The General Data Protection Regulation (GDPR) is a European Union (EU) law that establishes mandatory requirements for organizations (and persons) that collect, store, or otherwise process the personal data of Data Subjects (individuals in the EU), regardless of where the organization itself is established, and grants Data Subjects a set of rights, including:
- The right to data portability: Data subjects can receive the personal data they provided in a structured, commonly used, machine-readable format and have it transmitted to another organization
- The right of access: Data subjects can confirm whether an organization is processing their personal data, access that data, and obtain a copy of it
- The right to rectification: Data subjects can request that inaccurate or incomplete information about them be corrected
- The right to erasure ("right to be forgotten"): Data subjects can request that their data be deleted, provided no overriding legal obligation or other lawful ground requires that it be retained
GDPR has a broad definition of personal data (commonly called Personal Information, or PI) that, aside from names, addresses, emails, phone numbers, and identification numbers, includes IP addresses, GPS coordinates, mobile device IDs, browser cookies, and any other element that directly or indirectly identifies a natural person. Additionally, GDPR requires organizations to have a legal basis before processing or storing personal data. The six legal bases provided in the law are:
- Data subject’s consent
- Performance of a contract
- Compliance with legal obligations
- Protection of the vital interests of a data subject
- Performance of a task carried out in the public interest or in the exercise of official authority
- Legitimate interests of the organization or of a third party, except where those interests are overridden by the rights of the data subject
Organizations are also required to protect Data Subjects' personal data with appropriate technical and organizational measures and, when a breach is likely to pose a risk to individuals, to notify the Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a late notification must explain the delay. GDPR establishes significant fines for non-compliance: for the most serious infringements, up to €20 million or up to 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher.