For small companies, doing business in Europe may not be worth the cost

May 17, 2018

Europe’s new data regulations apply to companies large and small, but do tech’s little fish have a big disadvantage? The General Data Protection Regulation has already taken effect and will start being enforced later this month. Some big companies have added staff and software to comply, but smaller businesses may not have the cash to keep up. Marketplace Tech host Molly Wood spoke with Jessica Lee, partner with the law firm Loeb & Loeb, about just how much businesses are spending on compliance. The following is an edited transcript of their conversation. 

Jessica Lee: You know, that's tough. I've heard numbers anywhere from $1 million to $10 million. And for the big companies, the Googles and Facebooks of the world, you're probably looking into well above that $10 million number. And that cost comes two ways: some of it is with legal advice, and some of it is with the technical implementation.

Molly Wood: Given those costs ... what are we seeing smaller companies do? How do the responses run the gamut?

Lee: I think that small businesses are just trying to do this to scale. And if you think about the Googles of the world, if you have a data subject request, someone wants to have their information, they want to get a copy of it, they want to get it erased. Think about the volume of calls or requests that a company like Google could get on any given day. That's massive. They need to automate that. A smaller company might be able to find a more manageable approach in terms of either doing it manually or having some automated response but that takes place on a smaller scale.

Wood: Are you hearing about companies, small businesses, who are saying, "This changes our expansion plan, we're going to not do business in Europe because it's just too risky right now"?

Lee: I have. But it depends, of course, on the business itself and what the value proposition is. There are some companies I talked to where the revenue stream that's coming from the European arm of their business just isn't big enough to make it worthwhile. But some companies have a long-term plan to expand into Europe, and depending on where they are, it may or may not be worth it to take on the burden or cost of complying with the GDPR.

Wood: And then what about companies who are just saying, "It's a little confusing, we're pretty sure they're going to go after Google and Facebook first"? You know, are you hearing about companies who are just deciding not — just to ignore it for the moment?

Lee: I've heard a little bit of that, but I'm trying to counsel away from that. You know, I think there can be a tiered approach. What we've heard from regulators is that they want to see a good-faith effort to comply with the law. Particularly if you're a small business owner, I think there's some sympathy for that position. I think that there will be a proportional approach taken to how fines are imposed. And so if you're a small company, if you can say, "OK, here's our universe of data, here are the things we think we need to do. Here's what's feasible now and then here's a roadmap for what we can do going forward." That at least gives you some cushion to make an argument that says, you know, we took this seriously.

Wood: And then is it fair for some of these companies? The argument from some of these smaller companies has been, "Look, Facebook and Google and Microsoft, they've got the money to absorb these compliance costs, and this primarily hurts companies that don't have the resources."

Lee: I mean, I definitely understand that complaint. You know, I think another approach is to take a look and see what data do you actually collect? What do you actually need? Can you reduce your risk by anonymizing or pseudonymising the data? Can you encrypt it? Are there steps you can take so that what you're doing is less risky, so that you're not operating at the same risk level that the Googles and Facebooks of the world are operating at?

Wood: Have you had any companies come to you in the last couple of weeks and go, "Hey, so I heard about this GDPR thing. Seems like a big deal. Can you help me?"

Lee: You can take by my laugh that that might be the case. But there are still things to do.