The GDPR is more than an update to the European Union Data Protection Directive (DPD). It also adds greater urgency to compliance given the potential for fines of up to 4% of an offending company's annual revenue or 20 million euros, whichever is higher.
Sowing fear, uncertainty and doubt (FUD) may not have been the intention behind the GDPR. But many businesses will have much to fear in the uncertainty of how strictly GDPR privacy rules will be enforced, as well as doubt over what actions will trigger the highest penalties.
Much of the GDPR -- as with the DPD before it -- focuses on best practices for data privacy as well as information security, but two new GDPR requirements will be challenging for even the best-defended enterprises: prompt breach notification and "the right to be forgotten."
Under the GDPR, companies will be judged not on how well they check the compliance boxes, but in large part on whether or not they are able to perform these two functions under the pressure of customer demand or an ongoing breach.
We don't yet know how the GDPR will be enforced or just how bad a violation will have to be to trigger the harshest penalties. But what is clear is that the new law requires organizations to be far more responsive in these situations.
If a company fails to provide prompt breach notification, it won't matter that it has audits certifying its compliance with GDPR privacy regulations. Likewise, if an organization hasn't checked off all the compliance boxes -- but is still able to scrub its databases in response to requests to be "forgotten" by consumers -- it may be able to avoid penalties.
With GDPR, the EU is sending a signal to enterprises: Do the right thing for your customers, or suffer the consequences.