Companies are spending millions on their security infrastructure ahead of new European data protection rules, but some worry that the law’s lack of clear technical guidelines may mean that these steps aren’t enough.
The EU’s General Data Protection Regulation, or GDPR, aims to safeguard data-privacy rights by requiring companies to get consent before using personal data and requiring them to store it safely. The law, which goes into effect on Friday, also forces firms to report a security breach within 72 hours and penalizes noncompliance with hefty fines.
One of the challenges for executives is that the legislation doesn’t specify how regulators will assess compliance, making it difficult for companies to decide if they have made sufficient changes to their data policies or invested enough in upgrading their systems.
German sportswear maker Adidas AG, U.K. recruiting firm Hays PLC and French building materials maker Compagnie de Saint-Gobain SA are among the firms wrangling investments to comply with the new laws. Around 60% of companies surveyed by PricewaterhouseCoopers LLP in the fall of 2017 said they would spend more than $1 million on preparing for GDPR, while 12% reported allocating more than $10 million. PwC questioned 300 executives at U.S., U.K. and Japanese firms with a presence in Europe.
Adidas’ digital presence, whether on its online storefront or on social-media platforms such as Facebook Inc.’s Instagram, is key to building a stronger relationship with consumers, said finance chief Harm Ohlmeyer. The company began making changes to comply with GDPR in 2016.