The General Data Protection Regulation (GDPR) is a law enacted by the European Union (EU) that governs the privacy, protection and reporting of personal data. GDPR was approved by the EU parliament on April 14, 2016 with an enforcement date of May 25, 2018. The law “applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location,” and so it has a global impact.
The fines for violating the GDPR can be significant and the maximum penalty is the greater of 4% of annual turnover or €20 million. Some of the key requirements of GDPR include:
Breach Notification – GDPR compliant organizations must notify end users of any data breach within 72 hours of first becoming aware of it.
Right to Access – On request by the data subject, compliant companies must provide the personal information stored about that end user, together with information on how the data is being used and where it is stored.
Right to be Forgotten – This requirement entitles a data subject to have his/her personal data erased and no longer disseminated to third parties or exposed to third party processing.
Data Portability – This rule requires GDPR compliant companies to provide end user data in a “commonly used and machine readable format” on demand, allowing users to take their data to another data user.
Privacy by Design – Privacy by Design requires that data protection be built in from the outset of system design rather than added later.
Data Protection Officers – DPOs are mandatory for those companies whose core activities include systematic monitoring of customer data on a large scale or hosting data relating to criminal convictions and offenses.