GDPR is a fairly new European Union law, but it ultimately affects how we do business everywhere in the world. The European Union's General Data Protection Regulation will fundamentally alter how we collect and use personal information on EU residents.
What is GDPR?
To better understand the implementation and impact of GDPR, we're detailing its guidelines below. Get to know GDPR with these need-to-know facts of the law:
General Data Protection Regulation: What you need to know
"Personal data" is now defined more widely and includes online identifiers such as internet protocol (IP) addresses.
Effect Beyond Region
The law applies to entities that are established in the EU, offer goods and services in the EU, or monitor the behavior of individuals in the EU. So even a company without a presence in the European Union may be subject to the requirements.
GDPR sets a high consent standard for processing (collecting, using and storing) personal data. The consent must be unambiguous and involve a clear, affirmative action. Silence, pre-ticked boxes or inactivity cannot be used to imply consent. People also must be able to revoke consent easily.
Breach Notification Mandates
GDPR requires a data breach to be reported to the EU data protection authority "without undue delay" and, where feasible, within 72 hours of becoming aware of it, unless the breach is not likely to put the rights and freedoms of affected individuals at risk.
Privacy by Design
Data privacy must be considered from the outset when new technologies are designed. Companies using people's data must conduct privacy-impact assessments on any potentially "high-risk" processing, for example when using new technologies.
Expansion of Individuals' Rights
The new law bolsters existing rights of individuals and introduces new ones, such as the right to be forgotten and the right to data portability (transfer of data to another party).
Failure to comply with GDPR requirements can lead to fines of up to £20 million (about US$24.6 million) or up to 4% of annual global turnover for the previous financial year, whichever is greater.
Data Protection Officer
GDPR requires the appointment of a data protection officer if an entity's "core activities" involve regular, large-scale processing or monitoring of individuals' data, in particular data related to criminal convictions or offenses.
GDPR will become law without legislation in each EU member state. This means more harmonization on data protection requirements.
There's a lot to know, so we've put together a cheat sheet to help get you started: download the GDPR Fact Sheet.