Companies with European Union operations face liabilities due to GDPR

GDPR in Europe

The European flag flutters in the wind past the headquarters of the European Central Bank in Frankfurt am Main, Germany.

GDPR has been coming downstream over the last seven years, and even if you've never heard of it you will undoubtedly have felt the GDPR "bow-wave" over the last month, with your rapidly filling inbox raising awareness of what is coming. Fear of fines motivates much of the work being done, of course, but GDPR already shows that regulation can help to tame the behaviour of the tech giants.

Under the new GDPR law, companies must gain freely given consent from users in order to use their personal data. If you're in the European Union, that is.

A report by the Ponemon Institute, which was published last month and examined more than 1,000 companies in the United States and European Union, found that two in five (40 per cent) thought they would not be entirely compliant until after 25 May, while a further 8 per cent said they did not know when they would be compliant.

Companies that offer apps and services in the United Kingdom and Europe - every firm from Spotify to Google - have to update their guidelines and even the core structure of their apps so that they're meeting these new privacy rules.

The regulations force companies to use the highest possible privacy settings by default. Whether those big fines actually materialise will depend on how seriously companies have taken their preparations and ongoing compliance.

The changes GDPR has brought build on the previous 1998 Data Protection Act, giving you more rights and protections around your personal data.

The GDPR is also staggeringly complex and could ensnare some US companies in foreign regulatory hell.

"Personal data is information that relates to an identified or identifiable individual".

First, they have to figure out if this applies to them. The digital advertising company Drawbridge, the social media tracker Klout and the save-it-for-later reading app Instapaper also stepped back. There are probably some businesses that don't realize that their mailing list is global.

They may also request to know why you are processing their data, how long you will keep it, and who else has been given it.

While the law is created to protect people in the European Union, its impact will also extend to the some cases.

The GDPR could even affect small tourism-related businesses such as a resort or tour operator, because they have guests from all over the world.

Companies don't need consent to send marketing emails to existing customers.

If a business has a security breach in the United Kingdom resulting in the loss of your data, you have to be told as soon as possible.

Canada's new federal data breach regulations, for instance, which will be implemented in November, require companies to report security breaches that pose a "real risk of significant harm" to the federal privacy commissioner and consumers "as soon as feasible", a less strict standard than the 72-hour timeline outlined in the GDPR.

For any business working with GDPR this is an astonishing success rate for resubscriptions and we are very grateful to everyone who has responded.

It's also important to note, though, that this will have a lot of downstream impacts on companies, and it's not clear what will happen.