European organizations are stepping up efforts to prepare for a compliance bombshell the EU dropped back in April 2016: the General Data Protection Regulation (GDPR), which replaces the Data Protection Directive in place since 1995 and becomes enforceable on 25 May 2018. The new rule imposes data management requirements designed to provide better privacy and protection for individuals. GDPR compliance does not apply only to businesses within the EU. It also applies to companies anywhere in the world, the United States included, that offer goods or services to people in the EU or monitor their behaviour and in doing so collect their personal data.
Perhaps the most discussed aspect of the GDPR is that it spells out the fines for breaking the rules. The Data Protection Directive only stated that sanctions for non-compliance were to be defined by each EU member state. In contrast, the GDPR defines exactly what administrative fines can be imposed for violating its rules.
Under the GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements; below it sits a lower tier of up to 2% of annual global turnover or €10 million, whichever is greater. For example, a company that fails to keep its records of processing activities in order falls into that lower tier.
What's more, these rules apply to both controllers and processors, meaning cloud service providers that process personal data on a customer's behalf will not be exempt from GDPR enforcement.