Across Europe, New Data Privacy Law Still Leaves Confusion

PRAGUE — The last thing Eva Škorničková says she expected two years ago was to face a barrage of insults on social media.

A Prague-based lawyer, Škorničková is a member of a Czech Republic government committee that evaluated data privacy reforms the European Union enacted this past May. In the run-up to the enforcement of the General Data Protection Regulation, or GDPR, Škorničková also began advising individuals and small companies on how to comply with what is now considered the world’s toughest regulatory standard overseeing how businesses are able to use personal data.

While many subscribers were grateful to learn about their newly acquired individual rights, others took exception. Companies in Europe are now required to define how they use personal data, grant individuals access to their data profiles and establish clear consent before collecting it. Those new rules set off a firestorm of criticism from people who posted on Škorničková’s blog.

“I was really not ready for these hate comments and vulgarities,” she says. “It was something that surprised me.”

Two months after the EU adopted a law hailed as a landmark achievement in the digital privacy age, hundreds of companies of all sizes both in this country and abroad are still scrambling to comply with a complex regulation many business representatives say they do not fully understand.

The GDPR applies to all EU member countries and also to any company outside the union that collects data on EU citizens. According to multiple reports released ahead of the law, at least 60 percent of companies were expected to be noncompliant with the regulation by the time it was enacted. Another estimate places that figure at 85 percent.

The EU rules have already affected the world’s largest social media platform. Executives at Facebook said last week the company’s shares plummeted last quarter and that profits will drop for several years, acknowledging the EU data privacy rules as a major factor.

While some EU member countries had anticipated the GDPR and enacted their own data protection laws, the Czech Republic is one of eight that still do not have any such laws. About one-fifth of Czech companies remain unaware of the regulation, according to a survey in May of nearly 500 firms conducted by the Czech Chamber of Commerce.

“Some companies have surprisingly no idea about GDPR at all,” says Lenka Ernestová, a data protection officer at Seznam.cz, one of the largest web portals in the Czech Republic.

“The law is certainly good at making companies aware of (digital privacy) and getting organized in areas that had been neglected previously,” Ernestová adds. “However, our industry finds it hard to fully understand some of the aspects since the definition of personal data is very broad and complex.”

Financial considerations also affect compliance with the GDPR. According to the Czech Chamber of Commerce study, the total cost of compliance for companies in the country is about $1.13 billion, with most businesses paying an average of about $2,276 each. Merely spending money, however, does not ensure compliance, especially with expertise lacking on the regulation.

Frustration is pervasive among Czech companies because of what business owners say is a law open to interpretation, says Miroslav Uďan, chief executive of the e-commerce development agency Shoptet. “As we noticed through our consultations with different companies, even big players in the market were confused and not totally sure how to work with it,” Uďan says.

Adds Škorničková: “Representatives from some companies thought I was pushing people to execute their rights without any reason, but really they are frustrated by the fact that they are not ready to answer the questions (about personal information) I am now eligible to ask.”

For Seznam, which runs a number of websites, making personal data available required revamping its services and resulted in the shuttering of one of its outdated but active social networking websites for classmates.

Companies also must factor in the GDPR’s hefty fine structure: Violators can be penalized as much as 4 percent of their global revenues, or 20 million euros ($23.4 million), whichever is larger. Such penalties will force increased compliance, with websites temporarily going dark or shutting down completely, says Derrick Cogburn, an associate professor in the School of International Service and in the Department of Information Technology and Analytics at American University in Washington.

“The fees are extraordinarily high and this legislation has a lot of teeth so companies won’t be able to flaunt this regulation easily,” Cogburn says. “Millions of dollars are at stake.”

According to a 2016 survey by U.K. tech research firm Vanson Bourne, 52 percent of U.S. companies possess data on EU citizens. Only 39 percent of the companies, however, expressed confidence in being able to track every instance of personal data in their systems.

Analysts say some small and medium-sized businesses in the EU that have limited resources to devote to compliance are taking unnecessary steps in an attempt to satisfy the law — from moving their data onto a cloud to sending consumers opt-in and consent agreements and email notifications.

“You only needed to pursue and get my opt-in again if the lawful processes have changed, which it hadn’t, or your processes had changed, which it probably hadn’t, so most of those emails were unnecessary, and most were wrong,” says Richard Hogg, global GDPR evangelist for IBM, adding that there is no formal compliance body able to certify whether a company is compliant or not.

Companies and government entities that process large quantities of personal data face even more dire consequences, as the rules now require them to have a data protection officer, an expensive proposition for many.

“One of the biggest impacts of GDPR, certainly in the U.K. is that local authorities have to have a data protection officer, so you are talking police stations, fire stations, hospitals and dentists,” says Richard Merrygold, a data privacy expert and director of group data protection at emergency repair service Homeserve. “Organizations that don’t have a lot of money are having to appoint a data protection officer and that requires training and education.”

A number of complaints from the public have already been filed against larger institutions since the GDPR’s implementation, says Andrea Jelinek, chairperson of the recently founded European Data Protection Board, a regional group of EU data protection authorities charged with enforcement of the GDPR.

Still, while many experts say it may take a few years until they are able to assess the new law’s effectiveness, the majority believe it will eventually return the ownership of privacy in Europe back to the public.

“Personal data is an important and integral part of our personal identity. Therefore, they represent a valuable and strategically important commodity for a wide range of subjects,” says Škorničková, the Prague lawyer. “Of these essentially contradictory interests, there is a need to establish a balance between them, and this is what the GDPR is trying to do.”


Across Europe, New Data Privacy Law Still Leaves Confusion originally appeared on usnews.com
