Companies brace for European privacy rules

U.S. companies are largely unprepared for what's about to hit them when sweeping new EU data laws take effect next year. The regulation — the General Data Protection Regulation (or GDPR) — is intended to give users more control of how their personal data is used and streamline data processes across the EU. Companies that fail to comply with the complex law will face steep fines of up to 4% of their global annual revenue.

Why it matters: Europe has by far taken the most aggressive regulatory stance on protecting consumer privacy and will in many ways be a litmus test for regulating the currency of the data economy. It impacts a huge number of businesses from advertisers to e-commerce platforms whose data flows through EU countries. That means everyone from Google to your neighbor who sells shoes on eBay could be affected.

Compliance challenge: Firms in all sectors are dealing with more data than ever before, so managing it requires more resources. Experts tell Axios that complying with the law is a daunting and expensive task for many companies. Niche legal firms are cropping up to help companies deal with it.

"People aren't fully ready for managing this," said Hilary Wadell, general counsel and chief of data governance at TrustArc. "A lot of organizations are still trying to wrap their arms around appropriate data governance and to understand the types of data they have and how it is used." According a recent TrustArc survey, 61% of organizations haven't even begun implementation.

Tech watch: Companies in all sectors will have to comply, but tech companies in particular will have steep climbs. "Were going to see innovative things from Google and Facebook in terms of how they deal with it," says David Downing, EVP at ASG technologies. On its Q2 earnings call, Facebook COO Sheryl Sandberg told investors that when they look at regulatory issues, including GDPR, they make sure those regulators understand how Facebook contributes to economic growth in their countries.

The EU perspective: Wojciech Wiewlorowski, Assistant Supervisor for the European Data Protection Supervisor in Brussels, stressed that the regulation won't slow down innovation or the flow of data. Rather, it's a necessary step to deal with the explosion of the data economy in a "civilized" way — similar to how society had to impose rules on automobile traffic.

"The road code [was] created in order to facilitate the way that we transport things and transport people," he said on a call discussing the GDPR implementation. "But, of course, in some ways it limits the way that we try to invent solutions. This is the kind of price we pay for a civilized way for the flow of personal data in the world."