The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy in the European Union, the European Economic Area, and the United Kingdom. The law regulates how organizations protect the personal data of people residing in the areas it covers. The purpose of the GDPR is to give individuals control over their personal data and to simplify the regulatory environment for international business. The GDPR was adopted on April 14, 2016, and became enforceable starting May 25, 2018.
Under the GDPR, business processes that handle personal data must provide specific safeguards to protect that data. Data controllers must design information systems with a high level of privacy so that data subjects cannot be identified by combining the data with publicly available datasets. No personal data may be processed unless the processing rests on one of six specified lawful bases: consent, contract, public task, vital interest, legitimate interest, or legal requirement. Data controllers must also clearly disclose data collection to the user, declare the lawful purpose and basis for processing, and state how long the data will be held and whether it will be shared with any third parties. Additionally, businesses that experience a data breach must report it to the national supervisory authorities within 72 hours if the breach could negatively impact user privacy.
While the GDPR is written to protect people in the EU and EEA, institutions and organizations outside those areas must also follow its provisions and are not exempt from the consequences of non-compliance. Non-EU organizations need to implement, staff, and run compliant systems if they want to continue offering their services to the EU market. Any transaction between a consumer who is physically located in a GDPR country at the time of the transaction and an organization located anywhere in the world is subject to the terms of the GDPR. This is true even if, for example, the consumer is a Japanese tourist visiting France and the organization they interacted with is based in North America.
Europe's data protection regime, the GDPR, applies to the United Kingdom, the European Union member states, and the countries of the European Economic Area.