Ah, repercussions! If, like most proficient smartphone users, you have a plethora of mobile apps that handle your banking, communication, travel, and shopping needs, you have undoubtedly been swamped with prompts to accept new privacy policies from those apps.

Who to thank?

The EU, actually. Before the Facebook debacle, when news outlets exposed the misuse of personal data harvested from the social media giant's platform, privacy policies existed, but few users read them and few companies treated them as more than a formality. Once it emerged that the data had ended up in the hands of the political consultancy Cambridge Analytica, the rules of the game were suddenly taken seriously.

The General Data Protection Regulation (GDPR), a European Union legal framework adopted in April 2016, well before the Facebook scandal, establishes rules for the collection and processing of the personal data of people in the EU. It replaced the Data Protection Directive of 1995, written for a pre-smartphone, pre-cloud world. The timing of the Facebook revelations was a coincidence rather than a cause: the regulation's two-year transition period had been fixed in 2016, and it became enforceable on May 25th, 2018, a few weeks after the Cambridge Analytica story broke.

The regulation puts consumers back in control of their personal information. Who could have thought a small business owner in Poland, or even in the United States, would have their business seriously affected by legislation negotiated in Brussels?

While following the regulation is obligatory in the EU, the repercussions are worldwide. The rigorous rules have multinational companies scrambling to ensure their systems comply, lest they lose their customers across Europe. If you're wondering why a non-EU company is scrambling, refer to Article 3 of the GDPR. As Forbes plainly interprets the "territorial scope" clause of Article 3, "if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR." More precisely, Article 3(2) reaches companies with no EU establishment when they offer goods or services to people in the Union (whether or not payment is required) or monitor their behaviour within the Union.

The good news? For a company with no establishment in the EU, the regulation applies only when the person whose data is collected is in the EU at the time. The test is location, not citizenship: an EU citizen whose data is collected while travelling outside the EU is not protected under Article 3(2), while a non-EU visitor in Paris is. Companies established in the EU get no such relief; under Article 3(1) they are bound wherever their customers happen to be.

A collaborative effort among the EU member states, with Germany, where data privacy is held in especially high regard, among the strongest voices, the GDPR is composed of several key components that let consumers control their data. For example, at some point we've all "unchecked" a pre-ticked box agreeing to receive marketing material or to have our data shared when registering at a new website. Under the GDPR, consent must be given by a clear affirmative act, so a pre-checked box no longer counts: agreement now requires a positive opt-in.

Full details on user protection and privacy, as well as compliance tips, can be found here.

Not surprisingly, backlash and controversy prevail. Some feel innovation will be stifled by the loss of access to data used for artificial intelligence and machine learning. Others worry that law enforcement will be hampered by reduced data sharing. A recent piece in the Wall Street Journal refers to the GDPR as "The EU's Gift to Cybercriminals," arguing that police will have little or no access to data vital to solving crimes.

Either way, considering the implications, and penalties for non-compliance of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, it looks like data protection officers and their security teams will certainly have their hands full.