The law grants individuals expanded rights over how their personal information is collected and used, and companies that don’t respect those rights will be subject to potentially huge fines. But much remains uncertain about how it will be implemented by businesses and enforced by authorities.
As a result, it will take years for affected companies to truly understand the law’s impacts and costs, according to nearly a dozen executives, lawyers and consultants interviewed by The Innovator.
The law only sets out broad principles, such as the obligation to obtain consent and a requirement that companies define the legal basis for collecting someone’s data. Policy makers intentionally left much about implementation vague, leaving companies to make educated guesses about how to comply. National regulators and the courts will gradually weigh in on whether decisions about GDPR now being made in boardrooms around the world were on the mark or not.
The costs and burden on businesses also depend on other unknowns, such as whether European consumers will decide to exercise en masse their right to obtain a copy of their data from companies. Another question is how aggressively privacy advocates — such as the Austrian lawyer Max Schrems, who won a landmark lawsuit against Facebook — will use the courts as a weapon.
“The GDPR regulation is complex, much more so than existing law,” says Laurie-Anne Ancenys, a lawyer with Allen & Overy in Paris. “It will take years to figure out what it means to be compliant.”

Sourced through Scoop.it from: medium.com