The EU GDPR is the most significant step toward data privacy of personal data. First announced in 2012 and formally approved by the European Parliament on April 14th, 2016, this Regulation came into force on 25 May 2018.
A significant point to be noted is that the GDPR harmonises the data protection laws across the EU and repeals the existing Data Protection Directive which has been rendered insufficient given the significant changes and privacy concerns over the past decade. This new regulation is directly enforceable without any further legislation by EU member states.
GDPR gives data subjects considerable power and rights over their data. It is the data subjects and not the data controller and processor that own the data. Data controllers and processors must now be extremely careful in the way they handle and process the personal data and non-compliance will result in a hefty penalty of up to € 20 million. Avoiding compliance and risking these financial penalties is by no means a viable strategy.
GDPR significantly affects all businesses and increases the possibility of risks, including operational, financial and reputational risks.