General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection that affects the European Union (EU) and the European Economic Area (EEA). The GDPR's main goal is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation contains provisions and requirements relating to the processing of personal data of individuals who are located in the EEA, and applies to any enterprise, regardless of its location and the data subjects' citizenship or residence, that is processing the personal information of data subjects inside the EEA.

Processors of personal data must use appropriate technical and organisational measures to implement the data protection principles. Business processes that handle personal data must follow the principles and provide safeguards to protect data (for example, the full anonymisation of personal information where appropriate). Information systems must be built with privacy in mind. For example, the highest possible privacy settings must be used by default, so that the datasets are not publicly available by default and cannot be used to identify a subject. No personal data may be processed unless this processing is done under one of the six lawful bases specified by the GDPR (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent, the data subject has the right to revoke it at any time.

Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long the data is to be retained and whether it is being shared with any third parties or outside of the EEA. Data subjects have the right to request a portable copy of the data collected by a controller in a common format, and they also have the right to have their data removed under certain circumstances. Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for adherence to the GDPR. Businesses must report data breaches to national supervisory authorities within 72 hours if they have a detrimental effect on user privacy. In extreme circumstances, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual turnover of the preceding financial year, whichever is the greater.