The new European Union General Data Protection Regulation (GDPR) (Regulation 2016/679, Apr. 27, 2016) will replace the Data Protection Directive (Directive 95/46/EC) effective May 25, 2018. The GDPR has been a long time coming and introduces a host of new requirements for companies that use or process data in the EU, or simply use or process data about EU citizens anywhere in the world outside of the United States.
The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses to the extent that they collect personal information from EU citizens, regardless of where they reside, or individuals who reside in the EU, regardless of their nationality.
The new rules empower individuals by, among other things:
- Providing easier access to personal data and more information on how data is processed,
- Facilitating data portability, or transfers of personal data between service providers,
- Clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and
- Requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.