If you haven’t already heard, the GDPR (General Data Protection Regulation) is European Union legislation that gives EU citizens and residents greater control over their personal information. Technically, the regulation entered into force back in May 2016, but its provisions only become enforceable after a two-year transition period, and that period ends tomorrow.
So what’s the big deal? Why are American companies, including the ones behind websites you visit regularly, scrambling to comply? The law is incredibly broad in its scope: it applies to any organization, anywhere in the world, that processes the personal data of people in the EU. And one of the most eye-catching elements is the penalties. For the most serious infractions, businesses can be fined up to 4% of their total worldwide annual revenue or €20 million (roughly $24M), whichever is greater. Not an insignificant amount for a company of any size.
So the deadline is upon us, but what does the future hold? A recent survey reveals that over half of the US-based companies polled are not prepared. Will the Data Protection Authorities of the member states sweep through, levying substantial fines and making examples of the many companies that are unprepared and noncompliant? Or, much like HIPAA prior to the HITECH Act of 2009 and the Omnibus Rule that followed it in 2013, will it be more of a symbolic measure with a bark that is far worse than its bite?
Time will tell, but it will likely fall somewhere in between. In spite of numerous calls for one, EU regulators have not granted any delay beyond the initial two-year transition period, so it appears they’re quite serious about it. The law also gives supervisory authorities lighter corrective measures, such as warnings and reprimands, for initial and minor infractions, and requires that any fine be proportionate to the violation, so it’s unlikely that maximum penalties will be handed down in the short term.
Either way, it’s a topic that’s making waves and certainly warrants close attention in the coming weeks and months…