The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the European Union (EU) law that governs the processing of personal data. GDPR applies to the collection, storage, use, and transmission of data relating to a person. Its purpose is to give individuals in the EU control over their personal data and to protect them from its misuse and theft. It was adopted by the European Parliament on April 14, 2016.
The GDPR defines "personal data" as:
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Information protected by the GDPR includes a person's name, age, gender, mailing address, e-mail address, and medical history. It even protects their likes and dislikes (for example, what movies, music, or types of food they like, who their Facebook friends are, and what Twitter accounts they follow).
Organizations established in the EU must adhere to GDPR when collecting, storing, or transmitting personal data, and so must organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. Protection is based on where the data subject is, not on citizenship. Businesses must abide by GDPR with regard to both customers and employees.
GDPR became enforceable on May 25, 2018. The two years between its adoption in 2016 and that date served as a transition period for organizations to bring their data handling into compliance; since May 25, 2018, there has been no further grace period.
Some of the obligations GDPR imposes include:
- Companies must let people access the personal data held about them, receive a copy of it in a portable format, and have it erased (the "right to be forgotten").
- If a company has a data breach involving personal data, it must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals. If the breach is likely to result in a high risk to the affected individuals, they must be informed as well, without undue delay.
A business found in violation of these obligations is subject to administrative fines of up to 20 million euros or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.