GDPR Overview, Scope, and Sanctions
The General Data Protection Regulation (GDPR) is the worldwide template for data protection, applying broadly to companies with EU assets and employees, companies selling to individuals in the EU, and data stored in the EU. Fines reach four percent of worldwide revenues.
More than 160 nations have enacted significant privacy laws, with recent activity in China, India, and Brazil. The first wave of modern privacy laws in the 1970s was based on Fair Information Practices (FIPs), which originated with the U.S. government. Today the worldwide template is the 2018 GDPR.
The EU requirements apply broadly to companies with assets and employees in the EU, to companies that sell to individuals in the EU, and to data stored in the EU.
Fines for GDPR violations can reach four percent of worldwide revenues. For a company with $1 billion in revenue the maximum fine is $40 million; for a company with $100 billion in revenue it is $4 billion. Sanctions of this size get the attention of top management.
Since the CJEU decisions known as Schrems I and Schrems II, the EU legal system has closely scrutinized the surveillance practices of countries receiving EU data, which has added considerable complexity to data flows from the EU to the United States.
The GDPR introduced (1) requirements for processing data, (2) individual rights, (3) breach notification, (4) designation of Data Protection Officers (DPOs), (5) sanctions up to four percent of worldwide revenues, and (6) rules for international transfers.