On May 25, 2018 – less than a year from now – the EU will put into effect one of the most far-reaching and punitive measures dealing with digital privacy. The General Data Protection Regulation (GDPR) is literally privacy on steroids, going far beyond anything we have seen before.
A long list of identifiers (aka Personally Identifiable Information, or PII) now falls within the purview of this regulation. In addition to the more recognizable PII like name, gender, sexual orientation, location data, and economic and cultural data, we can now add IP addresses, genetic information and even biometric data.
Further, any EU resident may request access to their data and is entitled to enforce the “Right to be forgotten”, whereby their personal data must be erased. The catch is that such erasure must occur in every instance where the data may have been shared! Where the data is deemed inaccurate, the data subject can enforce the “Right to restrict the processing of personal data”. Data subjects also have the right to data portability, and even the right to object to being evaluated by automated processing systems. The list is very long indeed.
The law applies to any company doing business in the EU, not just to companies based in the EU.
Breaches must be disclosed within 72 hours, and if you have second thoughts about complying with the regulation, consider the penalties: 4% of global gross revenues or €20 million, whichever is higher!
Based on 2016 revenues, a fine for Apple would be $8.6 billion. Think they are not going to take this seriously? Unlikely. By some estimates, fully 95-98% of US companies doing business in the EU are not prepared and are not on track to become compliant by May 2018. A frightening prospect.