EU Data Protection Authorities have demonstrated their intent to pursue both small and large organizations based domestically and abroad.
The introduction of the General Data Protection Regulation (GDPR) in 2016 established a new global standard for data privacy and protection rights. In simple terms, GDPR is a regulation that enhances the protection of all EU citizens and residents concerning their personal data. Regardless of which country your organization is based in, GDPR may apply to you.
Fines for those who don’t comply with GDPR can be up to €20 million or 4% of global revenue (whichever is greater). Since GDPR enforcement began in 2018, the EU’s Data Protection Authorities have issued over €1.3 billion (USD 1.5 billion) in financial penalties to organizations ranging from start-ups to large corporations.
Enforcement has not been limited to EU-based organizations. A small California-based tech firm was recently fined €10 million (USD 11.6 million) for allowing its app to share sensitive location data without receiving explicit consent from users. On May 12th, a Canadian website operator was fined €525,000 (CAD 760,000) for not appointing a local GDPR representative in the EU. Larger US-based tech firms such as Amazon, Facebook, and Google have also incurred substantial fines due to GDPR violations. Regulatory fines are only the tip of the iceberg, as an alleged violation could also lead to civil lawsuits or result in reputational damage.
If your organization fits into one of the following two categories, you will likely need to comply with GDPR:
- A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- A company or entity established outside of the EU that is offering goods or services (paid or free) to, or monitoring the behaviour of, individuals in the EU.
According to GDPR, “personal data” means any information relating to an identified or identifiable natural person. This may include their name, mailing or email address, ID number, location data, an online identifier (e.g., an IP address), or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
It is important to note that GDPR compliance is not limited to commercial entities. Non-profit organizations and professional associations collecting personal data from EU citizens and residents must also comply.
The following are a few examples of scenarios where GDPR may apply:
- You operate a website that collects and processes information from EU citizens or residents, such as registration data for product demonstrations and newsletters, or IP addresses via website analytics.
- You provide free or paid subscriptions to software or apps that collect and process the personal data of EU citizens or residents.
- You are collecting and processing personal information from job applicants or employees who are EU citizens or residents.
Let’s face it, properly addressing data protection and compliance is complex, and it’s not going to get any easier. This is particularly true for small and medium-sized organizations which lack the resources to hire dedicated privacy professionals.
Vayle can help. Schedule a no-obligation consultation with one of our Data Privacy Advisors today.