The GDPR is a set of rules that requires companies to notify regulators of a personal data breach within 72 hours of becoming aware of it, and to be transparent with users about what data is collected and for what purpose. One of the biggest changes to privacy law is the right of EU residents to request access to the personal information a company holds about them. They can also request that the information be deleted, have inaccurate information corrected, and even have the information delivered to them in a portable form. Once such a request is submitted, the company has one month to respond (GDPR allows an extension for complex requests). If the company is not yet GDPR-compliant and is unable to respond, the data subject can file a complaint with their local regulator.
Regulators are required by the GDPR to enforce the law, and they can fine companies up to 4% of their global annual revenue for violations. Though 4% sounds small, a 4% fine on Amazon would be about $7 billion. Amazon reports enormous revenue but a relatively small profit, so a fine of that size would wipe out more than two years of profit. The GDPR also does not allow regulators to sit on their hands: even if a regulator is not yet ready to audit a company's security or to work out how to protect the EU residents affected by a breach, it is still obliged to act.
Even though the GDPR applies only to EU residents and the companies that handle their data, many American technology companies do business in Europe and are rushing to become GDPR-compliant as well. People outside the EU, Americans included, cannot make data subject access requests under the GDPR, nor can they request that their data be deleted. But GDPR compliance is going to have spillover effects for them anyway: once companies have rebuilt their data handling to satisfy the new rules, it is only a matter of time before those same privacy protections settle into place for everyone.