What Is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that entered into force on May 25, 2018. One of the purposes of the GDPR is to help people better control their personal data. The regulation applies to all companies established in the EU, as well as to anyone offering products or services to people in the EU, even without any presence in the EU, which is why major websites are updating their privacy policies to comply with the GDPR.
Why Is This So Important?
Administrative sanctions according to the GDPR – These sanctions are set at extremely high levels. Sanctions may be as high as 10 million euros, or 2% of worldwide annual revenue of the prior financial year if that is higher, for breaches related to technical measures: impact assessments, not having a qualified data controller, etc. For noncompliance with key provisions, the maximum fine is 20 million euros, or 4% of revenue. Although it is reasonable to assume that smaller companies may face lesser sanctions, even in such a scenario the levels are still such that some may be unable to pay. Non-monetary sanctions, such as reprimands or temporary bans on processing data (for example, until a technical problem is corrected), may also be applied.
Civil litigation by data subjects, including class actions – The regulation, quite simply, makes it easier for data subjects to sue you. This may result in the expense and inconvenience of fighting a lawsuit in Europe. Civil suits may also add financial burden on top of fines already being levied.
Possible penal exposure on account of laws in the Member States – Some Member States are creating laws that add further penalties, on top of the EU regulation, for companies found noncompliant. This may result in higher fines or other legal difficulties that might, for example, cause complications for company officials who need to travel to and within Europe.
EU business partners refusing to work with noncompliant businesses – In order to protect themselves from administrative sanctions, some businesses may demand a standard of compliance before they agree to work with you. For instance, the regulation makes it specifically illegal to transfer personal data outside the EU without adhering to a set of provisions, including proper contractual arrangements.
Difficulties and reduced valuation for IPO, investment, and exit – Even the appearance of noncompliance may make investors unwilling to put money into a company or purchase its shares. The same goes for initial public offerings.
In other words, you must make sure you are compliant with the GDPR if it applies to you.