The EU General Data Protection Regulation (GDPR) was approved by
the European Parliament as a Regulation that applies automatically to
every organization, whether based in a member state or not, that does
business with EU data subjects; it becomes effective May 25, 2018.
The GDPR spells out the obligations of organizations (both collectors
of personal information, “controllers”, and users of personal
information, “processors”) for safeguarding personal data.
These regulations dictate how and what personal data must be safeguarded
from unlawful use or breach.
Organizations will face considerably greater oversight and potential
fines for non-compliance. Fines could potentially be up to 4% of an
organization’s annual global sales, up to €20 Million, for some of the
more egregious infringements.
“The extraterritorial reach of GDPR will make it a global mandate. The
GDPR also requires compliance from non-EU organizations that offer
goods or services to EU residents or monitor the behavior of EU
residents. Firms that already comply with existing data protection rules
will need to evolve their privacy practices toward the GDPR, but a large
number of firms will have to tackle privacy rules for the first time. This
includes not only companies that offer products or services directly to
EU residents but also those that operate as part of larger value chains.
For example, a US-based data aggregator that collects and resells EU
customers’ data to other business partners will need to comply fully
with GDPR requirements, rather than simply meeting international
data transfer rules.” (Forrester Brief by Enza Iannopollo)