Here Come the New EU Rules on Data Privacy
Many U.S. companies may think they don’t have to worry about them. But, as Justin Antonipillai and Ajay Arora explain, they do.
About five months from now, sweeping new privacy regulations are taking effect in Europe, and they will reverberate far beyond the EU. What do U.S. companies need to do to prepare for the General Data Protection Regulation?
The Wall Street Journal’s Jeff Stone spoke with two experts to get a handle on the issues: Justin Antonipillai, founder and chief executive of WireWheel and previously acting undersecretary at the Department of Commerce; and Ajay Arora, CEO and co-founder of data-security firm Vera.
Here are edited excerpts.
Background on GDPR
MR. STONE: One of the things I was hoping you could help us understand is how and why these rules came about.
MR. ANTONIPILLAI: I came into the Obama administration into the agency that was the lead for privacy rights after the Snowden disclosures. What we saw is that privacy isn’t one of these things that you’re going to see at the lower end of the priority chain.
It has become a trade issue. It has become an issue that comes up as a market issue. And for folks that are on the security side, it is going to be a critical part of your portfolio for the next couple of years.
MR. ARORA: This is an extension of what the EU already has had in place since about 1994. They’ve been talking about taking it to the next level and making it more modern for many years. Even the mind-set of U.S. corporations versus EU corporations is very different. In the EU, they have chief privacy officers. In the U.S., we have chief security officers.
The tendency to look at cybersecurity here is from a “How am I protecting my corporate data from the outside world?” approach. In the EU, it is more about privacy of the individual. They’re at conflict.
U.S. companies are going to have to understand that it isn’t just a change in technology or even process.
MR. STONE: Which industries in the U.S. are going to be hit the hardest when GDPR comes into place?
MR. ANTONIPILLAI: It is kind of everybody, but the ones that will be really a focus are financial services, health care, advertising analytics.
The reason this is going to hit so many isn’t just that the fines are so massive. It is that there are thousands of companies that have no idea that you’re actually covered by this law. Under old European law, if you kept the data in Europe it was covered under European law, and if you kept it in the U.S., you were under U.S. law.
Now, it is if you offer a service in Europe, which could be as little as offering your app in the EU app store. So there are going to be companies located in Silicon Valley, and they’re directly covered by this.
In addition, if you do certain kinds of things, you actually have to hire an independent auditor that works for your company whose entire job is to make sure you’re compliant with this law.
MR. ARORA: The number one thing I hear is that the initial reaction is, “That is an EU thing. I don’t have to worry about it.” But it is a very low bar to be able to say that you’re subject to the GDPR as opposed to the previous safe-harbor acts, because you could just be a processor of data. You might have any kind of data that you contain, any kind of analytics information that you contain. There is a right to notify. There is a right for the individual to be able to withdraw from it.
The wake-up call is saying that, “You don’t have to be doing direct business with an organization in the EU. If any part of what you’re doing touches some individual data there, then you are subject to the governance of the GDPR.”
And the regulators I’ve spoken to have stated very clearly they will make examples of companies. Large, medium and small, within the EU and outside of it, because they want to make sure.
[Chart: Ready or Not. Where companies in the U.S., U.K. and Japan stood this summer in preparing for the European Union’s General Data Protection Regulation, and what it cost them. Two panels: “Amount spent by those that finished preparations” (categories: less than $1 million; $1 million to $5 million; more than $10 million) and “Stages of preparation” (categories: completed assessment; started operationalizing preparations; finished operationalizing preparations). The percentage values cannot be reliably matched to their categories in this copy and are omitted.]