1. What is GDPR?
2. About GDPR for B2B and B2C
3. When will GDPR be enforced/applied?
4. Who does GDPR apply to?
5. Where does GDPR apply?
6. Does Brexit affect the ruling of GDPR?
7. What is the fine for non respect with the GDPR?
GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents. This legal framework replaces the current EU Data Protection Directive (95/46/EC) with additional requirements that you need to be aware of. The new EU data protection regime extends the scope of the EU data protection law to all companies even outside the EU when they process data of EU residents.
GDPR makes no distinction between B2B and B2C and applies for both of them. Even though PECR (Privacy and Electronic Communications Regulations) allowed soft opt-out approach in email marketing, the new ePrivacy Directive is under review and is going to align with the GDPR.
GDPR will officially apply from 25th May 2018, at which time those companies or organisations in non-compliance may be subject to fines.
GDPR applies to persons and entities of all sizes that process personal data of EU residents, regardless of where they are based. These regulations apply to both data controllers and data processors, including third parties such as cloud providers.
It applies to all 28 EU member states and to entities and organisations outside the EU when processing the data of citizens within it.
No. GDPR comes into effect before the UK officially leaves the European Union on March, 29th 2019. An equivalent set of data protection regulations need to be in place to continue trading with the EU.
The maximum penalty for organizations in non-compliance with GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.