You might keep hearing the term GDPR, and be wondering what it means.
The GDPR, or the EU General Data Protection Regulation, is a new law designed to strengthen privacy and data protection for the citizens of the 28 EU countries.
It affects ALL organisations that collect and store personally identifiable data on EU citizens (e.g. health data, email addresses, photographs, biometrics, social security/national identity numbers etc.). Even organisations based OUTSIDE of the EU must comply with the GDPR if they store data on EU citizens. So, even if you only have a single customer from Europe in your database, you are likely to have to comply with the GDPR.
The GDPR was passed as law in the European parliament last year, and enforcement of the regulation will start on the 25th of May 2018.
One of the main purposes of the GDPR is to give authorities greater powers to take action against businesses that fall foul of the new laws, for example by losing data or by not following the data protection requirements.
The penalty for a violation is up to €20 MILLION *OR* 4% of annual GLOBAL revenue (whichever is higher). This is of course in addition to any other costs associated with a data breach, for example loss of reputation/goodwill, breach notification costs, credit protection for affected customers, and so on.
So why do you need to know about the GDPR?
If your business uses personally identifiable information, then you will need to be mindful of the GDPR and the implications it could have for your organisation.
This is the first in a series of posts about the GDPR and the actions your business can take to be compliant.