Lars Andersen’s business handles some of the most sensitive data there is — the names and phone numbers of children. The owner of London-based My Nametags, which makes personalized nametags to iron into children’s clothing, says protecting that information is fundamental to his business, which operates in 130 countries. But starting Friday, My Nametags and most other companies that collect or process the personal information of EU residents must take a number of extra precautions to comply with the new General Data Protection Regulation, which the EU calls the most sweeping change in data protection rules in a generation.
While the legislation has been applauded for tackling the thorny question of personal data privacy, the rollout is also causing confusion. Companies are trying to understand what level of protection different data needs, whether this could force them to change the way they do business and innovate, and how to manage the EU’s 28 national data regulators, who enforce the law. “Once you try to codify the spirit (of the law) — then you get unintended consequences,” Andersen said. “There’s been a challenge for us: What actually do I have to do? There are a million sort of answers.”
That uncertainty, together with stiff penalties for violating the law, has convinced internet-based businesses such as Unroll.me, an inbox management firm, and gaming company Ragnarok Online to block EU users from their sites. Pottery Barn, an arm of San Francisco-based housewares retailer Williams-Sonoma Inc, said it would no longer ship to EU addresses. The Los Angeles Times newspaper said it was temporarily putting its website off limits in most EU countries. The implementation of GDPR has also made data protection an issue in contract negotiations as firms argue about how to divvy up responsibility for any data breach.
“Deals are being held up by data protection,” said Phil Lee, a partner in privacy security and information at Fieldfisher, a law firm with offices in 18 EU cities. “If something goes wrong, what happens?”
EU countries themselves aren’t quite ready for the new rules. Less than half of the 28 member states have adopted national laws to implement GDPR, though the laggards are expected to do so in the next few weeks, according to WilmerHale, an international law firm. As with most EU-wide regulations, enforcement of the new data protection rules falls to national authorities. While the EU stresses that the law applies to everyone, one of the big outstanding questions is whether regulators will go after any entity that breaks the law or simply focus on data giants like Google and Facebook. Lawyers also say it isn’t yet clear how regulators will interpret the sometimes general language written into the law. For example, the law says processing of personal data must be “fair” and data should be held “no longer than necessary.”
“It’s time to put on your seatbelt and check your airbag,” said D Reed Freeman Jr, a privacy and cybersecurity expert at WilmerHale. “It’s kind of like a lift-off with a rocket. It’s about to launch.”
Andersen of My Nametags said the law has already caused problems for his business. He has been advised that the company website in the Netherlands has to be different from the one in the UK because the two countries are likely to apply the law differently, and has a dispute with a supplier over which of them is responsible for protecting certain data. UK Information Commissioner Elizabeth Denham has tried to ease concerns, saying the most important thing is for companies to try their best to comply with the law and work with authorities to correct any problems.
“We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR,” Denham said in a blog post. “Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
The new law comes at a time when advances in technology make data more valuable, and therefore raise the stakes in protecting it. The ability to analyze everything from consumer purchases to medical records holds enormous potential, with suggestions that it will make us healthier, improve traffic flows and other good things for society. At the same time, it provides business with huge new opportunities for profit, with some experts putting the value of the global data economy at $3 trillion. That potential is underscored by changes in the list of the world’s most valuable companies, which was once dominated by energy and industrial companies. Now Apple, Alphabet, Microsoft, Amazon and Facebook hold five of the six top spots.
“Data is the new soil,” said Adam Schlosser, the project lead for digital and trade flows at the World Economic Forum. “It serves as a foundational element for growth.”
But with that potential comes concern that data can be used for private gain, threatening personal privacy rights. Allegations that political consultant Cambridge Analytica used data harvested from Facebook accounts to help Donald Trump with the 2016 presidential election offered a tangible example of the fears highlighted by privacy campaigners. Andersen fears that “dodgy operators” will continue to flout the rules, but he hopes publicity around GDPR will help demonstrate that he takes data protection seriously — that he recognizes the information behind those nametags decorated with cupcakes, unicorns and smiley faces is something to be safeguarded.
“In terms of pieces of data that you don’t want to go astray, your children’s information is kind of the core of that,” Andersen said. “In a way, that’s why we as a company have been successful — (by) trying to treat our customers as parents in the way I would want to be treated as a parent.”