By Sam Schechner and Natalia Drozdiak 

As Europe's new privacy law, known as GDPR, is set to take effect Friday, the focus has been on expected battles with tech giants like Facebook Inc. and Alphabet Inc.'s Google. But the law's impact is far broader.

The new General Data Protection Regulation is forcing hundreds of thousands of companies -- multinationals like Mastercard Inc. and insurer Allianz SE, but also small manufacturers and even restaurants -- to change how they gather and handle information about Europeans, even if the companies have no physical footprint in Europe.

Many firms aren't fully prepared, privacy lawyers and consultants say. Some have spent millions of dollars to get ready for Friday, the day regulators begin enforcing the law.

"I don't think that we as a company realized the full magnitude of what the law would require," said Paul Delson, chief compliance officer for First Solar Inc., a Tempe, Ariz., solar-panel manufacturer. The company has hurried to draft new policies around the use of employee and customer data and to map how it uses that data. At first, he said, "I think there was some bit of, 'Well that's a European law, and we're an American company.' "

The GDPR creates or toughens many obligations for companies, such as minimizing the information they collect. And it gives individuals new or expanded rights including, in many circumstances, the right to see, correct or delete personal information about themselves.

Firms are responsible for showing they are following the rules, and they risk fines of up to 4% of their global revenue or EUR20 million ($23.4 million), whichever is larger, if they fail to comply. Regulators are unlikely to take a kind eye to tardiness, because enforcement of the law, passed in 2016, was delayed two years to give companies time.

"There was no hidden agenda," said Andrea Jelinek, who is expected to head a new EU board of national data-protection regulators starting on Friday. "If and how far companies are behind in implementing the law, we will see."

Business surveys show between 60% and 85% of companies say they don't expect to be fully compliant by Friday. In March and April, only half of businesses said they were even "largely compliant," according to a survey of 1,000 businesses conducted by consulting firm Capgemini SE.

"These are substantial programs consisting of multiple projects that sometimes take years to complete," said Willem de Paepe, who runs Capgemini's GDPR-compliance practice.

Companies that say they will make the deadline often have spent heavily to do so. Munich-based Allianz said it has spent tens of millions of euros to get ready for GDPR, including mobilizing hundreds of privacy experts from 80 subsidiaries to make changes, among them a redo of online insurance applications to avoid requesting information, such as the applicant's profession, that is unnecessary for an insurance quote.

"It has been a mammoth task," said Philipp Raether, the company's group chief privacy officer.

Bossa Studios, a London-based videogame company with 90 employees, said it spent "dozens of thousands of dollars" on consultants -- who concluded the company was GDPR-compliant and didn't need to change anything, because it kept only simple data. "It's quite a complex subject," Chief Executive Henrique Olifiers said. "Even the consultants are trying to figure it out."

One of the law's thornier demands is that companies list all the ways they gather and process personal information. French hotel group Accor SA hired an outside vendor for an undisclosed sum to build a map of all the ways it uses data, and then to keep that map updated in case regulators come for an audit. "It's a never-ending process," said Thomas Elm, Accor's data-protection officer.

U.S. airlines, which collect vast amounts of passenger data, declined to discuss their preparations publicly. One airline executive said the focus has been on creating an inventory of personal data held on millions of members of frequent-flier programs, as well as on how the data can be shared with third parties such as online travel agencies. He appointed himself chief data protection officer, a new position mandated by the new rules.

"Companies are struggling with the concrete deliverables -- the record of processing activities, the transfer agreements, the notices, the website -- because of the sheer volume," said Henriette Tielemans, a Brussels-based partner and data-protection expert at law firm Covington & Burling. "But they're also struggling with the more conceptual approaches, because this is not how we've done business so far."

Executives at Mastercard realized last year that the credit-card transaction data the firm analyzes, for instance to show purchasing trends, might no longer be considered anonymous under GDPR. That would mean the GDPR could potentially curtail how the data could be used in the future, because the law limits use of personal information for purposes other than those for which it was collected.

So in March, Mastercard joined with International Business Machines Corp. to set up an external trust that will hold and anonymize the data, so Mastercard has no ability to reidentify individuals from it. The trust, called Truata, aims to take on other clients in addition to Mastercard, allowing them to keep data anonymous while still analyzing it.

"Anonymized data provides another level of protection for individuals," said JoAnn Stonier, Mastercard's chief data officer.

New York-based online advertising broker AppNexus Inc., which has about 30% of its business in Europe, has had to redo contracts with European vendors and clients -- as well as with U.S. firms that have business in Europe -- to account for the new law, said Chief Executive Brian O'Kelley.

"We're now in what has been one of the biggest legal logjams in global history," Mr. O'Kelley said. "My biggest concern is that this won't be resolved in 10 days."

Even restaurants in the U.S. are worried about complying with the law, because they gather and keep information about EU residents who make reservations when traveling, said Kinesh Patel, co-founder of SevenRooms, a reservation and guest-information service. Bigger chains have been working on complying for some time, but it has surprised some smaller restaurants, he said.

"Restaurants are not tech companies," Mr. Patel said, "but now they're being asked to manage it like they are."

--Stu Woo, Nick Kostov and Doug Cameron contributed to this article.

Write to Sam Schechner at sam.schechner@wsj.com and Natalia Drozdiak at natalia.drozdiak@wsj.com

 

(END) Dow Jones Newswires

May 24, 2018 05:44 ET (09:44 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.