The GDPR is a European Union (EU) data protection law that went into effect on May 25, 2018. The GDPR unifies the EU under a single data protection regime for all member states and requires organizations to safeguard personal data and uphold the privacy rights of anyone in the EU.
The GDPR applies to the processing of personal data (Art. 2 GDPR). Thus, only data relating to an identified or identifiable natural person is protected. Data relating to a legal entity, e.g., trade secrets or corporate confidential information, is not protected. However, the definition of personal data is very broad (for example, online identifiers and IP addresses are personal data).
"Processing" is defined broadly as well. Almost everything that is done with data, including collection, storage, use and transmission, is covered, as is the transfer of personal data between companies within a group.
The GDPR outlines seven principles for the lawful processing of personal data, including:
Any member state's data protection authorities can enforce the GDPR. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. The authorities can also impose a temporary or definitive limitation including a ban on data processing.
In addition to such fines by the authorities, claims for nonmaterial damages by data subjects are on the rise.
The authorities are becoming more and more active and are imposing heavy fines, for example:
The first years of GDPR enforcement have shown that the authorities focus on topics such as marketing, information obligations and on whether companies have taken sufficient technical and organizational measures.
To identify, at a high level, your organization's current state of GDPR compliance, see our GDPR Readiness Assessment Tool.