The EU's new data-privacy law takes effect Friday. Its reach extends into the Triangle.

Many companies, both large and small, are updating their privacy policies to comply with new European Union rules governing privacy and data. But companies aren't the only ones that must obey the rules. Duke University, for instance, must because it both employs and serves people from the EU.

Red Hat, SAS and other companies that hold data on Europeans have a new set of data privacy rules to deal with as of Friday.

But while the local software giants, like other firms, have had two years' notice of the advent of the European Union's "General Data Protection Regulation" and think they've made a solid effort to comply, they admit the jury is still out on whether they've thought of and covered everything.

"It's got a ton of gray areas to it," said Jay Exum, principal legal counsel for SAS, the Cary software giant that deals in analytics software. "We have done everything we know to do to prepare ourselves to be compliant as of the 25th. But someone trying to answer in a definitive way ... has to make leaps of faith that their determinations in these gray areas are right. I don't think there’s anyone on the planet who can say that for sure."

Similarly at Red Hat, while officials believe the Raleigh software developer "will be compliant" as of Friday, "even the most diligent of companies should be careful not to claim victory" because staying on the good side of the new EU law "requires significant ongoing efforts," said Brian Klemm, the Red Hat senior corporate counsel who's heading up its risk-management effort.

Friday's deadline thus "should be viewed as the starting line, not the finish line," Klemm said.

And at SAS, officials have made sure every employee knows about the new rules because it could be easy to run afoul of them.

For example, if "a sales rep leaves the company, downloads a bunch of information they have on customers and takes it to their next company, that's a GDPR violation," said Todd Wright, senior product marketing manager at SAS. "Will companies try to stop that? Yes."

The General Data Protection Regulation, or GDPR for short, is the EU's answer to the public's worries about data-security breaches, company-to-company data sharing and other issues. It passed the European Parliament in April 2016.

'Right to be forgotten'

Among other things, it includes provisions that tighten consent requirements before companies can process someone's data, and others that give companies just 72 hours to report security breaches. One controversial provision defines a "right to be forgotten," ensuring that the data a company holds about a person is erased if that person withdraws consent or when a company no longer needs it.

The consent rules account for the flood of emails many people have gotten in recent weeks explaining how companies they deal with have updated their privacy policies.

But it's the law's geographic reach that has companies in the U.S. scrambling, both to get in compliance themselves and, like SAS and Red Hat, help their clients do so.

The EU claims authority over the use of data from anyone who's in the EU, wherever in the world that use occurs. And if a company violates the law's provisions, it can face fines of up to 20 million euros or 4 percent of its annual revenue, whichever is greater.

That threat has "rightly captured the attention" of Red Hat's board and CEO Jim Whitehurst, Klemm said. Whitehurst told attendees of the recent Red Hat Summit that he and Red Hat's board spent an hour reviewing the issue during a meeting earlier that week.

Most industry observers and participants suspect full compliance with the rules — which are stricter than those the U.S. has imposed, particularly when it comes to notification about security breaches — will be more the exception than the norm as of Friday.

An IBM-organized survey found that only about 36 percent of the 1,500 corporate data-security specialists and general counsels it questioned thought their organizations would be "fully compliant by the enforcement date."

U.S. companies 'just learning'

Survey organizers, who work with IBM's Institute for Business Value, likened the situation to "essentially cramming for a test" and speculated that companies lagging behind were reaping the fruits of "a lack of institutional leadership or a desire to take a wait-and-see approach," if not a lack of money to devote to the matter or worry about disrupting business.

SAS did a survey of its own in February and, from 180 customers, found that 30 percent from the U.S. and 44 percent elsewhere in the world were strongly confident of being in compliance as of Friday, Wright said.

Among EU companies, "the GDPR has been pretty much a household thing" since its passage two years ago and the "residents there know a ton about it," Wright said. "The U.S. and others are just learning."

For SAS and many other firms, the biggest in-house challenge is simply getting a handle on what sorts of data they're holding and, when necessary, pruning it.

They've had to ask "not only what we have, but why do we have it," Exum said.

And that sort of review often highlights problems that are worth cleaning up for more than just legal-compliance reasons.

"If you understand the exercise to be starting from the ground up, understanding all the processes that interact with personal data, you will inevitably come across things you didn't know you didn't know," Exum said. "You’ll be doing the same business process five different ways [and ask], 'Why do we do that, five is inefficient and hard to manage.' So you identify inefficiencies and improve business processes as you go through this."

The IBM survey hints strongly that there's a divide in the business world between companies and organizations that see the new regulations as more or less a hassle, and those who see it as an opportunity to improve or expand their business.

The "squeezed" vastly outnumbered the "sparked" in that reckoning, with IBM reporting that just 22 percent were "motivated by their GDPR preparations" while the rest seemed "more constrained and less committed."

As it happened, the motivated ones as a group tended to have relatively high annual revenues and, in-house, "a higher level of organizational collaboration" than the others, the IBM report said.

Collaboration's a must in any GDPR compliance program because the necessary work spans offices and disciplines, Exum said.

"It’s not the kind of thing an organization can just go to their legal department and say, 'Fix this or write a contract that gets rid of GDPR risk,' " he said. "It’s more than just IT and legal and HR."

"If a company just leaves it to IT to handle by themselves, it’s a recipe for failure," Wright added. "It has to be a team approach or an enterprise approach and that's the only way a company can feel confident in their GDPR program."

The issue's not limited to the for-profit sector, either.

Duke University, for instance, has to comply with the new rules because it both employs and serves people from the EU. It's "had an internal group working on this for a while that includes representatives from IT, legal, schools and units at Duke," said Michael Schoenfeld, vice president for public affairs and government relations.

Like their counterparts at Red Hat and SAS, Duke officials note that the law has ambiguities that complicate the work.

Though it replaced a set of regulations that dated from 1995, there's so much that's new about the GDPR that companies don't have a body of precedent and accepted interpretations to refer to in helping figure out the answers to some of their questions.

In their absence, "you start looking at things like the worst-case scenario and do those kinds of assessments," Exum said. "It is frustrating because everybody wants to be 100 percent sure. It’s why the confidence numbers you're seeing are relatively low. A lot will be determined on what we see on the enforcement side the next couple of years. As cases come in companies will have to shift and adapt."

And while the GDPR is today's most prominent example of a government exerting regulatory power far beyond its borders, it's unlikely to be the last one we'll see in the IT sector, he said.

"Data can move at high volumes anywhere across the world," Exum said. "And a lot of our laws and thinking are built on [assumptions that] if you were in Snow Hill, North Carolina, it was unlikely you would be doing anything that would affect anybody in France. That's not the world we live in."

Ray Gronberg: 919-419-6648, @rcgronberg