GDPR, the General Data Protection Regulation, is an EU regulation that takes effect on 25 May 2018, coming into force immediately without any further need for ratification by member states. It harmonises data privacy laws across Europe, introducing sweeping requirements for companies handling personal data, and will affect companies whether they handle or process that data internally or externally. It is wide in scope, in that it draws in businesses outside the EU: any that hold datasets on individuals within the EU.
A positive perspective on GDPR is that compliance brings benefits in the form of reduced risk. Carrying out the data audit the regulation requires, ensuring that the technology which stores and protects the data is adequate, and giving key individuals responsibility for that data will all help manage the threat of data theft. With personal information datasets a target for cybercriminals, compliance is good housekeeping rather than a burden.

The other side of that coin is the penalties organisations will incur if breaches occur. If it can be shown that a data theft was the result of a lapse in the data protection requirements defined within GDPR, businesses will face steep fines: the greater of €20m or 4% of global revenues. That is a high price tag on top of the loss itself and the reputational hit.