The EU General Data Protection Regulation (the “GDPR”) is scheduled to go into force on May 25, 2018. The GDPR replaces existing data protection laws throughout the EU, and tightens the requirements that apply to businesses that collect and use personal data. While a full understanding of the GDPR is beyond the scope of this blog, in brief:
- It applies to any organization established in the European Union, and to organizations outside the EU that offer goods or services to people in the European Union.
- In general, it requires that the organization have a lawful basis for processing personal data, most often the data subject's clear, affirmative consent given through an opt-in or the like (processing necessary to carry out an on-line agreement with the data subject, such as fulfilling a purchase of on-line goods or services, is one of the exceptions).
- Personal data may be retained only for as long as it is needed for the purpose for which it was collected.
- The organization must give data subjects (such as its customers) a privacy notice that meets specified content requirements.
- The GDPR sets out data subjects' rights, such as the right to erasure (the "right to be forgotten").
- The GDPR requires an organization that outsources data processing tasks to have a written agreement in place with the processor that meets certain requirements.