On May 25, 2016 the European Parliament entered into force the General Data Protection Regulation or GDPR. The Regulation will have a significant impact on organizations in all industry sectors, bringing with it both challenges for compliance as well as opportunities to achieve competitive advantage.
The GDPR is the new sweeping European Union (EU) legislation that modernizes and reforms the laws that address the handling of personal data. It replaces the European Data Protection Directive (95/46/EC) which was implemented inconsistently across Europe and did not have legislative authority.
Stricter consent rules
The GDPR requires that individuals give unambiguous, informed consent before their data may be processed. Consent cannot be assumed from inaction.
Enhanced rights for data subjects
Individuals have more rights under the GDPR including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request personal data be ported to another service provider.
Data breach notification
Organizations must notify those whose data has been breached, within 72 hours of the breach.
Increased accountability measures
There are a number of new governance requirements for subject organizations, including conducting privacy impact assessments and appointing a data protection officer.
Maximum penalties are €20 million or 4% of annual global revenue, whichever is greater.
One of the biggest tenets of the GDPR is the principle of data minimization, that is, that firms collect only the smallest amount of personal data for the shortest period of time possible, and delete it as quickly as possible after its specific purpose is completed.