Tim Cook Wants an American Version of GDPR. Here’s What It Could Cost Your Business
Data privacy is a hot issue–and an expensive one.
"Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false," Cook said from the stage. "This crisis is real. It is not imagined, or exaggerated, or crazy."
Later, he added: "Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies."
Europe's General Data Protection Regulation (GDPR), which came into effect in spring 2018, requires compliance from all organizations, regardless of size, that collect data on European citizens. GDPR fines can reach 4 percent of an organization's global revenue.
Cook called on U.S. regulators to act quickly and adopt these key parts of the GDPR:
- Minimizing public access to private data.
- The right for users to know what data is collected on them.
- Any user's ability to access, modify, and even erase that data (the so-called right to be forgotten).
- Regulations making sure that data is kept securely.
Everyone wants to keep their personal data out of the public sphere. But what would GDPR-like legislation cost your business?
In the four months since the GDPR became law, several sources have estimated the costs of compliance for European businesses. A survey of 300 CEOs from Help Net Security found that GDPR compliance for small businesses (with fewer than nine employees) has cost less than $50,000. For larger organizations (1,000-plus employees), compliance is estimated to cost over $50,000. So if you are a small business selling to Europe, these costs must be accounted for. If Cook gets his way, these costs could also hit American ventures selling within the US.
According to a report from SIA Partners, firms set aside €300-450 (about $350-$550) per employee on average to implement the GDPR. That report calculates that, on average, the cost of implementation is 30-80 times the cost of non-implementation.
PwC polled 300 senior executives at American, British, and Japanese companies with European presences. It found that among companies with finalized preparations, 88 percent reported spending more than $1 million on GDPR preparations. 40 percent reported spending more than $10 million. The pattern of increased spending was consistent regardless of company size.
Based on how these sources calculated these costs (and what they included), I see no reason to expect the cost for American businesses to be substantially different.
Will it happen? In short: Nobody knows. Yet.
With data breaches becoming more and more common, it's unlikely that U.S. lawmakers will stay uninvolved, but there's no clear timeline. Perhaps data privacy will become a hot topic for the 2020 elections. Perhaps not.
The state of California recently passed the California Consumer Privacy Act of 2018, which comes into effect in 2020. It shares a lot of the same protections as the GDPR. Will other states follow California? Perhaps. Perhaps not.
No matter when it happens, the question will be: How much regulation is enough? Many pundits see regulation as a deterrent to innovation, a concept Cook rejected wholeheartedly. "This notion isn't just wrong, it's destructive," he said. "Technology's potential is and always must be rooted in the faith people have in it."
So don't take any future legislation as a death knell for your startup's ability to be successful. Just be aware: It might still cost you some serious money.