Business is booming for software and privacy experts as companies across the globe spend millions of dollars to comply with a landmark European data protection law, even as many uncertainties remain about how the rules will be enforced.

The General Data Protection Regulation (GDPR), which goes into effect in May, is the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information and applies to all companies that do business with Europeans.

The industries most deeply affected will be those that collect large amounts of customer data, and include technology companies, retailers, healthcare providers, insurers and banks.

The law has a slew of technically complex requirements, and threatens fines of as much as four per cent of a company’s annual revenue for those who fail to comply. Firms must be able to provide European customers with a copy of their personal data, and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

The cottage industry that has developed around the GDPR includes lawyers who advise on compliance, cyber security consultants, and software developers that help firms conduct painstaking inventories of vast amounts of data to identify and index information so it can be made available to Europeans at their request.

New York legal services firm Axiom, for example, told Reuters it had more than 200 data privacy lawyers working on GDPR projects – about a sixth of all its lawyers.

It said it would hire over 100 more staff this year to deal with the GDPR and also create training programmes so that more of its lawyers would be qualified to work on these types of projects.

Wim Remes, a cyber security consultant in Brussels, said he was fielding about a dozen GDPR-related calls per week. His clients are based in Europe and the Americas and include retailers and technology firms.

He said American companies had been slower off the mark to respond to the GDPR than their European counterparts and were now scrambling to catch up. “In the last two or three months, the demand has mostly been from US organisations,” he added.

The costs are substantial: among 300 big companies in the process of becoming GDPR compliant, 40 per cent said they had spent more than $10 million, and 88 per cent said they had spent more than $1 million, according to a PwC survey of American, British and Japanese executives published in September.

“People really aren’t picking up the phone for less than $1.5 million to $2 million,” Gant Redmon, programme director of cyber security and privacy at IBM Resilient, said of legal and software consultancy firms advising on the GDPR.

The work will not end on May 25, when the GDPR kicks in, as companies will be required to provide regular data audits for EU authorities to prove they are compliant. Companies that handle especially sensitive information will have to hire a data protection officer.

Lingesh Palaniappan, CEO of Grit Software Systems, described the work he’s doing on GDPR compliance for a mid-sized software company as a grueling manual process. His staff has to go through every software application and database and record details such as the exact type of data they contain - whether it be names and addresses, or more personal information like medical records - and who has access to it. The team builds charts to keep top management informed on how far along the company is in its GDPR compliance process.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.