Why business is booming for experts in data privacy

San Francisco — Business is booming for software and privacy experts as companies across the globe spend millions of dollars to comply with a landmark European data protection law, even as uncertainties remain about how the rules will be enforced.

The general data protection regulation, which goes into effect in May, is the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information and applies to all companies that do business with Europeans.


The industries most deeply affected will be those that collect large amounts of customer data and include technology companies, retailers, healthcare providers, insurers and banks.

The law has a slew of technically complex requirements, and threatens fines of as much as 4% of a company’s annual revenue for those who fail to comply. Companies must be able to provide European customers with a copy of their personal data and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

The cottage industry that has developed around the general data protection regulation includes lawyers who advise on compliance, cyber security consultants, and software developers that help firms conduct painstaking inventories of vast amounts of data to identify and index information so it can be made available to Europeans at their request.
New York legal services firm Axiom, for example, said it had more than 200 data privacy lawyers working on projects related to the regulation — about a sixth of all its lawyers.
Wim Remes, a cyber security consultant in Brussels, said he was fielding about a dozen regulation-related calls a week. His clients are based in Europe and the Americas and include retailers and technology firms. US companies had been slower off the mark to respond to the regulation than their European counterparts and were scrambling to catch up, Remes said.

The costs are substantial: among 300 big companies in the process of becoming compliant, 40% said they had spent more than $10m and 88% said they had spent more than $1m, according to a PwC survey of US, British and Japanese executives in September.
"People really aren’t picking up the phone for less than $1.5m to $2m," Gant Redmon, programme director of cyber security and privacy at IBM Resilient, said of legal and software consultancy firms advising on the regulation.

Reuters