The GDPR (General Data Protection Regulation), which took effect on May 25, 2018, is a regulation designed to increase protections around the processing of personal data of individuals in the European Union.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches and give them more control over their personal data. It affects not only organizations located in the EU but any organizations outside the EU that process and hold the personal data of EU citizens.
A major focus of the GDPR is the strengthened conditions of consent. Under the new regulations, organizations must obtain explicit consent before they can store and process someone’s personal data. Organizations are no longer able to use vague and confusing statements to obtain consent.
In addition, it is mandatory that organizations notify customers/users of any data breaches. This must be done “without undue delay” after first becoming aware of a data breach.
Also, EU consumers have been given a set of data subject rights that give them more control over their personal data (see “What are your rights under GDPR?”).
Organizations must also appoint a Data Protection Officer (DPO) if their “core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.”