Got $1 Million? You're That Much Closer to Being GDPR Compliant


Privacy protections coming from the E.U. are set to ring up big bills for companies around the globe. Credit: iStock

Savvy businesses are spending serious money to comply with new online privacy regulations out of Europe.

Come May 25, any company that interacts with or does business online with consumers in Europe, including publishers, retailers and brands based in the U.S., must be compliant with the E.U.'s General Data Protection Regulation and ePrivacy laws, which require companies to get explicit consent for the ways they use consumers' data.

Those who fail to comply will be hit with a fine that's 4 percent of annual revenue or $25 million, whichever is higher.

Now, 48 percent of data and compliance decision makers recently surveyed at companies in the U.S., the U.K., Germany and France have allocated at least $1 million to meet the requirements—33 percent setting aside $1 million to $5 million for the purpose and 15 percent earmarking over $5 million.

That's according to a survey of 263 executives by Forrester Consulting on behalf of Evidon. It does not include estimated costs of staying in compliance over time.

The figures will rise once new hires, legal fees and ongoing compliance get factored in, says Jessica Lee, a lawyer at Loeb & Loeb who works with digital media companies in areas like marketing and privacy.

Lee herself has been operating in the trenches since GDPR was passed about two years ago.

"The first trend we're seeing is panic," Lee says. "For publishers and brands who have a direct relationship with consumers, there are concerns about the level of transparency and specificity needed to obtain consent to the data processing activities they rely on to build their audience, reach their consumers and, in some cases, to provide their services."

"For the companies who rely on third-party data, there are real concerns about whether their current business model will continue to work," Lee adds. "In terms of preparation—once panic subsides—many companies, some for the first time, are investing time in understanding the flow of data at an enterprise-wide level."

The E.U.'s expectations are also pushing media companies to button up their internal data and governance programs.

"This wasn't an area that some companies were willing to invest time or money in the past, but the potential for fines and PR damage under the GDPR is turning data governance into a business priority," Lee says. "There is also a marketing piece. Companies with clients in the E.U. are working to give their clients comfort that they will continue to be a safe and trusted vendor and partner after May 2018."

The Forrester and Evidon survey found that roughly 46 percent of respondents have been preparing for GDPR for more than a year. About 28 percent have spent less than a year getting ready.

"Organizations who are just turning to GDPR compliance or who have recently begun their work towards compliance will have to understand that 100 percent compliance may be unrealistic before May 2018," says Lee. "I think there has to be an acceptance that they may not be able to achieve full compliance by May 2018, but if they focus on the high-risk areas first they can significantly reduce their risks."

Still, many of these outfits have also enlisted the services of lawyers like Lee as well as consultants to help them navigate the new regulation: About 44 percent of businesses are turning to vendors specializing in privacy certification and risk management.

"If you've been told to wait and see if digital governance is actually going to apply to you, you've gotten some bad advice and you are very far behind," says Scott Meyer, president at Evidon. "You need to quickly do a data mapping exercise to understand what personal data you have across the enterprise, followed by which vendors were relying on your data and what kind of data they have access to."

"Publishers starting today need to put a plan in place over the next six months to ensure that your user experience aligns with the GDPR and ePrivacy directive," he added.
