The General Data Protection Regulation (GDPR), a set of broad internet privacy laws, went into effect on May 25th across the European Union.
The law, which includes large fines for violations, “supersedes various national privacy laws”, meaning it can affect US companies doing business in the EU. The main goal of the regulations is to protect customer data and to ensure companies are appropriately handling and storing this data.
Fortune outlined some of the rules firms must comply with:
- Allow customers to see and delete the data that concerns them
- Provide notice of data breaches in 72 hours
- Make data policies transparent to an average person (i.e. don’t hide privacy terms in legalese no one reads)
- Hire a Chief Data Officer in some cases
- Follow “privacy by design” principles
Fortune goes on to say that “the rules are different depending on the data in question”. Certain categories, such as medical records and children’s data, may be subject to stricter regulations than less sensitive types of information.
Employers should familiarize themselves with the regulation, as well as with where and how their firm stores customer and client data. While regulators are likely to “go slow” at first, every company is susceptible to fines.