The General Data Protection Regulation (GDPR) was passed in May of 2016 and comes into force exactly five months from Christmas Day on May 25, 2018. The aim of this regulation is to strengthen and unify personal data protection for all citizens (and residents) in the European Union, and to allow them to control their personal information (data). This personal data must be protected according to a number of articles in the regulation, and also applies to non-European organizations that process the personal data of EU citizens.
According to the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” As can be seen, this list covers just about everything!
One of the big requirements that is going to affect US organizations that do business with EU persons is their “right to be forgotten.” This means that EU citizens and residents can request that their personal data be removed from corporate databases in a timely manner. If this cannot be done, they have the right to know exactly why not.
Unlike HIPAA/HITECH, non-compliance with the GDPR can lead to some major league fines: in some cases, up to 20,000,000 Euros or 4% of the annual worldwide turnover of the preceding financial year of the organization (whichever is greater). I think that fines on this level show just how seriously personal privacy is being taken in the EU.
This new regulation just illustrates the pressing need for organizations to know how data flows across and is stored on computer networks. If you know exactly where personal data is and how it flows, you can deal with it. If you don’t, better get ready for some trouble ahead!