Who will be ensnared first by new EU data-protection rules?



Our research has found that up to 50% of firms may not be prepared to follow the EU’s tough new GDPR law, which is set to take effect in May. But stiff financial penalties aren’t the only risk for businesses that aren’t properly guarding their customers’ digital data.

Key takeaways
  • The EU’s General Data Protection Regulation is set to take effect on 25 May 2018; any company doing business in the EU must comply or risk large fines
  • Our research has found that many large firms are already GDPR-compliant, but many small- and medium-size businesses aren’t
  • It’s not entirely clear how GDPR compliance will be enforced at first, but we believe regulatory actions could gain steam quickly after a slow start
  • Firms that don’t comply with GDPR could be hit with more than steep fines – including lawsuits, damaged reputations and a loss of access to digital data

Why aren’t more companies ready for GDPR?

A major piece of European Union business regulation – the General Data Protection Regulation (GDPR) – is set to take effect on 25 May 2018, and a large number of companies seem not to be prepared. Given what’s at stake, we find this surprising: we are living in an increasingly data-focused world, and EU regulators have clearly told companies they must fundamentally rethink their approach to data privacy or face significant consequences.

When we first wrote about GDPR (“New EU data-protection rules are serious business”; August 2017), that approximately 60% of companies doing business in the EU were slow to adopt the new rules. As the May deadline approaches, we estimate that a full 50% of firms are still not fully compliant. Most companies fall into one of two camps:

  • On one side are the large companies that have already put in place the necessary measures to comply with GDPR. These firms are used to dealing with onerous compliance issues and can absorb related costs.
  • On the other side are the many small- and medium-size enterprises that are hobbled by the complexity and substantial financial burden of these measures: the cost of compliance can easily reach several hundred thousand euros. Perhaps this explains why one recent report out of the UK suggested that fewer than one in ten small businesses in Britain are fully prepared for GDPR.

Limitations of local regulators

One mitigating factor for this lack of preparedness is that the GDPR legislation is not entirely clear about how regulatory requirements will be interpreted, nor how compliance will be enforced. Adding to the complexity is the large role played by each EU member state’s Data Protection Authority (DPA) in enforcing GDPR. The individual DPAs have many responsibilities but limited resources, and this is creating a bottleneck at the enforcement level. Perhaps this has reassured the many businesses that are still not GDPR-compliant that they need not have a sense of urgency.

However, after 25 May, the DPAs across Europe will be able to work together to apply their investigative powers. As a result, many legal experts are recommending that their clients step up their compliance.

As to the question of how quickly GDPR will be enforced, some experts look to the implementation of the EU antitrust law for an example. When it launched in 2004, the European Competition Network (ECN) began enforcement by focusing on only a few large, symbolic pilot cases. But as the ECN expanded its capacity for antitrust investigations over the years, it moved on to broader sector enquiries. Today, more than EUR 3 billion in fines are collected each year, making commissioner Margrethe Vestager one of the most feared regulators in Europe.

GDPR enforcement could take off much more quickly than these earlier antitrust efforts. Last year, DPAs initiated several notable cases at the national level – including a German case against a big data-consuming firm – with an eye on expanding them to the EU level once GDPR is enforceable. Moreover, the fines that regulators collect as they go could be used to finance additional enforcement actions, potentially creating a “snowball effect”.

Why GDPR matters to investors

GDPR monetary penalties could reach 4% of a company’s global revenues in cases of severe violations, but this may not be the biggest risk for corporations:

  • Class-action suits and negative headlines could trigger a loss of customer trust; once lost, trust is extremely difficult to win back.
  • A company on the receiving end of GDPR action could face rising costs to access data.
  • A company found guilty of the most egregious GDPR violations could even be banned from using data; this could significantly affect its business model, financial outlook and stock-price valuation.

One only needs to look to the US to see very real examples of what diminished public trust is doing to some of that country’s Big Tech firms. More importantly, the increased focus on data privacy is going global. Consumers worldwide are paying greater attention to their digital rights, and we believe it won’t be long until other countries join Europe in setting strict rules to define and defend data privacy.


Investing involves risk. The value of an investment and the income from it will fluctuate and investors may not get back the principal invested. Past performance is not indicative of future performance. This is a marketing communication. It is for informational purposes only. This document does not constitute investment advice or a recommendation to buy, sell or hold any security and shall not be deemed an offer to sell or a solicitation of an offer to buy any security. The views and opinions expressed herein, which are subject to change without notice, are those of the issuer or its affiliated companies at the time of publication. Certain data used are derived from various sources believed to be reliable, but the accuracy or completeness of the data is not guaranteed and no liability is assumed for any direct or consequential losses arising from their use. The duplication, publication, extraction or transmission of the contents, irrespective of the form, is not permitted. This material has not been reviewed by any regulatory authorities. In mainland China, it is used only as supporting material to the offshore investment products offered by commercial banks under the Qualified Domestic Institutional Investors scheme pursuant to applicable rules and regulations. This document is being distributed by the following Allianz Global Investors companies: Allianz Global Investors U.S. LLC, an investment adviser registered with the U.S. Securities and Exchange Commission; Allianz Global Investors GmbH, an investment company in Germany, authorized by the German Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin); Allianz Global Investors Asia Pacific Ltd., licensed by the Hong Kong Securities and Futures Commission; Allianz Global Investors Singapore Ltd., regulated by the Monetary Authority of Singapore [Company Registration No. 199907169Z]; Allianz Global Investors Japan Co., Ltd., registered in Japan as a Financial Instruments Business Operator [Registered No. The Director of Kanto Local Finance Bureau (Financial Instruments Business Operator), No. 424, Member of Japan Investment Advisers Association and Investment Trust Association, Japan];and Allianz Global Investors Taiwan Ltd., licensed by Financial Supervisory Commission in Taiwan.


About the author

Marie Rupp

Marie Rupp

Senior Sustainability Analyst



A Grassroots® Research study shows that more than 80% of IT decision makers in the US plan to spend more on information tech this year, thanks in large part to recent tax reform. Almost three-quarters said their organisations have at least one or more artificial intelligence-related projects in progress.

Key takeaways

  • The IT spending environment is looking strong for 2018, according to a recent Grassroots® study of IT decision makers in the US
  • Most of the approximately 200 survey respondents said their overall 2018 IT budgets are expected to increase
  • IT security is by far the highest spending priority for 2018, with AI one of the primary focus areas over the next five years