The European Union (EU) General Data Protection Regulation (GDPR 2016/679) will take effect on May 25, 2018. This regulation provides general guidance on what is needed for compliance; however, many policies and procedures are still being written.

The main purpose of the regulation is to protect the personal data of EU citizens. It will apply to the processing of this data by data controllers and data processors regardless of whether the processing takes place in the EU.

The regulation provides individuals with the following rights:

  • Rights on the collection, use and disclosure of their personal data
  • Right to obtain information about whether their personal data is being processed and if so, where and for what purpose
  • Opt-in rights for the use of their data; in addition, entities are required to document their opt-in procedures

Entities are required to:

  • Give prompt notice of data breaches
  • Where notification of a data breach is mandatory, make that notification within 72 hours of first becoming aware of the breach
  • Data controllers and processors must document their standard practices for processing data and their system for receiving and managing individuals’ requests about their personal data