The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016. The GDPR requires that businesses protect EU citizens’ privacy and personal data on transactions that take place in the EU.
The GDPR is going to start being enforced on May 25, 2018. Companies are required to protect an individual’s IP address, browser cookies, and RFID tags in the same manner as they would secure that person’s name, address and Social Security number.
The GDPR also includes a right to be forgotten, which means that information can be required to be removed from the web. This right to be forgotten can be applied to a lot of data, from articles on an arrest to embarrassing photos on social media. In addition to the right to be forgotten, it includes the right for EU web users’ data to be portable. If you have spent years on Facebook and decide you want to close your account and move to a different social network, Facebook is required to provide all of your data to you.
The GDPR also requires companies to report data breaches to the proper authorities and the affected individuals within 72 hours of a detected breach. This could be quite a challenge, as it can take a while to determine what could have been accessed in a breach. It may also require notifying millions of people.
The GDPR allows for huge fines for non-compliance, of up to €20 million or 4 percent of total global annual revenue, whichever is higher. The GDPR is expected to produce billions in fines each year.
The GDPR does not affect only businesses that have a presence in Europe, since on the Internet customers come from everywhere. The EU claims that almost all businesses are subject to this regulation.
Meeting the GDPR requirements will be expensive for companies, with more than two thirds of US-based companies surveyed by PricewaterhouseCoopers expecting to spend between $1 million and $10 million to meet these requirements.