What is GDPR?
General Data Protection Regulation (GDPR) is a recently adopted European Union (EU) law covering data protection and privacy rights for EU residents (data subjects). GDPR also addresses the export and use of that personal data outside the EU. This means that companies and organizations established outside of the EU which offer services to, and/or manage the personal data of EU residents could also be affected by this regulation. The law goes into full effect on May 25, 2018 and enforcement includes potentially heavy fines for violations.
GDPR replaces the Data Protection directive and has binding legal force in every member state. Member states do not have the discretion to decide how to transpose the regulation into national law. Some important differences introduced by GDPR over the previous directive are:
- An organization has only 72 hours to report a data breach to its national regulator.
- One of the factors in calculating penalties and fines is the annual revenue of the organization.
- Individuals have new rights such as the right to erasure and the right to portability, among others.
GDPR introduces the Data Protection Impact Assessment to estimate the impact of changes or new actions. Affected organizations must actively take steps to become compliant with GDPR, such as raising awareness of and providing training for the data privacy officer and other employees, making arrangements to track their data, putting a process in place for quick breach reporting, ensuring that consent is obtained from data subjects as needed, being able to respond to access requests promptly, and more.