Greetings from Brussels,
There were a couple of articles in the Financial Times this week on technology firms and their challenges as they prepare for the GDPR. According to the FT — and common sense — technology companies are starting to assess the cost of the new GDPR rules as they look to get their houses in order ahead of the May 2018 deadline. A recent FT survey revealed that the tech sector is apparently in overdrive in a bid to hire new staff and redesign products as it faces considerably higher costs of doing business under the new privacy regime. The survey was conducted with the top 20 global social media, technology, software and internet firms.
Facebook was one of three companies to say that the initial cost of compliance implementation as a direct result of GDPR was in the region of several millions of dollars. With their international HQ based out of Dublin, the company said that dozens of staff and consultants have been working earnestly to put in place large cross-functional teams to build solutions across the family of Facebook companies, ranging from research and legal through to engineering and product lines. Facebook Ireland’s data protection team will be growing by 250 percent this year to support the GDPR. I have visited the Facebook Dublin office a couple of times over the last three years, and each time, I have noted their visible growth in resource numbers.
In Europe alone, we have seen a steady increase in recent years in the valuation of the data market, with sales and revenue, according to the European Commission, in excess of 59 billion dollars in 2016; this is forecast to at least double by 2020. This is a clear and present argument for companies in the digital space to innovate and re-engineer their business models and processes. Personal data is driving product enhancement and associated revenues — invariably, customers are becoming the product themselves. GDPR is certainly being viewed by some as possibly the most expensive piece of EU legislation to come into force in some time. Notably, with the changes brought by GDPR in accountability across supply chains, service providers from the cloud to other services are also affected by the new rules, driving wholesale change through data chains across organizations and their external suppliers.
In other news, the FT also reported this week — citing Deloitte analysis — that U.S. and U.K. governments almost doubled their requests to obtain data from technology, media and telecom companies over the past three years. This goes some way to highlight the growing regulatory environment faced by businesses. With the GDPR coming into force next year and granting Europeans increased privacy rights over their personal data, we can expect that this activity will continue to grow, placing important constraints on organizational resources. This will be of concern for business and yet another expression of GDPR compliance cost. More requests coming into companies will manifest as a need for more resource allocations to vet and analyze the validity of those requests.
This will get expensive.
One only has to recall the Apple case in relation to the San Bernardino terror attack in California to note how seriously these requests are taken by companies; eventually, the U.S. government dropped their case against Apple for their refusal to assist the FBI. That aside, with data playing an increasingly integral part of law enforcement both in the U.S. and Europe, if requests are to increase exponentially going forward, efforts for companies to protect data will be stretched to the limit. Their ability to adequately assess risk associated with a diverse set of requests will diminish their ability to battle governments and protect their information assets.
In case you’re not keeping track, you are, as of today, 265 days away from GDPR becoming a reality. Are you GDPR ready?