Hays (LSE:HAS)
Historical Stock Chart

From Apr 2019 to Apr 2024

By Nina Trentmann 

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (May 26, 2018).

Companies are spending millions on their security infrastructure ahead of new European data protection rules, but some worry that the law's lack of clear technical guidelines may mean that these steps aren't enough.

The EU's General Data Protection Regulation, or GDPR, aims to safeguard data-privacy rights by requiring companies to get consent before using personal data and requiring them to store it safely. The law, which goes into effect on Friday, also forces firms to report a security breach within 72 hours and penalizes noncompliance with hefty fines.

One of the challenges for executives is that the legislation doesn't specify how regulators will assess compliance, making it difficult for companies to decide if they have made sufficient changes to their data policies or invested enough in upgrading their systems.

German sportswear maker Adidas AG, U.K. recruiting firm Hays PLC and French building materials maker Compagnie de Saint-Gobain SA are among the firms wrangling investments to comply with the new laws. Around 60% of companies surveyed by PricewaterhouseCoopers LLP in the fall of 2017 said they would spend more than $1 million on preparing for GDPR, while 12% reported allocating more than $10 million. PwC questioned 300 executives at U.S., U.K. and Japanese firms with a presence in Europe.

Adidas' digital presence, whether on its online storefront or on social-media platforms such as Facebook Inc.'s Instagram, is key to building a stronger relationship with consumers, said finance chief Harm Ohlmeyer. The company began making changes to comply with GDPR in 2016. The shoe maker, which already records personal data such as names, partial credit card details and addresses from customers who buy goods on its website, plans to sell more products directly through its own online retail channels; potentially resulting in more personal data held by the company.

"You cannot spend enough to protect yourself," Mr. Ohlmeyer said, declining to provide a figure for the company's GDPR budget. "We have been taking it very seriously," Mr. Ohlmeyer said.

Forrester Research Inc., a research company, said it had anecdotal evidence that large firms allocate on average $20 million to $25 million to become GDPR-compliant, while smaller companies budget $4 to $5 million.

At Saint-Gobain, the French building-materials maker, the cost of becoming GDPR-compliant was "significant," according to Claude Imauven, its chief operating officer.

Saint-Gobain introduced a new data-privacy management platform, overhauled its data-processing procedures and held training sessions for employees, Mr. Imauven said.

The company also deployed 400 so-called privacy correspondents to ensure that data is handled correctly. The company forecasts "additional ongoing costs" because of GDPR, the COO said.

Companies must maintain an updated record of all the EU-based personal information they collect, and incorporate privacy and data-protection controls into their system design. Standard clauses in contracts and other legal documents need to be rewritten, adding to the administrative burden.

Firms have to respond to individual data requests in a timely manner, requiring some of them to hire additional employees, said Russell Marsh, a managing director at Accenture PLC.

Recruiter Hays spent between GBP2 million ($2.7 million) and GBP3 million to become compliant, said Chief Financial Officer Paul Venables. The recruiter started making changes about a year ago to account for how it would handle the more than 10 million individual résumés on file.

"We had to go through our database and sort out those candidates we didn't have meaningful exchange with in the past two years," Mr. Venables said.

The stakes for getting it right are high. Companies which fail to report breaches face a fine of up to 2% of global annual revenue or EUR10 million ($11.7 million), whichever is higher. Firms that process personal data without consent could be fined up to 4% of annual revenue or EUR20 million, whichever is higher.

"It is really hard for companies to forecast how much they should budget for this," said Laura Jehl, a partner at Baker & Hostetler LLP. Some of her clients up until a few weeks ago didn't have a budget for GDPR, she said

Making sure that third-party suppliers conform to GDPR adds another layer of complexity. "We have seen companies ask their business partners and suppliers to demonstrate their GDPR practices," said Enza Iannopollo, a security and risk analyst at Forrester.

Write to Nina Trentmann at Nina.Trentmann@wsj.com

(END) Dow Jones Newswires

May 26, 2018 02:47 ET (06:47 GMT)