General Data Protection Regulation (GDPR)

The European General Data Protection Regulation (EU-GDPR) is a data protection and privacy regulation enacted by the European Union to protect the personal data of individuals in the EU from misuse and compromise.

Any organisation processing personal data of individuals located in the EU, whether manually or through automated means, must comply with the GDPR.

Examples of data processing include:

  • Website form submissions.

  • Collecting cookie data from web visitors.

  • Sending marketing emails.

  • Storing IP addresses.

  • Posting photos or personal details about an individual on a website.

  • Shredding documents containing personal information.

The GDPR imposes distinct obligations on data controllers (who decide why and how personal data is processed) and data processors (who process it on a controller's behalf), so that the entire lifecycle of personal data is covered.

Is Complying with GDPR Mandatory?

Yes. The GDPR applies to any organisation, in any industry, that collects or processes personal data of individuals in the EU, regardless of where the organisation is physically located.

For example, a business selling a SaaS solution to an international customer base - including Europe - would need to comply with the GDPR even if the business's headquarters are located in the United States.

According to a PwC survey, 92% of U.S. companies categorize GDPR compliance as a top priority.

GDPR compliance for third-party vendors is most efficiently tracked through GDPR-specific security questionnaires.

What are the penalties for not complying with GDPR?

The maximum fine is €20 million (about 23 million USD), or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. This top tier applies to the most serious infringements (for example, violating the basic principles for processing or data subjects' rights); a lower tier of €10 million or 2% of worldwide annual turnover applies to other breaches, such as failing to meet security or breach-notification obligations.