New data law in Europe sends businesses scrambling to comply
LONDON—Lisa Meyer's hair salon is a cozy place where her mother serves homemade macaroons, children climb on chairs and customers chat above the whirr of hairdryers.
Most of the time Meyer is focused on hairstyles, color trends and keeping up with appointments. But now she's worried about how the European Union's new data protection law will affect her business as she contacts customers to seek permission to store their details. Even though she supports the law, Meyer fears it may cut her mailing list by 90 percent as people choose to withhold their data or simply overlook her emails.
"It will be difficult to market upcoming events," she said at her shop, Lisa Hauck Hair & Beauty in London.
Businesses from pizza parlors to airlines across the EU's 28 countries are bombarding customers with emails seeking consent to use personal data as they rush to comply with the bloc's General Data Protection Regulation, which takes effect May 25. While much of the attention has focused on how technology giants like Facebook and Google will comply with the rules, consumers are learning firsthand that they apply to any firm, large or small, that stores personal data.
The new rules, called GDPR for short, are designed to make it easier for EU residents to give and withdraw permission for companies to use personal information. They require consent forms to be written in simple language and no more than one-page long. Companies that already hold such data have to reach out to customers and ask for permission to retain it. Authorities can fine companies up to 4 percent of annual revenue or 20 million euros ($23.6 million), whichever is higher, for breaching the rules.
As a result, email boxes all over the continent are being swamped with messages from opticians, hotels, greeting card companies and even charities that fear stiff penalties for non-compliance.
In an effort to rise above the clutter, some companies are trying to spice up their approach as they try to ensure continued access to information vital to their businesses.
The St. Pancras Hotels Group promises that "only nominated people have access to your details, and they are kept really safe, guarded by our very own British Bulldogs. And a rude punk rocker." Britain's Channel 4 television offered up a video featuring one of the country's best-known comedians explaining GDPR and how it will affect viewers. Many are using animations, like one from like France's mobile operator Bouygues, to explain the rules.
Regulators say the law applies to anyone who collects, uses or stores personal data. That can be a burden for small businesses that are forced to hire outside lawyers or consultants because they don't have the staff or expertise to deal with the law.
The EU's one-size-fits-all approach is one of the flaws in the law, according to Max Schrems, an Austrian privacy advocate who has formed a non-profit to take action against big companies that deliberately violate the new rules.
When the rules were being discussed, industry lobbyists sought to weaken the law by creating uncertainty, and as a result there are no clear guidelines that exempt small companies, Schrems told the BBC recently.
"GDPR is a prime example of corporate law gone wrong, because it's helpful for big companies," he said. "They have to do all of this anyways and they can use the uncertainty in the law to kind of get around things. But it leaves small companies that don't ... have a law department, or something like that, in a situation with a lot of uncertainty."
Meyer falls under the new rules' jurisdiction because she keeps data. Like many hair colorists, she keeps a card on each of her clients that notes whether they are allergic to any chemicals used in the dyes. That's considered personal medical information that must be protected.
She took a data protection course to learn about her obligations and avoid legal bills.
"I find it actually quite scary how data is being used so carelessly," Meyer said. "It's a good wake-up call. It's made me more aware."
But many others have been caught off guard.
A survey by French consultancy Capgemini says that 85 percent of European firms will not have completed their preparations for GDPR this week. It finds that British businesses are the most advanced and Swedish ones have the most work to do still.
A survey conducted by Britain's Federation of Small Businesses estimates that complying with the rules will cost an average of 1,030 pounds ($1,390) per company.
"For a small business, it's hugely onerous," said Mark Elliott, who runs the digital marketing company, Sparks4Growth Ltd. He knows other small business owners who are worried about the extra red tape and costs of complying with the law. "I think, quite simply, they left us open to the lions," he said of regulators.
EU officials say GDPR is necessary to catch up with all the technological advances since 1995, when the last comprehensive European rules on data privacy were put in place.
As technology advances, data becomes more important. The ability to analyze everything from medical records to the weather holds enormous potential, with suggestions it will make us healthier, improve traffic flows and help scientists learn more about the movements of endangered species, to name but a few items.
But with that potential comes concern about privacy.
The threat was vividly illustrated earlier this year when allegations surfaced that a little known campaign consultancy, Cambridge Analytica, misused data from millions of Facebook accounts to help Donald Trump win the 2016 U.S. presidential election. That touched off a global debate over internet privacy and triggered speculation other jurisdictions will soon follow the EU in tightening data protection laws.
That is just fine with Meyer, who thinks society needs a new etiquette for dealing with personal data.
"It's like sitting up straight at the table. It's like not talking too loud on the bus," she said. Respect for data "has to get into our culture."