Attorney-level compliance solution
The legal consequences for non-compliance can include fines up to EUR 20 million (€20m) or 4% of the annual worldwide turnover
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general). It’s intended to strengthen data protection for all people whose personal information fall within its scope of application, putting personal data control back into their hand.
This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not. As a matter of fact, this PwC survey showed that the GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.
A common misconception is that only EU users are covered by the protections of the GDPR, however the protections of the GDPR also extend to users outside the EU if the data controller is EU based. Therefore, if you are an EU-based data controller you must, and by default, apply GDPR standards to ALL your users. The GDPR became fully enforceable on May 25th, 2018.
Cross-border Data Transfers
The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs).
The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions. In regards to data transfer to the US, all transfers either require that the data processor adhere to the EU-US Privacy Shield or that informed consent is received from the user (in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country).
Consequences of Non-Compliance
The legal consequences for non-compliance can include fines up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater), but perhaps equally as concerning are the other potential sanctions that may be implemented against organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability damages.
The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of GDPR regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of the organization’s data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but the organization may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the improper use was in regards to email address collection, the organization risks being barred from using the entire associated email list.
The GDPR also gives users the right to compensation for any damages resulting from an organization’s non-compliance with regulations, hereby leaving violators open to potential litigation.