The big data privacy revolution is here.
The General Data Protection Regulation (GDPR) came into effect across the European Union on Friday, changing the way companies around the world collect and handle personal data.
The new law affects any organization that holds or uses data on people inside the European Union, regardless of where it is based. An Indian call center handling customer services for companies that sell products in Europe or a US website tracking browsing histories of Europeans will be impacted.
The last few days were marked by a huge scramble among businesses big and small to get their new data privacy policies in shape.
Many have not managed that and could now face fines of up to €20 million or 4% of their global annual sales, whichever is bigger.
Research from consulting firm Capgemini showed 85% of firms said they were not ready for the new law to come into effect, and one in four said they won't be ready until the end of the year.
European data regulators have signaled they will take compliance seriously. "Companies that have been making money from our data, have more responsibilities," Vera Jourova, Europe's top justice official, said Thursday.
Privacy advocates have already prepared lawsuits against Facebook (FB), WhatsApp, Instagram, and Google (GOOGL), alleging they are breaking the new rules.
Businesses can still serve their customers, send them emails, and collect and store their data. They just need to make sure they have a "lawful basis" for doing so and respect the wishes of people who want to have their data deleted.
If they fail to prove they have been handling data correctly, don't report security breaches within 72 hours, or hold data for longer than is necessary, they face penalties.
European regulators have in the past taken a tough stance on big tech companies not playing by the rules. The EU has slapped a €2.4 billion ($2.7 billion) antitrust fine on Google, and fined Facebook €110 million ($122 million) for misleading officials about its takeover of WhatsApp.
Experts say that companies that have taken privacy seriously should find the new rules easy to comply with.
"If you are generally good with data protection, you are probably going to be alright with GDPR ... my concern is the companies that have never even thought about this and now are scrambling," said Richard Merrygold, a data protection expert.
But for some companies, the expense of making sure they comply with the new rules was simply too much. Several have announced they are retreating from Europe or cutting down on services they offer their European customers compared to the rest of the world.
"The substantial potential fines and enormous effort involved in becoming and continuing to be compliant will clearly act as a deterrent [to investing in Europe]. Ultimately, they may simply decide it's just not worth it," said Chris L. Allyn, a partner at Moye White, a law firm.