap with GDPR — have had a better time adjusting. (Still, a survey in January of this year found that a quarter of London businesses didn’t even know what GPDR was.)

To be fair, GDPR as a whole is a bit complicated. Alison Cool, a professor of anthropology and information science at the University of Colorado, Boulder, writes in The New York Times that the law is “staggeringly complex” and practically incomprehensible to the people who are trying to comply with it. Scientists and data managers she spoke to “doubted that absolute compliance was even possible.”

It’s not a pleasant position to be in, because GDPR can allow regulators to fine companies up to 4 percent of their global revenue for violations of GDPR. To put that in perspective, a 4 percent fine on Amazon would be $7 billion. (Interestingly, since a company like Amazon reports huge revenues and relatively small profits, a 4 percent fine could cost them over two years of profit.)

GDPR’s heavy punch might have goaded Peter Thiel into accusing Europe of enacting a protectionist legal regime. “There are no successful tech companies in Europe and they are jealous of the US so they are punishing us,” Thiel said at a talk at the Economic Club of New York back in March.

Because much of GDPR is ambiguous, how it will work in practice is up to what regulators do with it. Eventually, norms will emerge: who the regulators will go after, what kind of penalties they’ll levy for what kind of behavior, and how much of that 4 percent of global revenue they’ll extract from offenders.

The general assumption is that when the deadline hits, European regulators will treat it as a soft opening, going easy on companies for a honeymoon period while everyone figures out how the law is going to work. But regulators can’t entirely control what’s going to happen on May 25th because parts of the GDPR are user-driven.

If an EU resident submits a data subject request, a company has 30 days to respond. Say a company gets one of these requests, but they still aren’t completely GDPR-compliant and literally incapable of responding. If the company fails to respond, the data subject can then file a complaint with their local regulator.

The GDPR requires the regulator to do something to enforce the law. It might not be a 4 percent fine, but they can’t just forward the complaints straight to the wastebasket. “If they get hit with 10,000 complaints in the first month, they’re going to be in trouble,” says Straight. Seventeen of 24 European regulators surveyed by Reuters earlier this month said they weren’t ready for the new law to come into effect because they didn’t yet have the funding or the legal powers to fulfill their duties.

Another GDPR provision that might strain regulatory resources is the data breach notification requirement. Companies are required to notify a relevant data protection authority within 72 hours of discovery, but what the regulator does afterward is not entirely clear. Regulators may not be ready to audit a company’s security or figure out exactly what to do to protect EU residents affected by the breach. But still, they have to do something. They might have some flexibility on how to respond, but the GDPR won’t allow them to do nothing.

GDPR is only supposed to apply to the EU and EU residents, but because so many companies do business in Europe, the American technology industry is scrambling to become GDPR compliant. Still, even though GDPR’s big debut is bound to be messy, the regulation marks a sea change in how data is handled across the world. Americans outside of Europe can’t make data subject access requests, and they can’t demand that their data be deleted. But GDPR compliance is going to have spillover effects for them anyway. The breach notification requirement, especially, is more stringent than anything in the US. The hope is that as companies and regulatory bodies settle into the flow of things, the heightened privacy protections of GDPR will become business as usual. In the meantime, it’s just a mad scramble to keep up.