The General Data Protection Regulation (GDPR) was approved by the EU Parliament back in May 2017. The GDPR, in a nutshell, was designed to replace an inconsistent set of data privacy laws with a single comprehensive law protecting all European Union residents. Please click here for my original post on the GDPR. While the GDPR has been in effect for over a year, the law gave companies until May 25, 2018 to comply. Well, that deadline has come and gone. If you fail to comply, regulators can impose a fine of up to 4% of worldwide revenue. This is NOT a typo: 4% of worldwide revenue, up to 20 million euros.
Currently, there are no grace periods if your company still has not complied with the GDPR. Additionally, because the ability to enforce compliance is less than one week old, there is no precedent that we can use as guidance. Regulators for EU member states have indicated different approaches to enforcement going forward. One state regulator has suggested that even if full compliance has not yet been achieved, the efforts made to attain compliance will be taken into account as a mitigating factor. Other state regulators, by contrast, have simply stated that "if we have reason to impose a fine, we will impose a fine." In this regard, the European Data Protection Board was recently created.