EU law leaves firms scrambling

New rules mandate consumers’ consent for data collection

LONDON -- Lisa Meyer's hair salon is a cozy place where her mother serves homemade macaroons, where children climb on chairs and customers chat above the whirring of hairdryers.

Most of the time, Meyer is focused on hairstyles, color trends and keeping up with appointments. But now she's worried about how the European Union's new data protection law will affect her business as she contacts customers to seek permission to store their details.

Even though she supports the law, Meyer fears it may cut her mailing list by 90 percent as people choose to withhold their data or simply overlook her emails.

"It will be difficult to market upcoming events," she said at her shop, Lisa Hauck Hair & Beauty in London.

Businesses such as pizza parlors and airlines across the EU's 28 countries are bombarding customers with emails seeking consent to use personal data as they rush to comply with the bloc's General Data Protection Regulation, which takes effect Friday. While much of the attention has focused on how technology giants like Facebook and Google will comply with the rules, consumers are learning firsthand that they apply to any firm, large or small, that stores personal data.

The new rules, called GDPR for short, are designed to make it easier for EU residents to give and withdraw permission for companies to use personal information, requiring consent forms that are written in simple language and are no more than a page long. Companies that already hold such data have to reach out to customers and ask for permission to retain it. Authorities can fine companies up to 4 percent of annual revenue or $23.6 million, whichever is higher, for breaching the rules.

As a result, email inboxes all over the continent are being swamped with messages from opticians, hotels, greeting card companies and even charities that fear stiff penalties for noncompliance.

In an effort to rise above the clutter, some companies are trying to spice up their approach as they try to ensure continued access to information vital to their businesses.

The St. Pancras Hotels Group promises that "only nominated people have access to your details, and they are kept really safe, guarded by our very own British Bulldogs. And a rude punk rocker." Britain's Channel 4 television offered up a video featuring one of the country's best-known comedians explaining the new rules and how they will affect viewers.

Many, including France's mobile operator Bouygues, are using animations to explain the rules.

Regulators say the law applies to anyone who collects, uses or stores personal data. That can be a burden for small businesses that are forced to hire outside lawyers or consultants because they don't have the staff or expertise to deal with the law.

The EU's one-size-fits-all approach is one of the flaws in the law, according to Max Schrems, an Austrian privacy advocate who has formed a nonprofit to take action against big companies that deliberately violate the new rules.

When the rules were being discussed, industry lobbyists sought to weaken the law by creating uncertainty, and as a result there are no clear guidelines that exempt small companies, Schrems told the BBC recently.

"GDPR is a prime example of corporate law gone wrong because it's helpful for big companies," he said. "They have to do all of this anyway, and they can use the uncertainty in the law to kind of get around things. But it leaves small companies that don't ... have a law department, or something like that, in a situation with a lot of uncertainty."

Meyer falls under the new rules' jurisdiction because she keeps data. Like many hair colorists, she keeps a card on each of her clients that notes whether they are allergic to any chemicals used in the dyes. That's considered personal medical information that must be protected.

She took a data protection course to learn about her obligations and to avoid legal bills.

"I find it actually quite scary how data is being used so carelessly," Meyer said. "It's a good wake-up call. It's made me more aware."

But many others have been caught off guard.

A survey by the French consulting company Capgemini says that 85 percent of European firms will not have completed their preparations by the time the law takes effect. It found that British businesses were the most advanced and Swedish ones had the most work to do.

A survey conducted by Britain's Federation of Small Businesses estimates that complying with the rules will cost an average of $1,390 per company.

"For a small business, it's hugely onerous," said Mark Elliott, who runs the digital marketing company Sparks4Growth Ltd. He said he knows other small-business owners who are worried about the extra red tape and costs of complying with the law.

"I think, quite simply, they left us open to the lions," he said of regulators.

EU officials say the law is necessary to catch up with all the technological advances since 1995, when the last comprehensive European rules on data privacy were put in place.

As technology advances, data become more important. The ability to analyze data holds enormous potential, with suggestions it will make us healthier, improve traffic flows and help scientists learn more about the movements of endangered species, to name but a few possibilities.

But with that potential comes concern about privacy.

The threat was vividly illustrated earlier this year when allegations surfaced that a little-known campaign consultancy, Cambridge Analytica, misused data from millions of Facebook accounts in its work for Donald Trump during the 2016 U.S. presidential campaign. That touched off a global debate over Internet privacy and triggered speculation that other jurisdictions will soon follow the EU in tightening data protection laws.

That is just fine with Meyer, who said she thinks society needs a new etiquette for dealing with personal data.

"It's like sitting up straight at the table. It's like not talking too loud on the bus," she said. Respect for data "has to get into our culture."

Business on 05/22/2018

Upcoming Events