The General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018, creates consistent data protection rules across Europe. It applies to all companies that process personal data about individuals in the EU, regardless of where the company is based. Processing is defined broadly and covers anything done with personal data, including how a company handles and manages it, such as collecting, storing, using and destroying data.
While many of the principles of this regulation build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards, and substantial fines. Failure to comply with the GDPR can result in significant fines – up to four percent of global annual revenue for certain breaches. A company that is not able to protect its users' data is liable to face a maximum fine of €20 million ($23 million) or 4% of the company's global annual revenue from the prior year, whichever amount is larger. Additionally, since Facebook failed to notify the regulators about the attack within 3 days of the breach, it could also face a potential fine of 2% of its global revenue. Surprisingly, Mark Zuckerberg and Facebook's COO, Sheryl Sandberg, were also affected by the attack.