The General Data Protection Regulation (GDPR) is a broad and comprehensive European Union (EU) data privacy law going into effect on May 25. This is a great example of the law trying to catch up with technology and our digital lives. In essence, the GDPR creates fundamental digital rights for EU residents, and compliance is mandatory for organizations controlling and processing the personal data of EU residents. Thus, the law applies to entities outside the EU if they offer goods or services to EU residents, or monitor the behavior of EU residents. For example, if a U.S.-based social network or e-commerce website processes personal data of an EU resident, it would be subject to the GDPR. This is a progressive law that should eventually be adopted in some form in the United States. Privacy and data protection are at the heart of the regulation. The GDPR further requires companies handling personal data to be accountable for managing such data.

The GDPR provides for fines of up to 20 million euros or up to 4 percent of global turnover for the previous 12 months, whichever is greater. In some instances, the GDPR also provides for warnings, reprimands, or temporary suspension of data processing. Worse yet, violations of the GDPR can cause brand and reputation damage as customers complain.