After several years of refining and debating, the regulation was officially approved by the European Parliament on April 14, 2016. The EU then allowed a two-year transition period for organizations to reach compliance. As of May 25, 2018, the GDPR's heavy fines kicked in, to be levied against any business not meeting the guidelines.
Who is affected by the GDPR?
The GDPR has far-reaching implications for all citizens of the EU and businesses operating within the EU, regardless of physical location. If businesses hope to offer goods or services to citizens of the EU, they will be subject to the penalties imposed by the GDPR. In addition, any business that holds personal data of EU citizens can be held accountable under the GDPR.
What sort of data falls under the GDPR?
- Name
- Photo
- Email address
- Social media posts
- Personal medical information
- IP addresses
- Bank details
The GDPR covers any information that can be classified as personal details or that can be used to determine your identity. Parental consent is required to process any data relating to children ages 16 and under.
The regulation specifies the entities impacted by the GDPR. The wording specifically includes data processors and data controllers. What does this mean? Information that is stored in a “cloud” or in a separate physical location is still subject to penalties. Regardless of who has determined how your information will be used and who actually uses it, fines can still be imposed for misuse if it concerns the data of EU citizens.
Penalties for not complying with GDPR
Businesses that fail to comply with GDPR are subject to fines. This can mean different things for businesses, depending on the level of infraction. On the high end, businesses may be required to pay up to 4 percent of their global turnover, or 20 million euros, whichever is higher. Companies may also be fined 2 percent for not taking appropriate measures to keep records in order. Ultimately, the fine depends on the nature of the infraction.
Data breaches and the GDPR
A data breach is any situation where an outside entity gains access to user data without the permission of the individual. Data breaches often involve the malicious use of data against users.
If a data breach should occur, the GDPR specifies that companies must provide adequate notification. The affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”
Uncertain politics and the GDPR
In an uncertain political climate, many companies and citizens are concerned about how they will be affected by the GDPR given the undetermined nature of Brexit. Companies operating in the United Kingdom are encouraged to take measures to comply with the GDPR. Although these companies may not be subject to the GDPR, EUGDPR.org states that “The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.”
If you believe you will be operating in the UK but not in other EU countries, you are still encouraged to prepare for the GDPR as the UK is expected to follow suit with similar data protection legislation.