On May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) will come into effect. The GDPR gives individuals in the EU more control over the personal data that is collected online by retailers, healthcare organizations, financial institutions, and who knows who else. The GDPR is the result of a concerted effort to create a comprehensive collection of clear yet flexible rules that give individuals visibility into their personal data footprints, as well as the power to have personal data erased upon request.
The sanctions for non-compliance are stiff. The lower tier is capped at €10 million or 2% of worldwide annual turnover (whichever is higher) for preparedness and administrative failures, such as inadequate security measures, missing records of processing, or failing to notify a breach; the upper tier doubles that, to €20 million or 4% of turnover, for violations of the core principles, such as processing without a lawful basis, ignoring data subjects’ rights, or transferring data outside the EU without a valid mechanism. Each EU member state can add its own penalties for GDPR-related violations where the regulation leaves the choice of sanctions to national law. And individuals can bring civil suits in their local courts if they feel their rights as defined in the GDPR have been breached. On top of all these financial penalties, the supervisory authorities (Data Protection Authorities) that enforce the GDPR can order an organization suspected of noncompliance to stop processing personal data, temporarily or permanently.
The GDPR rules and sanctions apply to all data controllers and data processors (third parties that handle data on behalf of the data controllers, such as public cloud providers) that collect and store personal data about people in the EU, regardless of where the data controller or processor is physically located. For an organization with no establishment in the EU, the trigger is offering goods or services to people in the EU or monitoring their behaviour (web analytics and tracking count), not merely happening to hold a European’s data. This individual-centric approach means that any organization gathering personal data on Europeans in that way, no matter where its corporate headquarters are located, must be GDPR-compliant.