The EU GDPR (General Data Protection Regulation) takes effect May 25. This change, designed to protect data privacy, applies to any organization collecting data on EU citizens, no matter the location of the organization.
Compliance is mandatory and will include strict protections on all technology that can collect data, staff training on privacy protection, and a protocol in place for responding to a security breach.
New consent standards include the right for persons to withdraw their consent at any time. Sensitive data (personal preferences, beliefs, and biometric data) will require explicit consent from the user. These disclosures may no longer be buried in Terms and Conditions; companies must provide a full disclosure of the following:
- What data is being collected
- Who is collecting the data
- The purpose for collection
- How long data will be stored
Companies will also be required to report data breaches, and those that engage in large-scale systematic monitoring or processing must appoint a Data Protection Officer.