Data-Privacy Law Creates New Business for Tech Consultants

New EU law will boost penalties for corporate privacy violations

The European Union's General Data Protection Regulation on data privacy will come into force on May 25, 2018.

BRUSSELS—The European Union’s tough new data-protection law demands costly changes for many companies—and opens rich business opportunities for others.

A cottage industry around privacy technology has sprung up in recent years, with firms offering new products and services designed to help companies more efficiently meet the demands of the EU’s General Data Protection Regulation. In an unexpected twist, some of those compliance tools could create additional legal risk for the companies using them, experts say.

From May 25, GDPR will replace the EU’s patchwork of 28 different sets of national privacy laws and boost penalties for corporate privacy violations from token amounts now to potentially billions of euros.

“We’re seeing a huge development in privacy tech as a direct result of the GDPR,” said Paul Jordan, European managing director for the International Association of Privacy Professionals, a nonprofit group supporting industry participants world-wide.

According to a report prepared last year by IAPP and Ernst & Young, more than half of the 600 privacy professionals they surveyed said they would invest in technology to help manage personal data and comply with GDPR, up from 29% the year before.

The privacy-tech firms are offering tools and services that include collecting consent from users to process their data, helping companies map their internal data flows and automating tasks like responding to a data breach.

Under GDPR, firms often need clear and unambiguous consent from users to process their personal data. Data breaches must be reported to authorities within 72 hours. Customers also will have the right to see what data companies hold on them and can request some of it to be deleted. Companies that violate the rules risk fines as high as 4% of their global revenue.

The EU regulation is taking effect amid broader questions about how internet giants use people’s personal information and profit from it through targeted advertising. Facebook Inc. came under fire earlier this year following revelations that the social network allowed personal information of as many as 87 million users to be obtained by data-analytics firm Cambridge Analytica.

Under the new rules, tech giants and other companies will come under greater scrutiny, requiring them to overhaul their privacy systems. The exhaustive demands and threats of high fines have led companies to seek external help.

“The reason there’s reg-tech business around GDPR is that GDPR requires a lot of technical [modifications] for a company to comply with it,” said Roy Smith, chief executive of PrivacyCheq, a York, Pa.-based company that helps firms collect users’ consent. When privacy laws changed in the past, he said, companies would simply hire a lawyer and update their privacy policies.

London-based Privitar, which offers tools to remove personal identifiers from large data sets, was officially set up in 2014 but has seen an increase in interest from potential clients ahead of GDPR and expects growing momentum in the coming years, said CEO Jason du Preez.

The mushrooming of privacy-tech and regulatory compliance firms for GDPR follows an earlier proliferation of compliance specialists focused on heavily regulated industries such as financial services. A report last year by data-analysis firm CB Insights said equity funding for such firms since 2013 had reached roughly $5 billion in 585 deals.

The firms promote their ability to simplify compliance, but specialists say they can pose additional compliance risks. One issue is the compliance software tools themselves, said Georges Wantz, a director of technology and a GDPR expert at Deloitte & Touche in Luxembourg. Most of them monitor people in the workplace, he noted, “which in itself is a processing activity of personal data and an intrusive one.”

Other privacy experts and regulators warn that the privacy-tech products may duplicate data or collect more of it, increasing the compliance burden. And many vendors are startups that may lack mature data-management systems of their own.

Privacy-tech firms say they are ready. PrivacyCheq says it doesn’t see or touch any of the private information that people are consenting to release. Privitar says it doesn’t take any customer data and circumvents the risk because it only provides software. Wirewheel.io, based in Arlington, Va., offers tools to help companies locate the data they have and says it doesn’t retain any personal information.

Dale Sunderland, a deputy commissioner at Ireland’s data protection agency, said he and his team have seen some “good, positive tools” on the market to help smaller companies protect their data. Still, he warned companies to ensure the privacy-tech firms they work with are reputable and actually have the expertise they tout.

Write to Natalia Drozdiak at natalia.drozdiak@wsj.com

Appeared in the May 21, 2018, print edition as 'Privacy Tools in Demand.'