LONDON: Leading tech companies, including Facebook, are rushing to hire extra staff and spending millions of dollars as they seek to ensure their products comply with tough data protection laws that the European Union will enforce next year.

The EU’s General Data Protection Regulation (GDPR) will come into effect in May 2018 and it is expected to impact all companies that gather personal information from consumers.

Under GDPR, the definition of “personal data” will be tightened and it is set to dramatically alter the way global tech companies can collect, share and store the data of EU citizens – with fines of up to 4% of global annual turnover imposed on those that fail to comply.

Ahead of the changes, which will still apply to the UK post-Brexit because the rules will be integrated into UK law, the Financial Times surveyed 20 of the largest social media, software, fintech and internet companies to see how well – or not – they are preparing.

According to the FT survey, Facebook is among three companies to report that initial compliance will cost several million dollars while others are hiring extra staff and expensive consultants.

Although these costs are relatively small compared to their global annual turnover, these tech firms suggested to the Financial Times that GDPR could be one of the most expensive pieces of legislation in the sector’s history.

“We have now assembled the largest cross-functional team in the history of the Facebook family of companies,” said a Facebook spokesperson.

“Facebook Ireland’s data protection team will be growing by 250% this year in order to support the GDPR … It is hard for us to put an exact figure on it, but when you take into account the time spent by our existing teams, the research and legal assessments and the fact that we have had to pull in teams from product and engineering, it is likely to be millions of dollars.”

But on top of all that preparation, some experts also believe that it is essential for tech companies to ensure they have a board-level executive in charge of data privacy compliance.

“Companies should have been doing this at board level for some time, but we have a feeling that some aren’t,” said Julian David, Chief Executive of TechUK, an industry body.

However, only six companies – Facebook, Microsoft, TransferWise, Funding Circle, HPE and Cisco – confirmed to the FT that they have a board member in place specifically for this purpose.

Data sourced from Financial Times; additional content by WARC staff