Tech companies are already counting the cost of sweeping EU rules on data protection that will not be introduced until next year.
A Financial Times survey has revealed that the sector is scrambling to hire new staff and redesign products as it faces millions of dollars in higher costs and lost revenues.
The FT contacted 20 of the largest social media, software, financial technology and internet companies with EU operations, about the bloc's new General Data Protection Regulation. It comes into effect next May and will require businesses to adopt stricter standards for dealing with customer data.
Facebook was one of three companies to say that initial compliance would cost several million dollars. Others said they faced having to hire extra staff and consultants to implement changes so that customers could delete information, or export it in a format compatible with rival services.
Though costs are small relative to the global annual turnover of multinational companies, technology groups suggested GDPR could be one of the most expensive pieces of regulation in the sector's history.
"We have now assembled the largest cross-functional team in the history of the Facebook family of companies," a spokesperson for Facebook said. "Dozens of people at Facebook Ireland are working full time on this effort."
"Facebook Ireland's data protection team will be growing by 250 per cent this year in order to support the GDPR . . . It is hard for us to put an exact figure on it, but when you take into account the time spent by our existing teams, the research and legal assessments and the fact that we have had to pull in teams from product and engineering, it is likely to be millions of dollars."
The EU's market for monetised data amounted to revenues of €59.5bn in 2016, according to research for the European Commission by IDC and Open Evidence, and is the backbone of a technology industry that has increasingly turned to personal information for new product ideas and advertising revenues.
However, GDPR will radically alter how these data can be collected, stored and deleted. "Consumers are becoming increasingly sophisticated and wary of their privacy rights," said Paul Jordan, European managing director at the International Association of Privacy Professionals. "At the heart of GDPR is consumer protection."
The rules will require companies to ask for explicit consent before using personal information, creating challenges for those that have hidden behind long and confusing privacy policies. They will also impose a strict 72-hour deadline for identifying and reporting security breaches.
Under the new rules, consumers will have a right to be forgotten and to withdraw consent, which means they could request that data be completely deleted from computer servers. This will cause problems for technology companies that share data and for the cloud service providers, such as Microsoft, Amazon, IBM and Google, which host information in data centres on behalf of other companies.
According to Duncan Brown, associate vice-president of European security at IDC, most cloud companies are unprepared, because until now, customer data has largely been the responsibility of "data controllers" — the companies that collect personal information — rather than the "data processors" that service it.
"Cloud providers are severely impacted by this, because they are processing data for customers, whether they know it or not," he said. "Until now, the nature of many cloud providers has been that they don't want to know what data they have."
GDPR will give regulators the power to fine businesses €20m or up to 4 per cent of their previous year's global turnover, whichever is higher. The regulations will be integrated into UK law after Brexit, in a new data protection bill.
"The rules are stringent and that is something that definitely has a business impact," said an executive at a US-based software company. "To get those systems where they should be is expensive."
Only six of the companies contacted by the FT — Facebook, Microsoft, TransferWise, Funding Circle, HPE and Cisco — confirmed they had a board member directly responsible for data privacy compliance, which is seen by regulators as a sign of readiness for GDPR. Deliveroo said a group of experts would report to its board, but did not give details. Julian David, chief executive of TechUK, the industry body, said board level oversight was crucial for companies to avoid fines and class action lawsuits once the rules were enforced: "Companies should have been doing this at board level for some time, but we have a feeling that some aren't," he said.