GDPR Deadline approaching fast ...
From May 25th 2018 onward, companies face fines of the greater of 20 Million Euros or 4% of global revenue if they are out of compliance with the new personal data protection legislation enacted in the EU. The General Data Protection Regulation (GDPR) Act is a law designed to give EU citizens full control over their personal data and how it is used, and to hold global entities to account should they mismanage that information.
Key features of the legislation include:
1. The need for "affirmative consent" from a citizen to store or use their data. This means an "opt in" is required and consent can no longer be assumed by default. There is also a requirement to provide evidence of that consent if requested.
2. Citizens have the right to receive copies of all data held on them, including data provided to third parties, within 25 working days.
3. A new "right to erasure" on request of all personal data held on an individual.
4. In the event of a data security breach, companies must report that breach to the relevant Data Protection Authority (DPA).
This legislation applies to companies outside the EU if they gather data on EU citizens, so US companies are also impacted by this requirement.
Action Recommended: If you have not already done so, perform a risk evaluation and impact assessment of these requirements and your readiness to meet them. Although initial unintentional violations will result in warnings, maximum fines of 20 Million Euros or 4% of global revenues warrant a serious examination.