There's very little doubt that the General Data Privacy Regulation, a.k.a. the GDPR, has created an onerous burden on companies that do business globally, especially on the web.
However, recent reports about how tech giant Facebook handles GDPR reporting might make you think twice about how your company is operating. Apparently, Facebook is under the impression that the 72-hour reporting requirement (under the GDPR, companies must report data breaches within 72 hours) doesn't get triggered until after the company determines that the breach falls under the GDPR.
Decisions Take Time
As reported by Forbes, Facebook took two months to decide whether a recent data breach required being reported pursuant to the GDPR. As stated above, the company has interpreted the E.U. law to require companies to report within 72 hours after determining that a breach must be reported, not within 72 hours of the actual breach (or of its discovery). The report further explains that this is a slippery slope that, if put into practice across the board, could effectively nullify the reporting requirement, since companies could deliberately take years, rather than days or months, to determine whether a breach requires reporting.
This position seems rather novel and likely won't be the best path for most businesses, which, unlike Facebook and other tech giants, don't usually have unlimited funds to push back against regulators in Europe.
Generally, the GDPR requires companies to get explicit permission to retain, use and share private data gathered from individuals in Europe. Additionally, it requires the companies that do so to also have strong cyber-protections against data breaches, and for data breaches to be reported promptly.
Notably, companies outside the E.U. are subject to the GDPR if any of the user data they retain comes from a country in the E.U. That means even a simple e-commerce business is subject to the GDPR if it ships its products to any country in the E.U.