Big Companies Stashing Cash Because EU Privacy Regime Compliance Efforts Don’t Come Cheap



Putting aside an extra $1 million for a rainy European Union privacy compliance day appears to be the norm for big companies in the U.S. and U.K., according to a report from international law firm Paul Hastings LLP.

Companies in the U.S. and U.K. are ramping up their efforts to comply with the EU’s new privacy regime, the General Data Protection Regulation, which takes effect May 25, 2018. The looming GDPR has generated a lot of buzz because of the regulation’s reach to any company that does business in the EU and the possibility of massive fines up to 4 percent of global revenue for non-compliance. Four percent of a multinational’s worldwide revenue could be in the billions of dollars, so a $1 million set aside isn’t really all that much in relative terms.

Some companies have been stockpiling cash to be used in the future to obtain GDPR compliance technology products and for third-party legal support services, according to the Paul Hastings report. The report is based on a survey of 100 general counsel and chief security officers from Fortune 500 companies in the U.S. and 100 general counsel and CISOs from FTSE 350 companies in the U.K. 

Most of the money put away for GDPR compliance has been focused on technological solutions to keep up to date with the regulation’s requirements. The report found that many Fortune 500 companies have each allocated approximately $1 million and FTSE 350 companies have put aside 430,000 pounds ($564,418) specifically for GDPR compliance technology. But only 10 percent of U.K. companies and 9 percent of U.S. companies have actually used the cash to purchase a product, the report found. 

Beyond hiring outside legal counsel and buying GDPR compliance tools, companies are also setting aside money for inside hires “to meet regulatory demands,” according to the report. About 40 percent of FTSE 350 companies and 34 percent of Fortune 500 companies surveyed have allocated funding for such hires. 

Many large companies are “taking GDPR compliance seriously,” but “there remain worrying signs that they may be falling short in planning for implementation,” Behnam Dayanim, partner and global co-chair of the privacy and security practice at Paul Hastings, said in a statement.  

“The clock is ticking” for companies that have yet to budget for the GDPR or haven’t yet started the planning process, Dayanim said. 

However, companies that haven’t started their compliance efforts shouldn’t panic. There is still time to start stockpiling cash, hire outside counsel, and implement GDPR compliance tools before the upcoming May deadline. 
