The General Data Protection Regulation (GDPR) is a broad and comprehensive European Union (EU) data privacy law that went into effect on May 25. This is a great example of the law trying to catch up with technology and our digital lives. In essence, GDPR creates fundamental digital rights for EU residents, and compliance is mandatory for organizations controlling and processing the personal data of EU residents. Thus, the law applies to entities outside the EU if they offer goods or services to EU residents, or monitor the behavior of EU residents. For example, if a U.S.-based social network or e-commerce website processes personal data of an EU resident, it would be subject to GDPR. This is a progressive law that should eventually be adopted in some form in the United States. Privacy and data protection are at the heart of the regulation. GDPR further requires companies handling personal data to be accountable for managing such data.

GDPR provides for fines of up to 20M Euro or up to 4 percent of global turnover for the previous 12 months, whichever is greater. In some instances, GDPR also provides for warnings, reprimands, or temporary suspension of data processing. Worse yet, violations of GDPR can damage a company's brand and reputation through customer complaints.