
Throwaway account.

I have national sales responsibilities for one of the majors. Think IBM/Microsoft/Oracle/etc leading a sales team of 74 reps.

You'd be surprised at how LITTLE sales we've generated from GDPR. We've been providing free GDPR assessments for the past 1.5 years for over 200 accounts as lead gen opportunity and very little sales have resulted.

It all boils down to companies simply don't believe the fines will be enforced given just how expensive the fines are.

And since GDPR doesn't go into effect until May 2018, companies are just waiting and seeing what happens.

It's really hard to sell GDPR because it's essentially an insurance policy. Why spend $5m on software and another $5m in services ($10m combined) if your total fine is only $20m? Do you as a company have a 50% chance of getting fined? If not, then roll the dice and don't buy a solution.


Speaking as an eng for MSFT, across multiple orgs, GDPR is certainly taken very seriously here. (Probably safe for me to say given [1].) I would expect the big players will all follow through as a CYA because they'd be the first to be made an example of. I think a sister post's comment on lack of sales was probably accurate, since my above reasoning likely doesn't apply to "most small companies" and the effort to comply properly is certainly not negligible, even if you've already assessed the changes that need to be made (frankly that seems like it might be the easy part if you can leverage someone with background on the nitty gritty of the legislation). It will be "interesting" to see how this pans out.

[1]https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/def...


The talk on GDPR has definitely only really taken off very recently. While a year ago it was a few people that brought it up, the reality of the situation is now slowly kicking in as European customers are asking for this.


I understand that $20m is just the minimum on strike three, not the upper bound (there is none, as I understand it).

For a company that has the means to spend $10m on software and services I'd think that 4% of global revenue would be clearly the larger sum.


The fine doesn't absolve you of responsibility for complying. If you're fined you have to pay up AND you have to comply. Otherwise they'll just fine you again, as they did to Google.


Nevertheless, a 4% fine is very low, given the low frequency of fining. Tech firm margins are much larger than this; so while it's clearly unethical to do so, it may be more profitable to simply accept the fines as a kind of tax for as long as possible, and to continue to profit from all that data until things get really dire. In actuality, a firm wouldn't need to choose quite so starkly to flout the law; simply failing to invest and dragging your feet looking for impossible have-it-all solutions might well be enough to get away with a few fines until you really try to get your act together.

If you will, it's the difference between the VW approach and those of (as it appears anyhow) all the other carmakers. They're all cheating; most simply were wise enough to avoid doing so explicitly.

Data protection is also harder to enforce than emissions; and just look at how laughably incompetent emissions enforcement is to get an idea of how seriously you're likely to get caught if you happen to collect too much private information.

I expect the same here as in emissions: no real compliance for years (if not decades), and when enforcement comes, it won't be the regulator that actually catches even egregious wrongdoing. I mean, the high-profile players will pay lip service of course, but that's it.


I really doubt that these companies would lose more than 4% revenue by complying. Worse ad-targeting in the EU is not worth that much.


I'm not so sure. And it's not just ad-targeting - all kinds of personalized stuff and simply general purpose data mining suffer too. And don't forget that they wouldn't get the full 4% immediately, and would likely be fined much less than once per year based on current trends anyhow. So that 4% is going to be further diluted.


That's not what has happened so far. The search engine results fine of €2.4bn was based on the length and severity of past infringement, and they were threatened with a $10m per day fine, equivalent to 5% of global revenue, on an ongoing basis if they didn't comply within 90 days. So they absolutely have been hit with a heavy lump sum fine from day one.

There's no need to theorise about how the EU might enforce such laws, we've got actual examples of them enforcing laws like this already and they do not mess around.


Google's revenue is all about data collection. If they can't collect lots of data, the whole business model is a lot more questionable. In the face of that, 2.4bn once is a trivial fine; consider that that's something like what... 3% of their revenue in one year?

Of course they'll try to avoid that in the future, but the fine is mild enough that it's not going to cause firms to err on the side of caution. They're going to look for the absolute edge of the law.

Frankly, if Google had not leveraged their search "monopoly" (not quite a monopoly), I suspect their market cap would have been more than 2.4bn lower; so this was a pure win - especially since conviction and detection aren't a slam dunk.


Did you even read my post? It wasn't €2.4bn once, it was that PLUS €10m PER DAY of persistent non-compliance. That would have come to €3.6bn per year.

The lump sum was just for backdated non-compliance.


I read that: the point is that 2.4bn just isn't all that much given what it does to the value of the company. It's probably a risk worth taking as long as you can get away with it. And yes, that means you'll need to eventually adapt - not because 10m a day is necessarily enough to actually enforce that, but also because this kind of stuff is gameable; complying with the ruling without much risk of competition at this point is pretty easy. And you'd need to make the calculation that even if 10m a day were acceptable for the gain, simply ignoring high-profile judgments against you may have worse ramifications down the line.

I'm not saying it's nothing: it's that it's a risk worth taking given the gains. If you're building a trillion dollar company (i.e. Google), then eliminating competition or accepting some judicial friction as a way to establish dominance in your (data-mining) field is perhaps acceptable or even wise.

In that, these fines simply aren't punitive enough, especially since they come so late. And again - it's not black and white. The existence of such rules will alter behavior; it's just a question of whether the reaction will be legal mitigation tactics, a company-wide change in approach, or something in between.

Put it this way: if you can corner a market worth trillions, risking how much loss is acceptable to reduce or eliminate competition? I'd venture that these fines are at least one order of magnitude too small to be really frightening (which isn't to say that the behavior Google was convicted for deserves that amount, simply that anything less than that means that the law can't really be enforced).


I work in a (small) bank, but we are already quite far in implementing GDPR.

Most of it is done by our internal development team or the core system providers we use. No need for external consultants.

From what I can tell, the whole banking industry is busy implementing this, at least here in Norway.

The fines are real.


Yeah, both my work and my wife's companies are taking it very seriously. The point is at the moment, we all think we can handle it internally: legal is very busy doing prep work that will result in requirements across the business, some of which will result in development work (I'm in the IT department). My wife is busy documenting and preparing requirements too.

What kind of companies do you sell to? Maybe they are actually trying to handle it internally too? What do they say?


> It all boils down to companies simply don't believe the fines will be enforced given just how expensive the fines are.

It sounds like a goldmine for the EU government. If they install a group of people chasing noncompliant companies, they will pay for themselves.


And with most of the major tech players being American companies, well...

No war except economic war. ;)

