GDPR is one of those things that you’ve either never heard of, or you’re sick of it because people who care about privacy and digital information policy just won’t stop talking about it in superlatives.

“It’s going to change the world,” said Ann Cavoukian, a former Ontario privacy commissioner and now distinguished expert-in-residence at Ryerson University in Toronto.

GDPR applies to any company anywhere in the world that collects or processes any information relating to an identifiable resident of the European Union.

For example, any website that asks for a name, email address or any other potentially identifiable personal information needs to be GDPR compliant, or the company is tempting fate.

Under GDPR, the potential penalties for non-compliance are immense. For the worst offenders, European regulators are empowered to levy fines of up to 20 million euros or four per cent of a company’s annual global revenue — whichever is greater.

Europe’s new rules come at a time when data breaches are becoming almost mundane. In April alone, Saks Fifth Avenue disclosed that hackers stole credit and debit card information on 5 million people, and a security researcher revealed to a Canadian parliamentary committee that he had discovered a data breach of 48 million people’s personal information.

Neither story caused much more than a ripple, but the Cambridge Analytica scandal sure caught people’s attention.

Facebook Inc. profile information on 87 million users was improperly obtained by Cambridge Analytica, which reportedly attempted to make psychological profiles of users in an effort to influence the U.S. presidential election for Donald Trump.