The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive (DPD) 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organisations across the region approach data privacy.
GDPR covers all personally identifiable information (PII).
The most significant fine imposed under GDPR will be 4% of a company's global revenue or €20 million (whichever is greater). This is reserved for companies found to have failed to implement basic security measures. The second largest fine is 2% of global revenue or €10 million (whichever is greater), to be handed down to any organisation that fails to notify the relevant authorities, as well as the individuals affected, after a breach has been detected. An undefined strategy for breach notification can be a very expensive mistake for an organisation under the new legislation. A cost that is harder to quantify, but still substantial and potentially detrimental for an organisation, is the irreparable damage a breach can cause to a brand.
GDPR states that any company, regardless of whether it has a physical presence within the EU, that collects data about EU citizens through a website or any other means must adhere to all requirements of GDPR. For example, if a company is headquartered in the US and has EU customers or collects data from EU citizens, GDPR legislation and the fines associated with non-compliance apply. The location of the server is irrelevant: if the server is located outside the EU but the data belongs to an EU citizen, fines under GDPR will apply. In summary, the new regulations extend beyond the boundaries of the EU, including to the US and a post-Brexit UK. If you are doing business within the EU zone or hold data belonging to EU citizens, GDPR must be adhered to.
Contact us to find out how our consultancy and security services can help you meet the GDPR requirements.