By now, most companies who do any business in the EU are aware of the General Data Protection Regulation (GDPR), which was approved by the EU Parliament on April 14, 2016, and goes into effect on May 25, 2018.
The GDPR replaces the Data Protection Directive 95/46/EC. Organizations found in non-compliance will face heavy fines: €20 million or 4 percent of global revenue per infraction. This could mean millions, or even billions of dollars in fines for large companies.
The new regulation requires companies to implement entirely new processes and procedures around the collection and storage of personally identifiable information (PII) and goes on to define PII as any information that relates to an EU resident’s private, professional or public life (IP address, banking information, email addresses, social media posts and so on). Much of the new regulation goes into making sure that this PII is stored with a person’s permission, used for the specified purpose for which it was obtained and for a duration that makes sense, given the initial reason for obtaining the data.
Unlike previous privacy regulations, everyone fully expects that the GDPR will be enforced on day one with no grace period. Beyond that, the GDPR also allows for the creation of Supervisory Authority (SA) agencies to hear and investigate complaints, who also will have the authority to sanction administrative offenses. You can read the full text here, but I have broken it down to the four main components….
