Talk about the long arm of the law! The European Union’s General Data Protection Regulation, or EU GDPR for short, aims to protect the privacy of the personal data of European citizens, wherever that data is processed, or wherever the organisation collecting or processing the data is based.
So, for example, if your Sydney- or Melbourne-based e-commerce enterprise sells online to consumers resident in any of the European member states (there are 28 of them), you must respect the EU GDPR too. If you do not, the consequences could be serious.
The General Data Protection Regulation shows how thinking about data and security has evolved in the digital age. Geographical boundaries have been supplemented by digital boundaries. Personal data is a new virtual domain that straddles physical country borders and that carries with it its own rules of conduct.
The good news is that GDPR can reduce the effort needed for European compliance because it applies across all the member states in the same way. However, extra compliance effort may be needed elsewhere, as GDPR introduces several new rights for European citizens over their personal data. The “right to be forgotten”, the “right to data portability”, and the “right to object to profiling” are examples.
Non-compliance is sanctioned by fines of up to 10 million euros or 2% of annual global turnover (whichever is higher).
Infringement of GDPR principles or violation of personal data privacy can attract fines of up to 20 million euros or 4% of annual global turnover (again, whichever is higher). Clearly, European policy and lawmakers want to send a strong message about ensuring that European citizens remain safe and secure at all times in terms of their personal data.
GDPR is the furthest-reaching data protection law yet defined. It is already in effect, and enforcement will begin on 25 May 2018.